There is no such thing as perfect security, only varying levels of insecurity.

-Salman Rushdie

Although the context of this quote is completely irrelevant to the internet and web development, the content of the quote is perfectly applicable to web security. However, if you manage, develop, or run a website, and you value the security of your website’s users (not to mention the security of your own servers), then never let this truth discourage you from making your website as secure as you possibly can!

The process for improving the security of a website will vary greatly depending on its structure and function. Consequently, the best way to make a website secure is for the site’s developers and testers to have a broad knowledge of vulnerabilities and possible attacks, and an advanced understanding of how to properly protect against them. The web security authority Open Web Application Security Project (OWASP) offers a very comprehensive guide for testing your website for various vulnerabilities.

But manual detection of vulnerabilities requires time and resources. So if (or when) you exhaust the time and resources you are able to spend on manual improvement of your site’s security, here are three approaches which can help automate the process of website vulnerability detection.

Approach 1: Use vulnerability scanning software.

There are numerous automated software tools for scanning web applications for vulnerabilities. OWASP publishes a list of vulnerability scanning tools.

Of the programs listed, most are commercial software, but some are open source and free to use. One widely used and trusted commercial tool is AppScan, owned by IBM. For open source options, the scanner with the most favorable reviews appears to be Vega, which scans for vulnerabilities including XSS, SQL injection, directory traversal, URL injection, shell injection, and file inclusion.

There is one more widely used open source distribution which deserves mention here: Kali (AKA Kali Linux). It’s not just one tool; it is an entire Debian-derived environment designed for penetration testing. Vega and many other open source vulnerability scanners are included with installation of Kali Linux.

Approach 2: Use static code analysis tools.

Static code analysis is the analysis of software that is performed without actually executing the software. Security-specific static code analysis tools help automate detection of vulnerabilities during development. These tools highlight possible vulnerabilities in source code by using techniques such as Taint Analysis and Data Flow Analysis. The idea behind both of these techniques is to map out the flow of data in an application, and then identify which parts have been “tainted” by user-supplied data. Trusty OWASP publishes a list of security-specific static code analysis tools.

We can also use linting utilities to search our code for vulnerabilities. Most developers already use linters to ensure consistent formatting across projects. But linters can also help us find insecurities! The very popular open source linter ESLint (one of the JavaScript tools we use) has several existing plugins to help find vulnerabilities. Two good options include eslint-plugin-security and eslint-plugin-no-unsafe-innerhtml.

Additionally, the beauty of ESLint is that it is completely customizable. If you find that these plugins aren’t relevant to your web application, you can write your own custom rules to warn you whenever you use any techniques known to be dangerous or insecure.

Like other automated tools, static code analysis is no substitute for human testing. Although the current state of automated tools falls short of detecting vulnerabilities to a high degree of confidence (and they often find many false positives), they can still help zero in on the security relevant portions of the code.

Approach 3: Use “bug bounty” programs.

Bug bounty programs outsource the work of finding security vulnerabilities to individuals outside of your company. When you use these programs, you will pay only for vulnerabilities that have been found, and you decide the amount that you will pay for each vulnerability found.

In addition to performing manual testing, bug bounty hunters will employ the aforementioned vulnerability scanning programs to sweep your site.

Those who have dedicated their time to pursuing bug bounties often have a wide array of scanning tools at their disposal, including numerous commercial scanners. With this approach, you can reap the benefits of the latest and most advanced scanning tools on the market without having to purchase them.

A large and trusted platform for coordinating bug bounties is HackerOne.

If you use bug bounty programs, always have the bug bounty hunters attack a test deployment of the web application, and never the actual deployment. The test deployment environment should be as similar as possible to the production environment in every respect. This prevents doing any real damage in testing, or putting a large payload on the site’s actual servers.

Lastly, only employ the help of bug bounty programs after you have done as much manual testing as you can afford and have run all the automated tests you have available. This minimizes the potential bug bounties paid.

Conclusion: Use a suitable combination of these approaches based on threats/risk.

First, define the threat level of the website you’re auditing. Examine the quantity of users, the amount of sensitive data the site handles, and the functionality of the site. Based on these factors, determine a threat level. A site which handles online payments or other sensitive information may be treated differently than a blog of cat photos. But whatever your situation is, consider using the aforementioned tools and programs to lighten the load of manual penetration testing.