Test and observe website security free of charge!

M.Sc. Chris Wojzechowski


IT security, and website security in particular, is a big topic that is becoming more and more present. News circulates daily that there has been another data theft, that a security hole has appeared, or that a website has been defaced. The latter is only reported if the victim is sufficiently prominent.

However, website operators rarely have the knowledge needed to harden their web presence against attackers. As a first step, the same tools are available to small and large companies alike. On the one hand, there are active scanners such as the Mozilla Observatory.

On the other hand, there are tools from internet giants, such as the Google Search Console, which give you a continuous view of the website, especially when something is wrong. The assessment of cyber risks should be the responsibility of managing directors in particular.

Detect security problems with Mozilla Observatory

Mozilla is best known for Firefox, the web browser. But the organization behind Firefox provides many more tools to increase security and privacy. Mozilla Observatory is one of them, and it lets you submit any website for review.

Determining the website security of a website
The Mozilla Observatory only needs the domain to be checked! Source: Screenshot observatory.mozilla.org

After a few seconds you have the results of the analysis. Many things are checked during this process. The following results come from the analysis of technique-blog.de:

Detailed results of the website security analysis
Results of the website security analysis by Mozilla. Source: Screenshot observatory.mozilla.org

Since the introduction of the General Data Protection Regulation, the number of cookies, for example, has become interesting. In particular, when the counter reaches "0", no cookie banner is necessary. But the other findings also raise the security level of a website. You can work through this list bit by bit, learn something, and increase the security of the website along the way. What is special about Mozilla's Observatory is that several website security analysis tools come into play there. For example, the issued certificate, which enables an encrypted connection, is examined. External scanners are triggered as well.

Website security with the help of Mozilla Observatory
Various scanners are triggered via the Mozilla Observatory. Currently our domain reaches 135/100 points in the ImmuniWeb scanner. Screenshot: observatory.mozilla.org

The results of the other scanners are summarized in a compact overview. If you want more detailed results of the analyses, you can open them with a click.

Website Security from securityheaders.io
The results from securityheaders.io. Source: Screenshot observatory.mozilla.org

Website Security Scan from hstspreload.appspot.com
The HSTS preload check takes a closer look at HSTS. Source: Screenshot observatory.mozilla.org

Websites tend to be rated badly rather than well. Only when you have taken good steps in terms of website security do you start to score. In addition to the problems, the platform also makes extensive suggestions and recommendations for action. Step by step, you should have your own website checked by the scanner, wait for the results and make progress. Anyone can run these scanners against your website, so problems that are detected at this level are obvious to everyone. If you want to have your website or web app analyzed and protected in depth, a penetration test is the method of choice.
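
A local version of two of the checks mentioned above, the cookie count and the HSTS preload requirements, as an added example that is not part of the original article and not Mozilla Observatory's own code. The sample headers are constructed, the function names are hypothetical, the one-year max-age threshold is the preload list's published minimum, and the Secure/HttpOnly cookie check goes slightly beyond what the article describes.

```python
from email.parser import Parser

# Constructed sample response headers (not captured from a real site).
SAMPLE_HEADERS = """\
Content-Type: text/html; charset=utf-8
Strict-Transport-Security: max-age=15768000; includeSubDomains
Set-Cookie: session=abc123; Path=/; HttpOnly
Set-Cookie: consent=1; Path=/; Secure; SameSite=Lax
"""

MIN_PRELOAD_MAX_AGE = 31536000  # one year, the preload list's minimum


def parse_hsts(value):
    """Split a Strict-Transport-Security value into lowercase directives."""
    directives = {}
    for part in value.split(";"):
        name, _, arg = part.strip().partition("=")
        if name:
            directives[name.lower()] = arg.strip().strip('"')
    return directives


def audit(raw_headers):
    """Return the cookie count and a list of HSTS and cookie findings."""
    msg = Parser().parsestr(raw_headers, headersonly=True)
    cookies = msg.get_all("Set-Cookie") or []
    findings = []
    hsts_value = msg.get("Strict-Transport-Security")
    if hsts_value is None:
        findings.append("no Strict-Transport-Security header")
    else:
        hsts = parse_hsts(hsts_value)
        max_age = hsts.get("max-age", "")
        if not max_age.isdigit() or int(max_age) < MIN_PRELOAD_MAX_AGE:
            findings.append("max-age below one year")
        if "includesubdomains" not in hsts:
            findings.append("includeSubDomains missing")
        if "preload" not in hsts:
            findings.append("preload missing")
    # Flag cookies lacking Secure or HttpOnly, matched as whole attributes.
    for cookie in cookies:
        attrs = {a.strip().split("=")[0].lower() for a in cookie.split(";")[1:]}
        for flag in ("secure", "httponly"):
            if flag not in attrs:
                findings.append(f"cookie {cookie.split('=')[0]!r} lacks {flag}")
    return {"cookie_count": len(cookies), "findings": findings}
```

Calling audit(SAMPLE_HEADERS) returns the cookie count together with the list of findings; a cookie count of 0 corresponds to the "no cookie banner necessary" case described above.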

Interfaces and more complex applications cannot and will not be investigated by the Mozilla Observatory at this point. So if you have an extensive web application and want to have the interfaces (API) examined, you should fall back on a professional provider.

Determine website security with the Google Search Console

The Google Search Console is a popular tool for webmasters. The first step is to confirm that you are the owner of the website. This is verified by an HTML tag, a DNS entry or similar common procedures. Once this is done, Google will tell you which keywords lead users to the registered website.

Search engine analysis & alerts in the Search Console dashboard

The Google Search Console is the tool for webmasters. With it, you can submit your website to the search engine company. This has several advantages, because it answers questions such as:

  • Which keywords do visitors use to get to my site?
  • For which keywords does my site rank in general?
  • How often was my website displayed?
  • How many pages of my website are in the Google index?

So it is a very useful tool, considering that Google has a near monopoly in Europe. Good rankings on Google often speak for a high number of visitors.

The dashboard of the Google Search Console
The dashboard of the Google Search Console informs you about the most important events from Google's point of view (Source: Screenshot Google Search Console)

Behind the few menu items you can find all kinds of statistics about your website. However, these are only recorded once you have started submitting the website to Google. The data goes back 90 days, so if you want to look back over a longer period of time, it's a good idea to save it. This information is very interesting from a marketing point of view, in terms of search engine optimization. Up to this point, however, it does little to help the security of the website. But the Google Search Console provides security information as well, namely when certain cases occur. Such a case occurs when the website distributes malware.

Unsafe website - warning
If this red warning appears when someone tries to visit your website, you lose a large share of your visitors.

The Search Console tells you more about security holes!

The Safe Browsing engine plays a central role in the detection of security problems. If your site is affected, you'll receive an immediate message in the Google Search Console. Until now, this is where you were notified that there are security problems on your website. Google now wants to accommodate webmasters and provide more detailed information about security problems. To this end, four categories will be added to the Search Console:

This is how the security of a website can be determined. So if you’re having problems, the Google Search Console is a good way to determine this status. For further website security, free scanners such as the Mozilla Observatory should be used. Especially for small and medium-sized companies these tools are worth a lot. Studies have shown that every second company website has security gaps.


M.Sc. Chris Wojzechowski

My name is Chris Wojzechowski and I studied for my Master's in Internet Security in Gelsenkirchen a few years ago. I am one of two managing directors of AWARE7 GmbH, a trained IT Risk Manager and IT-Grundschutz practitioner (TÜV), and I possess the test procedure competence for § 8a BSIG. Our bread and butter business is performing penetration testing. We are also committed to promoting a broad understanding of IT security in Europe, which is why we offer the majority of our products free of charge.