Dev Tools

Tools That Every Web Developer Should Use: Security Scanners

I am constantly asked to review and analyze websites’ performance statistics and analytics.  Over the years, I have found several tools known and unknown that I use in combination to get an idea of the overall health and performance of these sites.  As a developer, if you are not looking at these tools or similar tools, help yourself and get on board.

This week I am exploring security scanning tools and why they can be a useful tool in development.

Security Scanning

This topic is somewhat of a loaded gun.  These tools by no means ensure complete protection and are just helpful guides on how you “might” be at risk.  Nothing beats passive security scanning and review by security professionals.    I typically use these tools to point out to clients that they may be exposed and should take steps to mitigate these obvious risks.  These are not silver bullets and do not guarantee complete protection but can give you a baseline and point you in the right direction.

SSL Labs – Server Security Scanning

ssl-labs does a good job keeping SSL certificates up to date!  Thank goodness!


This online scanning tool is an amazing tool to let you know if your website’s host and certificate are up to par and will help you keep your data secure.  In my opinion, site security is the #1 priority and there is no reason for a site to be without an SSL certificate.  They’re free!  Some of the clients I’ve talked didn’t even realize this existed and after I showed them their grade they were shocked!

Case in point, one client bought the latest and greatest extended validation (EV) certificate and they thought they were good to go.  Little did they know that EV certificate only establishes a certain amount of trust and doesn’t guarantee security.  I ran this scan and they received a “C” due to allowing SSL V3 connections to their webserver which can open them up to vulnerabilities such as POODLE which will give man in the middle attacks the ability to capture users data.

We ran this site through this scanner and was able to find the solutions to solve many of the vulnerabilities because SSL Labs provides documentation on how to fix it.  This an amazing site to use in my opinion and one I check out frequently just to make sure my sites maintain their grade.

ZAP – OWASP Zed Attack Proxy Project

This is an installed application on your local computer and let’s you do very deep security scanning on a website you own.  It’d important that you turn off your analytics before running this scan as it can mess up your site analytics because it hits EVERYTHING.

This was after 7 minutes of scanning and it hit my site over 3400 times.

The above screenshot is a look at every setting this scanner checks by default and as you can see, it is very thorough.  When I first used the application, I didn’t even know what most of the scans actually meant. Because it is so intensive and can affect analytics, I would not run this on a site without permission of its owner.

It also gives alerts and on what things can be improved and gives them priority on their threat level.  After a scan of 7 minutes, I received 5 alerts about this site.


These are just a handful of tools that I use on a frequent basis to help me get an understanding of a website’s performance.   I wanted to share these with developers just in case the thought never occurred to them.  Do you have any tools that I have not mentioned that have helped you out?  Please comment and share!  You can also contact me on Twitter or LinkedIn.

By Brett The Whitt

Brett is a web development consultant and has been working for more than 12 years. He specializes in hybrid mobile app development and using front end frameworks such as AngularJS. Always passionate about continuous education, he has been most recently mentoring and encouraging his co-workers to become better speakers. To further this growth, he leads Lightning Talk Nights and other events at his job at HMB Inc

Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s