In light of the recent COVID-19 pandemic - OPTASY would like to offer DRUPAL website support for any Health Care, Government, Education and Non-Profit Organization(s) with critical crisis communication websites or organizations directly providing relief. Stay Safe and Stay Well.

How to Perform a Security Audit: 11 Things to Put on Your Checklist (plus, the best tools you could use)
Tips

How to Perform a Security Audit: 11 Things to Put on Your Checklist (plus, the best tools you could use)

by Adriana Cacoveanu on May 22 2020

So, you need to do a quick risk assessment of your site. How do you perform a security audit?

Are there any quick and easy (and effective) things that you can do to evaluate your website and to detect any security risks lurking in there?

And what are some of the tools that you could use?

Here are the answers to all the dilemmas stemming from your main question:

"Security auditing: what do to?"

1. But First: What Is a Security Audit Report?

What do we mean by "audits" in this context?

 

  • pentests
  • regular security assessments
  • "security posture" tests
  • auditing logs

     

And what is a security audit report, more precisely?

What Is a Security Audit Report?

Source: searchcio.techtarget.com

In short: when you run a security audit you evaluate your website's performance in relation to a list of criteria.

And, more often than not, you'd want to include other types of security diagnosis into your workflow, as well:

 

  • penetration testing: where you (or an expert in your team) simulate the actions of a potential hacker, performing several attacks on your website to test its resilience
  • vulnerability assessment: where you try to identify any security weaknesses 

2. What Tasks Should You Put Into Your Security Audit Checklist? Top 11

What should you do in your regular security audits? 

What security audit procedures to include?

We've put together a list of 11 steps to put on your checklist. So, when conducting a security audit the first step is to:

2.1. Determine the Assets that You'll Be Focusing On

Set the scope of your audit:

Which are the high priority assets that you'll be scanning and monitoring?

For example, your list could include key assets like:

 

  • sensitive customer and company data
  • internal documentation
  • IT infrastructure

     

You can't expect to future-proof your website's improved level security if you're going to use the same vulnerable IT equipment, right?

Next, you'll want to set your security perimeter, as well:

What are the things that your audit will cover and those that should be skipped?

2.2. List Out Potential Threats

You can't build a shield around your website against a "no-name" threat, right?

You need to go ahead and name those threats, so you know what to look for and how to adapt your future security measures:

Here are just some examples of security threats that you might want to put on your list: 

 

  • negligent employees using weak passwords for sensitive company data 
  • malware
  • phishing attacks
  • denial of service attacks
  • malicious insiders

2.3. Assess the Current Level of Security Performance

Another key step to put on your security audit checklist.

Your team could be using the strongest passwords. They could be sticking to rigorous security procedures and best practices.

And yet, they might not be informed about the latest methods that hackers use to infiltrate systems...

A good evaluation of your organization's current security performance will help you identify precisely weak links like that one.

2.4. Set Up Configuration Scans

Using a higher-end scanner will help you:

 

  • detect security vulnerabilities 
  • assess the hardening of the PCs

     

Are there any malware/anti-spyware programs in there? Turned on encryption, settings that are temporarily changed? 

Therefore, keep in mind to run some configuration scans, too, when you do a security audit. They make a great "ally" for spotting any config mistakes that people in your team might have made.

2.5. Keep an Eye on Reports (Not Just on the Urgent Alerts)

As you put all your focus on urgent alerts, you might be tempted to underestimate the value of the reports generated by your auditing tools.

Now, that's one risky thing to do.

Instead, you'd want to keep an eye on those reports, for they can be a tremendous source of valuable information.

"Information" that might look non-alarming to you now, but, which — with time, if a suspicious activity becomes a routine — can turn into a major threat.

One that you'd ignore by... overlooking to go through your reports.

2.6. Monitor DNS for any Unexpected Changes

Are there any signs of sloppiness when it comes to the credentials used for your domain?

The quicker you identify them, the lower the security risk.

