Why Scan Websites?
Websites or web apps are just like apps on your phone or laptop - they’re programs that do something (usually related to storing, processing, and retrieving information). The only difference is that they run inside your web browser rather than on a specific device.
In the Cyber Safety Monitoring module, the website scanner identifies vulnerabilities in your company's web apps - problems or weaknesses that a hacker could exploit. The goal of running a scan is to find these vulnerabilities before the bad guys do, and make sure you get them fixed.
It’s important to do scans on a regular, continual basis. New vulnerabilities are constantly being discovered, and many web apps get new features added on a regular basis (new features can introduce new vulnerabilities). Make sure you’re running a scan frequently enough to stay ahead of the hackers.
Scan Configuration Options
Scan Schedule and Frequency
To help you achieve a useful monitoring cadence, we recommend scanning somewhere between monthly and quarterly: no more often than once a month, and no less often than once a quarter. You will need to take into account your company's schedule to make sure the scan runs at an appropriate time (we suggest outside of normal business hours), and you may want to schedule scans shortly after upgrades or releases of your web app (e.g., if you release updates every second Tuesday, try scheduling the scan for every second Wednesday).
Scan Levels
The Cyber Safety scanner has two primary modes, which run an increasing number of tests. It’s a balancing act to get it right - the more tests, the better chance of discovering a vulnerability, but the longer the scan will take. The scan modes are described below, along with our recommendations:
Lightning
The lightning scan tests for just a few basic security configuration items on a web page, such as weak SSL/TLS settings or missing security attributes on cookies.
- Time: Fastest
- Depth of Scan: Minimal
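As an illustration of the kind of basic configuration check described for the Lightning scan, the following added example (not the Cyber Safety scanner's own code) parses the Set-Cookie headers of an HTTP response and flags each cookie that lacks the Secure, HttpOnly or SameSite attributes. The header sample is constructed for the example, not captured from a real site.

```python
"""Flag cookies set without basic security attributes.

Added example, not the Cyber Safety scanner's own code: it parses the
Set-Cookie headers of an HTTP response and reports each cookie that lacks
Secure, HttpOnly or SameSite. The header sample below is constructed,
not captured from a real site.
"""
from dataclasses import dataclass, field


@dataclass
class CookieFinding:
    name: str
    missing: list = field(default_factory=list)  # absent security attributes
    notes: list = field(default_factory=list)    # attribute combinations browsers reject


def parse_set_cookie(header_value: str):
    """Split 'name=value; Attr; Attr=val' into (name, {attr_lowercase: value})."""
    parts = [p.strip() for p in header_value.split(";")]
    name, _, _value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        if not part:
            continue
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip()
    return name.strip(), attrs


def check_cookie(header_value: str) -> CookieFinding:
    """Apply the attribute checks to a single Set-Cookie header value."""
    name, attrs = parse_set_cookie(header_value)
    finding = CookieFinding(name=name)
    if "secure" not in attrs:
        finding.missing.append("Secure")    # cookie may travel over plain HTTP
    if "httponly" not in attrs:
        finding.missing.append("HttpOnly")  # readable by page scripts
    samesite = attrs.get("samesite", "").lower()
    if not samesite:
        finding.missing.append("SameSite")  # sent on cross-site requests by default
    elif samesite == "none" and "secure" not in attrs:
        finding.notes.append("SameSite=None is only honoured together with Secure")
    if name.startswith("__Host-") and (
        "secure" not in attrs or attrs.get("path") != "/" or "domain" in attrs
    ):
        finding.notes.append("__Host- prefix requires Secure, Path=/ and no Domain")
    return finding


def scan_response_headers(headers):
    """headers: list of (name, value) pairs as an HTTP response carries them."""
    return [check_cookie(v) for n, v in headers if n.lower() == "set-cookie"]


# Constructed sample response headers for demonstration only.
SAMPLE_HEADERS = [
    ("Content-Type", "text/html"),
    ("Set-Cookie", "session=abc123; Path=/; HttpOnly; Secure; SameSite=Lax"),
    ("Set-Cookie", "prefs=dark; Path=/"),
    ("Set-Cookie", "tracker=xyz; SameSite=None"),
]

if __name__ == "__main__":
    for f in scan_response_headers(SAMPLE_HEADERS):
        status = "ok" if not f.missing and not f.notes else "weak"
        print(f"{f.name}: {status}; missing={f.missing}; notes={f.notes}")
```

Running the module prints one line per cookie; in practice the `headers` list would come from the response your HTTP client received, and each `CookieFinding` with a non-empty `missing` or `notes` list is a configuration item worth passing to the team that maintains the app.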
Normal
This is the recommended setting: it tests for a broad set of vulnerabilities using a variety of settings and payloads (data sent to the application to test how it responds). The additional activity from the scanner causes this scan to take a little longer.
- Time: Slow
- Depth of Scan: Deep
Using the Scan Report
After a scan is completed, you'll get a scan report containing information about that scan, including how long it took, which vulnerabilities the scan tested for, and which vulnerabilities were found during the scan.
Cyber Safety scan reports are designed to be easy to read; however, they do assume a basic knowledge of web app and cybersecurity terminology. If words like POST, PUT, and SQL Injection mean nothing to you, we recommend adding an appropriate member of your team to Cyber Safety, such as a CTO, Engineering Lead, etc.
Addressing Vulnerabilities
You can also download a copy of the scan reports as a PDF, and send them to an engineering, IT, or other team responsible for maintaining your web app. This report contains all the details they need to verify the vulnerability exists, and has recommendations for fixing it. As all web apps are unique, this is guidance first and foremost - your IT team may need to do some additional research and testing to identify how to fix the vulnerability.
Verifying Your Fixes
Once a vulnerability has been fixed, the scanner will identify this issue as fixed the next time it runs, and remove it from future reports. If the issue appears again in the future, our scanner will note that it was previously identified as an issue and re-open it; this helps your team to pinpoint the cause of a recurring vulnerability and speeds up the time to fix it.
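To make the fixed/re-opened behaviour described above concrete, here is an added example (not the Cyber Safety scanner's own code) that reconciles the findings carried from the previous report with what the latest scan observed: findings no longer observed become fixed and drop out of the report, and a fixed finding that is observed again is re-opened with a note recording when it was previously identified. The finding keys and scan numbers are constructed for the example.

```python
"""Track vulnerability findings across successive scans.

Added example, not the Cyber Safety scanner's own code. A finding is
identified by a stable key (constructed convention here, e.g.
"sql-injection|/login|POST username") so that the same issue can be
matched from one scan to the next.
"""
from dataclasses import dataclass, replace


@dataclass(frozen=True)
class Finding:
    key: str          # stable identity of the issue
    status: str       # "open", "fixed" or "reopened"
    first_seen: int   # scan number when first observed
    last_seen: int    # scan number when last observed
    note: str = ""    # history note, filled in when an issue recurs


def reconcile(previous, observed_keys, scan_no):
    """Return the updated finding list after scan number `scan_no`.

    previous: findings carried from the last report.
    observed_keys: keys of the findings the new scan detected.
    """
    observed_keys = set(observed_keys)
    by_key = {f.key: f for f in previous}
    updated = []
    for key, f in by_key.items():
        if key in observed_keys:
            if f.status == "fixed":
                # Previously fixed issue has come back: re-open it and say so.
                updated.append(replace(
                    f, status="reopened", last_seen=scan_no,
                    note=f"previously identified (last seen in scan {f.last_seen}) "
                         f"and marked fixed; recurring in scan {scan_no}"))
            else:
                updated.append(replace(f, last_seen=scan_no))
        elif f.status in ("open", "reopened"):
            # No longer observed: the fix worked.
            updated.append(replace(f, status="fixed"))
        else:
            updated.append(f)  # already fixed; kept for history
    for key in sorted(observed_keys - set(by_key)):
        updated.append(Finding(key=key, status="open",
                               first_seen=scan_no, last_seen=scan_no))
    return updated


def report_view(findings):
    """Findings that belong in the current report: everything not fixed."""
    return [f for f in findings if f.status != "fixed"]


if __name__ == "__main__":
    # Constructed sequence: two issues found, one fixed, then it recurs.
    scan1 = reconcile([], {"xss|/search|q", "weak-tls|/"}, 1)
    scan2 = reconcile(scan1, {"xss|/search|q"}, 2)
    scan3 = reconcile(scan2, {"xss|/search|q", "weak-tls|/"}, 3)
    for f in report_view(scan3):
        print(f.key, f.status, f.note)
```

The history kept on fixed findings is what makes the re-open note possible: a report that simply deleted fixed issues would have nothing to compare the next scan against.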
Types of Vulnerabilities Detected
The scan checks for many common vulnerabilities in websites and web apps. For a full list, see "What vulnerabilities does the Cyber Safety website scan detect?".