Website security check: a step-by-step guide


A thorough website security check can reveal vulnerabilities in your code and help you fix them before they are exploited by hackers. This step-by-step guide shows you how to test your site’s security status with Detectify and take the first steps towards securing your web app.

1. Before you get started

If you would like to check your website’s security and aren’t sure where to start, this post is for you. Discovering that your code contains security flaws isn’t the best feeling in the world, but it’s much better than believing you are 100% safe (no one is) and being surprised by a hacker attack later on. The only vulnerabilities you can fix are the ones you are aware of!

Checking your site’s security status will not only help you get secure, it will also help you write safer code.

Plan and prioritize

Planning is development 101, but security has a tendency to make people panic and try to fix everything at once. To avoid this, map out your priorities before you run a security test. For example, if you have an e-commerce website that processes payments, you will probably prioritize fixing the payment flow rather than your online store’s blog. If you suspect your old campaign sites could be vulnerable to a subdomain takeover, you might want to secure those first.

It is always a good idea to set aside a couple of hours to work with the results of your security test. If you’re an agency, make sure you have time to guide your clients through their security report. Even when a website security check doesn’t reveal anything critical, the findings might require fixing minor issues, updating various installations and reconfiguring security settings.

2. Check your website security

We will show you how to check your site’s security status and evaluate the results. If you are not a Detectify user, you can sign up for our free 2-week trial to access all the features in this guide.

Let’s get to the good stuff! When you add your first scan profile to Detectify, a security scan will start automatically. If you already have a scan profile, you can manually trigger a scan by clicking on your scan profile and clicking “Start deep scan”.

Website security check in progress

Once you start a scan, you can follow its progress and check which phase the scanner is in.

The results will start coming in as soon as the scanner enters the security testing phase. When the scan is finished, you can access a comprehensive report with all the identified security findings.

3. Interpret your website security check results

Congrats, you’ve just run your first website security check! Once your scan is finished, you’re ready to assess your site’s security and fix vulnerabilities.

Threat score

The fastest way to get an idea of your site’s security status is to look at the Threat score, which is based on CVSS (the Common Vulnerability Scoring System), a standardized vulnerability scoring system. The score can be anywhere between 1 and 10. The higher the score, the more important it is that you fix the findings.

Detectify scan threat score

The threat score gives you a quick snapshot of your site’s overall security status

Below your threat score, you will also see the number of high, medium, and low severity findings. This is useful for quick reporting as well as tracking your security progress over time. If you’d like to share an overview of your website security check with your colleagues, you can export a summary in PDF format.

Findings

Time to dive into the findings and fix some critical issues! High severity findings, listed at the top of your report, have the highest CVSS scores and should be fixed first.

Detectify website security check findings

Findings are colour-coded based on their severity. Critical findings can always be found at the top of your report.

You can find out more about each finding by clicking on it. This will show you details like where the issue was discovered, its impact and individual CVSS score, and remediation tips.

Detectify finding details

The finding details view provides additional information about each finding.

4. Fix vulnerabilities

As you work your way from critical to medium findings, keep an eye on the additional resources at the bottom of the finding details view page. These provide more information about security issues as well as tips on how to remediate them.

Make sure to take a look at low severity findings after you have fixed the critical ones. Seemingly harmless security issues can be chained together with other findings into a more serious attack, but luckily, they are usually easy to fix.

Once you have fixed a finding, you can mark it as fixed and run another scan to check if your site is more secure.

Mark vulnerability as fixed

Keep track of your security progress by marking remediated findings as fixed.
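The triage described in steps 3 and 4 (read the CVSS-based score, count findings per severity, fix the highest-scoring ones first, mark them as fixed, rescan) can also be reproduced outside the UI over an exported list of findings. The Python below is an added example written for this guide; it is not Detectify’s code and does not use Detectify’s API. The findings are constructed sample data, the severity bands are the published CVSS v3.x qualitative rating scale (Low 0.1–3.9, Medium 4.0–6.9, High 7.0–8.9, Critical 9.0–10.0), and treating the highest open CVSS score as the site-level threat score is an assumption made for the example, not Detectify’s formula.

```python
"""Triage scanner findings by CVSS severity (added example, not Detectify's code)."""
from dataclasses import dataclass

# CVSS v3.x qualitative severity bands: (label, lowest score in the band).
SEVERITY_BANDS = (
    ("Critical", 9.0),
    ("High", 7.0),
    ("Medium", 4.0),
    ("Low", 0.1),
)
SEVERITY_LABELS = tuple(label for label, _ in SEVERITY_BANDS) + ("None",)


@dataclass
class Finding:
    title: str
    location: str   # where the scanner found the issue (URL, host or path)
    cvss: float     # CVSS v3.x base score, 0.0 - 10.0
    fixed: bool = False


def severity(score: float) -> str:
    """Map a CVSS base score to its qualitative severity label."""
    if not 0.0 <= score <= 10.0:
        raise ValueError(f"CVSS score out of range: {score}")
    for label, floor in SEVERITY_BANDS:
        if score >= floor:
            return label
    return "None"  # a score of 0.0 carries no severity


def open_findings(findings):
    """Findings that have not yet been marked as fixed."""
    return [f for f in findings if not f.fixed]


def threat_score(findings) -> float:
    """Assumed site-level score: the highest CVSS score still open (0.0 if none)."""
    return max((f.cvss for f in open_findings(findings)), default=0.0)


def severity_counts(findings) -> dict:
    """Number of open findings per severity label, as shown under a threat score."""
    counts = {label: 0 for label in SEVERITY_LABELS}
    for f in open_findings(findings):
        counts[severity(f.cvss)] += 1
    return counts


def remediation_queue(findings):
    """Open findings ordered for fixing: highest CVSS first, ties by title."""
    return sorted(open_findings(findings), key=lambda f: (-f.cvss, f.title))


def mark_fixed(findings, title: str) -> Finding:
    """Mark a finding as fixed so the next summary reflects the remediation."""
    for f in findings:
        if f.title == title:
            f.fixed = True
            return f
    raise KeyError(f"no finding titled {title!r}")


def sample_findings():
    """Constructed sample scan output for the demo; not real scan results."""
    return [
        Finding("Reflected XSS in search parameter", "https://shop.example.com/search", 6.1),
        Finding("Subdomain takeover (dangling CNAME)", "old-campaign.example.com", 8.2),
        Finding("SQL injection in product filter", "https://shop.example.com/products", 9.8),
        Finding("Session cookie missing HttpOnly flag", "https://shop.example.com/login", 4.3),
        Finding("Server version disclosed in HTTP header", "https://shop.example.com/", 3.1),
    ]


if __name__ == "__main__":
    findings = sample_findings()
    print("Threat score:", threat_score(findings), severity_counts(findings))
    for f in remediation_queue(findings):
        print(f"  {f.cvss:>4}  {severity(f.cvss):<8} {f.title}  [{f.location}]")
    # Simulate fixing the top finding, then re-summarise as a rescan would.
    mark_fixed(findings, "SQL injection in product filter")
    print("After fix:", threat_score(findings), severity_counts(findings))
```

Run it as a script to see the queue before and after the top finding is marked fixed; with real data you would replace `sample_findings()` with a loader for whatever export format your scanner provides.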

5. Make security a routine

Unfortunately, website security checks are not a one-off affair. New vulnerabilities emerge all the time and both old and new technologies can fall victim to hackers. We update the Detectify scanner every week, adding new security tests submitted to us by over 100 researchers active in our crowdsourced security community, Detectify Crowdsource. To ensure you’re on top of the latest threats, try making the steps we described above a routine.

Detectify scanner integrations

Detectify integrates with a wide range of developer tools to bring security into your workflow.

With Detectify, you can schedule recurring scans at regular intervals, as well as use integrations or email notifications to let you know when your findings are ready. This way, your security scans will run in the background while you can focus on development.

Are you ready to check your website’s security? Sign up for a free 14-day trial and run a scan to see how your code stacks up against over 700 security tests!
