By Tobias Manolo
So, you’ve got your website up and it’s working well; but is it secure, and how do you check whether it’s vulnerable? If you don’t have much of a budget to keep checking your web applications for potential vulnerabilities and security flaws, that can be quite a challenge! That said, some services are offered free.
Every website holds sensitive data, whether corporate or relating to consumers, so building a website without building in a security plan is too much of a risk to take. Not only that: design your website poorly and you could find yourself in breach of regulatory standards. Many with small budgets opt for free and open source scanning tools that check how secure a web application is, all of which help to improve the level of security.
For example, the Netsparker Community Edition scanner provides you with solutions to any flaws it finds. Then there’s Wapiti, which tests for injection-based vulnerabilities, although it has no GUI and needs to be run from a terminal. Skipfish works slightly differently in that it prepares an interactive, annotated sitemap. And not forgetting Vega, which runs on Windows, OS X and Linux and includes an automated scanner and an intercepting proxy that runs quick tests looking at HTTP requests and their responses. The two principal flaws that hackers focus on are cross-site scripting and SQL injection vulnerabilities. But there is one small problem with web application vulnerability scanners… you have to build the website first, then scan for issues! There is a way around this, though: static code analysis can detect potential vulnerabilities before the website is launched, e.g. with RIPS, which is a free tool.
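As an added illustration, not taken from the article or from RIPS or any of the scanners it names, here is a toy taint tracker in Python that shows the idea behind such a static check: it reads a constructed PHP sample and flags where user input reaches a SQL query or an echo without passing through a sanitiser, i.e. the SQL injection and cross-site scripting flaws the scanners above hunt for at runtime. The source, sink and sanitiser lists are assumptions kept deliberately small.

```python
import re

SOURCES = re.compile(r"\$_(GET|POST|REQUEST|COOKIE)\b")
SINKS = {  # category -> pattern for a dangerous call
    "sql": re.compile(r"\b(mysql_query|mysqli_query)\s*\("),
    "xss": re.compile(r"\b(echo|print)\b"),
}
SANITISERS = {  # category -> functions that neutralise input for that sink
    "sql": ("mysqli_real_escape_string", "mysql_real_escape_string", "intval"),
    "xss": ("htmlspecialchars", "htmlentities", "intval"),
}
ASSIGN = re.compile(r"^\s*(\$\w+)\s*=(?!=)\s*(.*);\s*$")

def taint_of(expr, tainted):
    """Sink categories for which `expr` still carries unsanitised user input."""
    cats = set(SINKS) if SOURCES.search(expr) else set()
    for var, var_cats in tainted.items():
        if re.search(re.escape(var) + r"\b", expr):
            cats |= var_cats
    # A sanitiser clears only its own category: an SQL-escaped string stays XSS-tainted.
    return {c for c in cats if not any(s in expr for s in SANITISERS[c])}

def scan(php_source):
    """Return [(line_number, category), ...] where tainted data reaches a sink."""
    tainted = {}  # "$var" -> categories it is still dangerous for
    findings = []
    for lineno, line in enumerate(php_source.splitlines(), 1):
        for cat, sink in SINKS.items():
            if sink.search(line) and cat in taint_of(line, tainted):
                findings.append((lineno, cat))
        m = ASSIGN.match(line)
        if m:  # propagate taint through assignments
            var, rhs = m.groups()
            cats = taint_of(rhs, tainted)
            if cats:
                tainted[var] = cats
            else:
                tainted.pop(var, None)  # reassigned with a safe value
    return findings

# Constructed PHP sample: lines 4 and 7 are the SQL injection and XSS a scanner would find.
SAMPLE_PHP = """\
$id = $_GET['id'];
$safe_id = intval($_GET['id']);
$name = mysqli_real_escape_string($db, $_POST['name']);
mysqli_query($db, "SELECT * FROM users WHERE id = " . $id);
mysqli_query($db, "SELECT * FROM users WHERE id = " . $safe_id);
mysqli_query($db, "SELECT * FROM users WHERE name = '" . $name . "'");
echo "Hello " . $name;
echo "Hello " . htmlspecialchars($name);
"""
```

Calling `scan(SAMPLE_PHP)` returns `[(4, "sql"), (7, "xss")]`; a real analyser does the same bookkeeping across functions, files and many more sinks.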
If you’re developing a website using Microsoft’s range of tools, you also have access to a range of free developer resources that help make the website secure. A good place to start is their Security Development Lifecycle (SDL), a security assurance process that also links to a range of free tools, e.g. a Threat Modelling Tool, expression fuzzing tools and the Attack Surface Analyser. In addition, if your website is built using an Agile-based approach, Microsoft’s SDL for Agile Development document shows how SDL tasks can be mapped onto it.
It won’t take long for a hacker to find websites with vulnerabilities, and they’ll waste no time in attacking them. And they’re prepared to take any data held on the site! Even if all you hold is login details, those can give hackers access to other sites, and those could be the ‘money pot’ for them. With the number of free and open source solutions available today, even with no budget it is possible to ensure that your website is, and remains, secure.