2.7. Run Daily Scans of Your Internet-facing Network

As you'll security audit your website, you'll want to be alerted (on a daily basis, if possible) about any "surprising" changes.

How to Perform a Security Audit: Run Daily Scans of Your Internet-Facing Network
 

2.8. Mirror Your Website

Why is this a "must" task to include in your security auditing plan?

Because by mirroring your website you spot some otherwise hard-to-access files and directories.

You'd be surprised at how many valuable:

 

  • internal IP addressing schemes
  • email addresses and phone numbers of people in your team
  • code-related comments
  • software versions
  • server names

     

... you can find in those comment fields.

2.9. Perform an Internal Vulnerability Scan

How? By opting for an enterprise-level vulnerability scanner.

What it does is install an agent on each computer in your organization, that will monitor their... vulnerability level.

How often should you run this type of scan? 

Monthly or quarterly would be great.

2.10. Run Some Phishing Tests

You'll want to set up a routine of sending out fake phishing emails to people in your team.

It's still the most effective type of cybersecurity training that you could give your team:

 

  • they get a close-to-real-life experience of a phishing attack
  • they can assess their own vulnerability to scenarios where they'd give hackers access to sensitive information (by clicking on links or attachments in a phishing email)

2.11. Monitor Your Firewall's Logs

Watch for any inconsistent or unusual behavior in your firewall. 

How to Perform a Security Audit: Monitor Your Firewall's Logs

3. What Are Some of the Best Security Auditing Tools You Can Use? Top 5

Now that you have a plan put in place you need some tools to carry it out, right?

We've done our research, put together a list, then narrowed down the options to 5 tools that you should consider evaluating first:

3.1. The OWASP Testing Guide

A step-by-step checklist that'll streamline your manual testing efforts.

Note: running an OWASP top 10 check is one of those "quick and easy" things you that can do for assessing your website's security performance. You'd be testing it for 10 of the most common security risks.

3.2. Burp Suite

What if you wanted to put your security audit on autopilot?

You could go for Burp Suite to manually analyze your website, then run an active scan.

Note: the tool comes in two "flavors", a pro and a free version.

3.3. Nessus

If you're looking for an easy to use tool, Nessus Tenable's the one.

Use it to track down security vulnerabilities on your website. It's effective and it generates some detailed reports.

3.4. Qualys Web App Scans 

Its main selling points:

 

  • great coverage
  • accurate reports

3.5. Rapid7 

You might want to try their vulnerability scanner.

 

And 2 honorable mentions: Rapidfiretools.com and Risksense.

4. Final (Wise) Word

The keyword that best describes an effective security audit is "on-going":

It's definitelty not a one-time event, but rather a routine made of several "healthy" habits that you stick to.

A "routine" aimed at helping you formulate a custom set of security solutions:

 

  • network monitoring
  • data backup
  • employee education awareness
  • software updates
  • email protection

     

What if you don't have the resources — the time and the available people in your team — to run a security audit?

We're here to help.

Just drop us a line and let's tailor a security audit checklist that meets your website's specific challenges.

Image by raphaelsilva from Pixabay  

Development

We do Web development

Go to our Web development page!

Visit page!

Recommended Stories

DrupalDrupal 8Tips
10 Best Headless CMS in 2020, That Cover Most of Your Requirements (Part 2)

