Tools That Every Web Developer Should Use: Security Scanners

I am constantly asked to review and analyze websites’ performance statistics and analytics. Over the years, I have found several tools, some well known and some obscure, that I use in combination to get an idea of the overall health and performance of these sites. As a developer, if you are not looking at these tools or similar ones, help yourself and get on board.

This week I am exploring security scanning tools and why they can be useful during development.

Security Scanning

This topic is somewhat of a loaded gun. These tools by no means ensure complete protection and are just helpful guides to how you “might” be at risk. Nothing beats passive security scanning and review by security professionals. I typically use these tools to point out to clients that they may be exposed and should take steps to mitigate these obvious risks. They are not silver bullets and do not guarantee complete protection, but they can give you a baseline and point you in the right direction.

SSL Labs – Server Security Scanning https://www.ssllabs.com/ssltest/

[Screenshot: SSL Labs scan result] WordPress.com does a good job keeping SSL certificates up to date! Thank goodness!


This online scanning tool is an amazing way to find out whether your website’s host and certificate are up to par, and it will help you keep your data secure. In my opinion, site security is the #1 priority and there is no reason for a site to be without an SSL certificate. They’re free! Some of the clients I’ve talked to didn’t even realize this existed, and after I showed them their grade they were shocked!

Case in point: one client bought the latest and greatest extended validation (EV) certificate and thought they were good to go. Little did they know that an EV certificate only establishes a certain amount of trust and doesn’t guarantee security. I ran this scan and they received a “C” for allowing SSL v3 connections to their web server, which exposes them to vulnerabilities such as POODLE, which gives a man-in-the-middle attacker the ability to capture users’ data.

We ran this site through the scanner and were able to find solutions to many of the vulnerabilities, because SSL Labs provides documentation on how to fix each one. This is an amazing site to use in my opinion and one I check frequently just to make sure my sites maintain their grade.
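To make the SSL v3 finding concrete, here is an added example (not code from the post or from SSL Labs) that scans an SSL Labs Analyze API v3 response and flags endpoints still offering legacy protocol versions, the way the “C” grade above was explained. The embedded report is a constructed sample shaped like the `analyze?all=done` output, and the choice of which versions count as legacy is my assumption.

```python
import json

# Protocol versions that should no longer be offered. SSL 3.0 is the one
# behind POODLE; treating TLS 1.0/1.1 as legacy too is an assumption here.
LEGACY_PROTOCOLS = {("SSL", "2.0"), ("SSL", "3.0"), ("TLS", "1.0"), ("TLS", "1.1")}

# Constructed sample shaped like an SSL Labs API v3 analyze?all=done response.
# Host, addresses, grades and protocol lists are invented for this example.
SAMPLE_REPORT = json.dumps({
    "host": "example.invalid",
    "endpoints": [
        {
            "ipAddress": "203.0.113.10",
            "grade": "C",
            "details": {"protocols": [
                {"id": 768, "name": "SSL", "version": "3.0"},
                {"id": 769, "name": "TLS", "version": "1.0"},
                {"id": 771, "name": "TLS", "version": "1.2"},
            ]},
        },
        {
            "ipAddress": "203.0.113.11",
            "grade": "A",
            "details": {"protocols": [
                {"id": 771, "name": "TLS", "version": "1.2"},
                {"id": 772, "name": "TLS", "version": "1.3"},
            ]},
        },
    ],
})


def legacy_protocol_findings(report_json):
    """Return (ipAddress, grade, [legacy versions offered]) for each affected endpoint."""
    report = json.loads(report_json)
    findings = []
    for endpoint in report.get("endpoints", []):
        protocols = endpoint.get("details", {}).get("protocols", [])
        offered = [f'{p["name"]} {p["version"]}' for p in protocols
                   if (p.get("name"), p.get("version")) in LEGACY_PROTOCOLS]
        if offered:  # endpoints that only negotiate TLS 1.2+ produce no finding
            findings.append((endpoint.get("ipAddress"), endpoint.get("grade"), offered))
    return findings


if __name__ == "__main__":
    for ip, grade, offered in legacy_protocol_findings(SAMPLE_REPORT):
        print(f"{ip}: grade {grade}, still offers {', '.join(offered)}")
```

A real report is fetched from `https://api.ssllabs.com/api/v3/analyze?host=<your host>&all=done` once the scan status is READY, and the same function applies to it unchanged.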

ZAP – OWASP Zed Attack Proxy Project

https://www.owasp.org/index.php/OWASP_Zed_Attack_Proxy_Project

This is an application installed on your local computer that lets you do very deep security scanning of a website you own. It’s important that you turn off your analytics before running this scan, as it can mess up your site analytics because it hits EVERYTHING.

[Screenshot: ZAP scan progress] This was after 7 minutes of scanning, and it had hit my site over 3400 times.

The above screenshot shows every check this scanner runs by default, and as you can see, it is very thorough. When I first used the application, I didn’t even know what most of the scans actually meant. Because it is so intensive and can affect analytics, I would not run this on a site without the permission of its owner.

[Screenshot: ZAP alerts] It also raises alerts about what can be improved and prioritizes them by threat level. After a 7-minute scan, I received 5 alerts about this site.

Conclusion

These are just a handful of tools that I use on a frequent basis to help me get an understanding of a website’s health. I wanted to share them with developers just in case the thought never occurred to them. Do you have any tools that I have not mentioned that have helped you out? Please comment and share! You can also contact me on Twitter or LinkedIn.
