How You Can Test Your Episerver Website's Security
Wed 30 November, 2016 / By Jon D Jones
Security is a big concern for any online presence, especially if you do any type of e-commerce. For any large, enterprise-level client, I suggest hiring a third-party testing company to independently test your website for vulnerabilities. However, there are a number of free tools and checks you can use yourself to help ensure your site is as secure as possible. In today's guide, I'm going to cover some of these free tools and how you can use them to test your website.
SSLLabs provides a free online scanner that performs a deep analysis of your public SSL web server's configuration to test your site's security.
Depending on your hosting server's setup, you might come up with a rather disappointing grade. Luckily, after checking my site, I got an "A" grade and my website was shown on their site. Boom! If your website fails, you have some things to work on. A lot of this ranking depends on your hosting provider: have they enabled insecure protocols and encryption ciphers on your server?
The Sucuri SiteCheck scanner will check your website for known malware, blacklisting status, website errors, and out-of-date software.
ScanMyServer provides a fairly comprehensive report on a number of potential security vulnerabilities, such as SQL injection, cross-site scripting and HTTP header injection. The tool is more PHP oriented, but it only takes a few seconds to run, so it can be worth the hassle.
To get the ScanMyServer report you need to add some HTML to your website footer, which may or may not put you off using it.
Next on the list of tools is ASafaWeb. ASafaWeb will scan your Episerver/.NET based website and, based on its tests, give you a list of pass/fail notifications with recommendations where applicable.
Even though my website is PHP based, it can still scan it. It checks basic things such as whether tracing is disabled and whether ELMAH logs are kept away from the public, and it will flag issues such as HTTP cookie settings.
Security-headers.io will scan your website and check whether you have implemented the HTTP response headers that help prevent attacks such as cross-site scripting (XSS).
The Security-headers.io report will warn you about headers such as Content-Security-Policy, X-Frame-Options, X-XSS-Protection and X-Content-Type-Options.
The CSP analyser will analyse your site's Content Security Policy and tell you how good it is.
Quttera is another tool that checks your website for malware and vulnerability exploits. Quttera will scan your site for malicious, suspicious and potentially suspicious files, and check it against PhishTank, Safe Browsing (Google, Yandex) and the Malware Domain List.
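If you would rather check the same response headers from a script, here is an added example (not code from the original post or from any of the scanners above) that applies the checks Security-headers.io and the CSP analyser perform to a set of headers. The `WEAK` and `HARDENED` header sets are constructed samples, `cdn.example.com` is a placeholder host, and `fetch_headers` is an optional helper for reading the headers of a site you administer.

```python
from urllib.request import Request, urlopen

def parse_csp(value: str) -> dict:
    """Parse a Content-Security-Policy header into {directive: [sources]}."""
    policy = {}
    for part in value.split(";"):
        tokens = part.split()
        if tokens:
            policy[tokens[0].lower()] = [t.lower() for t in tokens[1:]]
    return policy

def check_security_headers(headers: dict) -> list:
    """Return findings for a response's headers; an empty list means all checks passed."""
    h = {k.lower(): v for k, v in headers.items()}   # header names are case-insensitive
    findings = []
    csp = h.get("content-security-policy")
    if csp is None:
        findings.append("Content-Security-Policy missing")
    else:
        policy = parse_csp(csp)
        if "default-src" not in policy:
            findings.append("CSP has no default-src fallback")
        # script-src falls back to default-src when it is absent
        scripts = policy.get("script-src", policy.get("default-src", []))
        for weak in ("'unsafe-inline'", "'unsafe-eval'", "*"):
            if weak in scripts:
                findings.append(f"CSP allows {weak} for scripts")
    if h.get("x-frame-options", "").lower() not in ("deny", "sameorigin"):
        findings.append("X-Frame-Options missing or not DENY/SAMEORIGIN (clickjacking)")
    if h.get("x-content-type-options", "").lower() != "nosniff":
        findings.append("X-Content-Type-Options is not 'nosniff' (MIME sniffing)")
    if "x-xss-protection" not in h:
        findings.append("X-XSS-Protection missing (legacy header; only older browsers use it)")
    return findings

def fetch_headers(url: str) -> dict:
    """Fetch live response headers from a site you administer (not run offline)."""
    with urlopen(Request(url, method="HEAD")) as resp:
        return dict(resp.headers.items())

# Constructed sample: a default IIS/.NET response with no hardening applied.
WEAK = {"Server": "Microsoft-IIS/8.5", "X-Powered-By": "ASP.NET", "Content-Type": "text/html"}
# Constructed sample: the same site after adding the headers the scanners look for.
HARDENED = {"Content-Security-Policy": "default-src 'self'; script-src 'self' https://cdn.example.com",
            "X-Frame-Options": "SAMEORIGIN", "X-Content-Type-Options": "nosniff",
            "X-XSS-Protection": "1; mode=block"}

if __name__ == "__main__":
    for name, hdrs in (("weak", WEAK), ("hardened", HARDENED)):
        print(name, check_security_headers(hdrs) or ["all checks passed"])
```

Run it against `fetch_headers("https://your-site.example")` to see which of the four headers your own Episerver site is still missing before you submit it to the online scanners.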