10 Best Headless CMS in 2020, That Cover Most of Your Requirements (Part 2)

Ready to compare the features of 5 other best headless CMS in 2020? We've got them ready for you to just dive in and: survey the key reasons why you'd choose one over the other discover each one's main use cases narrow down your options … and pick the one that matches your requirements. What Is the Best Headless CMS in 2020? 5.6. Directus An open source tool for managing and delivering content across an entire network of platforms and devices. And here are some of the top reasons for choosing Directus: it provides your editorial team with an easy to use admin app for managing content it can be in the cloud or self-hosted it provides API for your development team to fetch content 5.7. Netlify CMS  One of your top 10 headless CMS options, an open source one, that you get to add to any static site generator of your choice. A React single-page application that provides you with an easy to use UI, playing the role of a… wrapper for your Git Workflow. Basically, when using Netlify CMS your content gets stored in your web app's git repository (as markdown files), close to your codebase.   "How does a Netlify CMS Gatsby setup work?"   It's pretty straightforward: You enter your content via that user-friendly interface, then Gatsby uses it to come up with the right pages for your web app. Why would you use it? it fits both large and small-sized projects, with fewer pages to create, to add content to, to edit, and to manage you get to review/preview your content and make changes in real-time, and even control entries status in editorial workflow mode it provides you with an easy-to-use UI, with just 3 tabs: workflow, media, and content you're free to use it with any static site generator you get to extend its functionality: add your own UI widgets, editor plugins, customized previews, etc. 5.8. GraphCMS     An API-first content management system, a GraphQL-native one, that allows you to distribute content across multiple digital platforms. And not just anyhow, but… within minutes. Your developer team gets to create content APIs in no time, whereas your content team gets all the tools they need for a smooth editor experience.   Source: capterra.com GraphCMS vs Contentful: Main Differences GraphCMS works best for enterprise and mid-market companies, enabling them to build highly scalable applications GraphQL is its underlying technology: an open source query language for APIs, that's been growing more and more popular among developers Contentful targets top global brands, helping them distribute digital content experiences across complex networks of markets and channels REST is its underlying technology: a programming paradigm for distributed systems And here are 2 good reasons for choosing GraphCMS as your go-to headless content management system:  you get a CMS that's client-side and JAMstack compatible you get to tap into the benefits of a JAMstack approach to development (JavaScript & Markup & API) 5.9. Cosmic A cloud-hosted headless content management system that provides you with both GraphQL and REST APIs. But what makes Cosmic one of the best headless CMS in 2020? Why choose the Cosmic Headless CMS?  it ships with features like content modeling, media management, localization, and webhooks it grants you a smooth editor experience with its WYSIWYG  editor, that you can use to incorporate (by embedding code) third-party services like Typeform and GitHub. it integrates smoothly with AWS, Slack, Algolia, Stripe, HubSpot 5.10. Kentico Kontent A cloud-based content delivery API that turns your structured content into content that's easy to be "consumed" by any device or digital platform that you might use as a front-end delivery layer.  Why would you choose it over other great options of headless CMS? you get an AI chatbot when using Kentico Kontent it provides webhooks and custom elements that make third-party integrations a lot smoother you get content management API enabling content consumption And we've come to… the END of the list of 10 best headless CMS in 2020. Which one checks the most features off your list? Now, if you're facing a "Headless Drupal 8 vs Contentful" dilemma, we're here to: help you identify the one that works best for your business and your requirements make your headless CMS-based project work Just drop us a line!   Image by tdfugere from Pixabay   ... Read more
Adriana Cacoveanu / Sep 26'2020
DrupalDrupal 8JavascriptTips
10 Best Headless CMS in 2020, That Cover Most of Your Requirements (Part 1)

