A thorough website security check can reveal vulnerabilities in your code and help you fix them before they are exploited by hackers. This step-by-step guide shows you how to test your site’s security status with Detectify and take the first steps towards securing your web app.
1. Before you get started
If you would like to check your website’s security and aren’t sure where to start, this post is for you. Discovering that your code contains security flaws isn’t the best feeling in the world, but it’s much better than believing you are 100% safe (no one is) and being surprised by a hacker attack later on. The only vulnerabilities you can fix are the ones you are aware of!
Checking your site’s security status will not only help you get secure, it will also allow you to learn how to write safer code.
Plan and prioritize
Planning is development 101, but security has a tendency to make people panic and try to fix everything at once. To avoid this, map out your priorities before you run a security test. For example, if you have an e-commerce website that processes payments, you will probably prioritise fixing that rather than your online store’s blog. If you suspect your old campaign sites could be vulnerable to a subdomain takeover, you might want to secure those first.
It is always a good idea to set aside a couple of hours to work with the results of your security test or, if you’re an agency, guide your clients through their security report. Even when a website security check doesn’t reveal anything critical, the findings might require fixing minor issues, updating various installations and reconfiguring security settings.
2. Check your website security
We will show you how to check your site’s security status and evaluate the results. If you are not a Detectify user, you can sign up for our free 14-day trial to access all the features in this guide.
Let’s get to the good stuff! When you add your first scan profile to Detectify, a security scan will start automatically. If you already have a scan profile, you can manually trigger a scan by clicking on your scan profile and clicking “Start deep scan”.
The results will start coming in as soon as the scanner enters the security testing phase. When the scan is finished, you can access a comprehensive report with all the identified security findings.
3. Interpret your results
Congrats, you’ve just run your first website security check! Once your scan is finished, you’re ready to assess your site’s security and fix vulnerabilities.
The fastest way to get an idea of your site’s security status is to look at the Threat score that is based on CVSS, a standardized vulnerability scoring system. The score can be anywhere between 1 and 10 and the higher the score, the more important it is that you fix the findings.
Below your threat score, you will also see the number of high, medium, and low severity findings. This is useful for quick reporting as well as tracking your security progress over time. If you’d like to share an overview of your website security check with your colleagues, you can export a summary in PDF format!
Time to dive into the findings and fix some critical issues! High severity findings can be found at the top of your report, have the highest CVSS score and should be fixed first.
You can find out more about each finding by clicking on it. This will show you details like where the issue was discovered, its impact and individual CVSS score, and remediation tips.
4. Fix vulnerabilities
As you work your way from critical findings to medium findings, keep an eye on the additional resources available at the bottom of the page in the finding details view. These provide more information about security issues as well as tips on how to remediate them.
Make sure to take a look at low severity findings after you have fixed the critical ones. Seemingly harmless security issues can play a crucial role in chain attacks, but luckily, they are usually easy to fix.
Once you have fixed a finding, you can mark it as fixed and run another scan to check if your site is more secure.
5. Make security a routine
Unfortunately, website security checks are not a one-off affair. New vulnerabilities emerge all the time and both old and new technologies can fall victim to hackers. We update the Detectify scanner every week, adding new security tests submitted to us by over 100 researchers active in our crowdsourced security community, Detectify Crowdsource. To ensure you’re on top of the latest threats, try making the steps we described above a routine.
With Detectify, you can schedule recurring scans at regular intervals, as well as use integrations or email notifications to let you know when your findings are ready. This way, your security scans will run in the background while you can focus on development.
Are you ready to check your website’s security? Sign up for a free 14-day trial and run a scan to see how your code stacks up against over 700 security tests!