Website Security

All UCSF websites must meet minimum security standards, as outlined by UCSF Information Technology Services and the University of California Electronic Information Security Policy. For more information about the vulnerability scanners available, visit Application and Website Security.

For most websites that contain only public data, the website software must be patched with security updates within 21 days of the patch being released.

UCSF Drupal Template Websites

If you are using the UCSF Drupal Template, then Web Services does the heavy lifting. The UCSF Web Services team applies the Drupal security patches weekly so you don't have to. If you are getting email notifications that a security patch is available for Drupal, you can change the frequency or turn off these notifications.

Non-Drupal Websites

If you are not using the UCSF Drupal Template, or your website is hosted by a non-UCSF third-party hosting company such as Squarespace, Wix, or DreamHost, security is still your responsibility.

IT Services offers Netsparker Cloud, a self-service web application vulnerability scanner that can find OWASP-based web application vulnerabilities, such as SQL injection and cross-site scripting (XSS), within a web application.

To get started, contact the Service Desk at 415-514-4100 and submit a request, or email [email protected].