5 Online Tools to Evaluate the Security of Your Website for Free
Parsysco Cyber | March 21, 2023
Does your company operate online? Perhaps you have a marketing website, a multi-user cloud application, an e-commerce site, or even all three. In any case, securing your company online may seem daunting. In this market with thousands of security vendors available, it's challenging for new companies to know where they should start and at what price.
Without question, the best place to start is simple and free. Luckily, there are plenty of tools you can use to evaluate the security of your website with little to no effort required by you. However, it's important to note that while receiving a good security evaluation score from these tools is an excellent first step, they're all inherently limited and cannot assess every aspect of your website.
The best way to think about each tool is as a magnifying glass: it looks at one specific part of your website and rates the security of that part.
Securityheaders.com is an online scanner developed by security researcher Scott Helme that will analyze the HTTP response headers from your web server and provide a letter-grade score based on which headers are implemented and how they are configured.
On the homepage, under "Scan your site now", enter the full URL of your website to be scanned. Before you click "Scan", check the "Follow redirects" box to ensure the scanner lands on the final page of your website (the one your users see when visiting your site).

Wait a few moments, and securityheaders will display a new page with a letter grade from A+ (perfect) to F (needs review).

Your letter grade will vary depending on how many of the six security headers are implemented and whether they're securely configured. If your website received a poor letter grade, don't worry; that does not necessarily mean it's directly at risk. However, implementing the missing security headers will improve its resiliency to cyber attacks.
You can find more information about each specific security header and their implementation below:
- Content-Security-Policy (CSP)
- HTTP-Strict-Transport-Security (HSTS)
- X-Frame-Options
- Referrer-Policy
- X-Content-Type-Options
- Permissions-Policy
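To see what such a header review involves, the following Python script is an added example (not securityheaders.com's code or grading logic) that checks a raw HTTP response for the six headers listed above and flags a few common weak settings. The function names, the 180-day HSTS floor, the specific checks, and the sample response are assumptions made for this example.

```python
import re

def _hsts(v):
    m = re.search(r'max-age\s*=\s*"?(\d+)', v, re.I)
    if not m:
        return "no max-age directive"
    # Assumed floor of 180 days; use the value your own policy requires.
    return "max-age shorter than 180 days" if int(m.group(1)) < 15552000 else None

def _csp(v):
    weak = [t for t in ("'unsafe-inline'", "'unsafe-eval'") if t in v.lower()]
    return "allows " + ", ".join(weak) if weak else None

def _referrer(v):
    last = v.split(",")[-1].strip().lower()  # the last listed policy is the preferred one
    leaky = ("unsafe-url", "no-referrer-when-downgrade")
    return "sends the full URL to other origins" if last in leaky else None

# Header name as sent on the wire -> check returning a problem string or None.
# HSTS is sent as "Strict-Transport-Security". The checks are this example's
# assumptions, not the scanner's grading rules.
CHECKS = {
    "content-security-policy": _csp,
    "strict-transport-security": _hsts,
    "x-frame-options": lambda v: None if v.strip().upper() in ("DENY", "SAMEORIGIN")
        else "value is not DENY or SAMEORIGIN",
    "referrer-policy": _referrer,
    "x-content-type-options": lambda v: None if v.strip().lower() == "nosniff"
        else "value is not nosniff",
    "permissions-policy": lambda v: None,  # presence only
}

def parse_headers(raw):
    headers = {}
    for line in raw.strip().splitlines()[1:]:  # skip the status line
        if not line.strip():
            break  # a blank line ends the header block
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return headers

def audit(raw):
    headers = parse_headers(raw)
    return {name: ("missing" if name not in headers else check(headers[name]))
            for name, check in CHECKS.items()
            if name not in headers or check(headers[name])}

# Constructed sample response, not captured from a real site.
SAMPLE_RESPONSE = """HTTP/1.1 200 OK
Content-Type: text/html
Strict-Transport-Security: max-age=300
Content-Security-Policy: default-src 'self'; script-src 'self' 'unsafe-inline'
X-Frame-Options: SAMEORIGIN
X-Content-Type-Options: nosniff
"""
```

Calling `audit(SAMPLE_RESPONSE)` returns a dictionary of header names mapped to the problem found; an empty dictionary means all six headers passed these checks.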
Ssllabs.com is an online SSL/TLS web server scanner developed by Qualys Labs that performs a deep analysis of your web server's SSL/TLS configuration to identify weak implementations, misconfigurations, and common SSL/TLS vulnerabilities. Ssllabs.com provides a letter-grade score based on the combined risk evaluation of each category.
On the scan page, find "Hostname"; enter the full URL of your website and click scan.

The following page will list all servers for your domain. Wait until each server finishes scanning to see the letter grade listed under the "Grade" column.

Click on one of the servers to view the detailed output of the scan. The "Summary" section highlights key findings and displays a bar graph rating the security of each category on a scale from 0 to 100. Scrolling down the page shows the technical breakdown of each category, which you will need for remediation work.

You can find more information about SSL/TLS security and secure implementation below:
- SSL / TLS Overview
Ethicalcheck.dev is an online web API scanner powered by APIsec. Ethicalcheck.dev offers free and paid versions; the free version will provide a basic vulnerability scan of your APIs via a Swagger JSON file and output a PDF penetration test report.
On the homepage, under "OpenAPI/Postman URL", enter the full URL of your API Swagger JSON/YAML file. Swagger (now known as the OpenAPI Specification) is an open specification for defining REST APIs, similar to a WSDL document for SOAP-based web services. After you enter your Swagger file URL, provide an email address to receive the PDF report and click "Scan Now".

EthicalCheck will analyze your Swagger file and begin security testing your APIs for common API vulnerabilities. Once it is complete, you'll receive a PDF report in your email.
The PDF report is broken into the following sections:
- Executive Summary
- Coverage Overview
- Discovered Vulnerabilities
- Review/False-Positives
- Tested/Discovered Endpoints
- Tested Categories
- Remediations
You can find more documentation about Swagger and how to create your own Swagger file below:
- What Is Swagger (OpenAPI)?
Hostedscan.com is an online service that provides automated vulnerability scanning for your website or network IPs. Hostedscan's free version allows users to launch up to 10 scans per month with 90-day data retention and downloadable PDF reports.

After you click "Submit", you will receive a link to the HostedScan dashboard to view your security scan in progress.

HostedScan will perform a network vulnerability scan for out-of-date software exploitable by known CVEs, a web application scan to check for common attacks such as SQLi and XSS, a full port scan to detect firewall and network misconfigurations, and an SSL/TLS scan to check for certificate issues and exploits such as Heartbleed and CRIME.
Note that HostedScan's free version will only perform an unauthenticated scan. At the time of this writing, Basic tier and above are required for authenticated scanning.
Upguard.com is an online external risk assessment scanner that uses public information to identify misconfigurations and known exploitable vulnerabilities on your website. To get started, enter your website's URL in the input field and click the "Get my free score" button.

Upguard will score your website's security on a scale from 0 to 950 and present a corresponding letter grade upon scan completion.

Scrolling further down the page will showcase individual vulnerabilities discovered during the scan. Each vulnerability contains a title, brief explanation, and marker. The color of the marker indicates the severity of the discovered issue: red is high severity, orange is medium severity, and green/blue is low severity.

Conclusion
These free security scanners are a great way to begin assessing the security of your business's digital assets. If you're interested in a professional security assessment of your business, please explore our services or contact us for a quote.