10 Best Headless CMS in 2020, That Cover Most of Your Requirements (Part 1)

Overwhelmed with options? Are you building your first (e-commerce) headless CMS and you don't know what headless CMS platform to choose?  What are the best headless CMS in 2020, so you can at least narrow down your choices and start... somewhere? Which system matches most of your feature requirements? Here's a top 10: 1. But First: What Is a Headless CMS, More Precisely? Relax, I won't bore you with too many details — we already have an in-depth post on the differences between headless and traditional CMS. So, if we were to sum up the concept in just a few words, we could say that: A headless content management system is an architecture where content is separated from the presentation layer (the client-side front-end). Meaning that you get to create, store, and edit "raw" content (with no design or layout) in the backend and deliver it wherever needed —wearable, mobile app, website — via API. In short, what you get in a headless architecture is: a database to store your content in a dashboard for editing your content Source: Zesty.io As for the "head" that serves your content to the end-user : you're free to build your own front-end, from the ground up … and even multiple front-ends, if needed, that will all use calls from the API to retrieve and display content 2. … Then What's a Decoupled CMS? Headless CMS vs decoupled CMS: what's the difference? And why headless over decoupled? The role that the API plays… That's what makes the difference (and why you'd want to go for a headless approach): If, in a decoupled architecture, the API plays the role of an intermediary between back-end and front end, in a headless architecture the API can be used by any of the front-end portions for pulling data. In other words, a decoupled CMS does come with a built-in front-end delivery layer, that you can rely on, but a headless approach is an API-driven content repository. Which gives you more flexibility for delivering content to any type of display layer. … to multiple "heads". You're free to distribute it wherever it needs to get displayed. 3. Why Choose a Headless CMS? Top 9 Benefits Before I "divulge" the best headless CMS in 2020 to you, here's a shortlist of the key advantages of using a headless CMS software: you get to engage your customers with personalized content across an entire network of digital channels, at different stages in their journey you can deliver richer digital experience, tailored to each channel you gain platform independence you're free to choose your technology of choice you benefit from cross-platform support you get to manage your content from a central location and distribute it to multiple platforms/IoT-connected devices, in a universal format you're free to manage all your platforms from one interface your development team gets to choose the development framework of their choice, integrate new technologies and, overall… innovate you're free to redesign as often as you need to, without the dread of re-implementing your entire CMS from the ground up     4. … And When Should You Use It? 5 Best Use Cases  How do you know for sure that you need to adopt this approach? You know it because your scenario describes one of the following use cases for headless CMS: you're building a site using a technology you're familiar with you're building a website with a static site generator you're building a JS-based website or web app you're building a native mobile app you're building an e-commerce site and you know that the commerce platform you're using won't… cut the mustard as a CMS; or you need to enrich product info in your online store 5. What Are the Best Headless CMS in 2020? Top 10 "Which CMS should I use?" you wonder. "The one that meets most of your requirements…" So, you should start by pinning them down. What features are you looking for in a CMS? Maybe you need a system that should: be straightforward and easy to use for the marketers/non-technical people in your team be built on… Node be highly customizable and editable for your content team to be able to change overlay text, logo, background video/image be simple to set up integrate easily with Gatsby support multi-site setups not be tied up to (just) one specific database provide ease of content entry and rich-text support provide a granular permission system provide native support for content types What are the features that your project couldn't live without? Now, with that list of "mandatory" features at hand, just drill down through your top headless CMS options in 2020. Here they are: 5.1. Storyblok A purely headless CMS that ships with a visual editor, as well. Why would you go for Storyblok? What makes it one of the best headless CMS in 2020? it provides the experience of a page builder for all those non-technical users in your team: editors get to manage content via a more user-friendly interface it grants your developers easy access to the APIs they need 5.2. Prismic Its major selling point? It allows you to choose your own language, framework, technology… And these are the 3 good reasons to go with Prismic as your headless CMS: it allows you to model your content schema and to add your content you're free to choose whatever framework that meets your feature needs: React, Vue, Next, Nuxt, Node, Gatsby… you're free to choose either GraphQL or RESTful API to query content 5.3. Drupal 8 Headless CMS   Another great option is to exploit Drupal's headless capabilities and pair them with the JavaScript framework of your choice. Here are some of the best reasons why you'd use a Drupal 8 API-first architecture: Drupal's a mature and enterprise-level headless solution backed by a wide community, used by more than 1 million sites globally; you get to tap into its massive module collection and even create new custom ones to extend your website's functionality its JSON:API follows the JSON:API specification; developers in your team can start using the API even if they're not experts in working with Drupal you get to load your GraphQl schemas straight from your Drupal content repository; there's a specialized module for this: the GraphQL module you get to use all of  Drupal's famed features (granular access to content, processes, workflows, modules, etc.) right away; you get them out-of-the-box since the REST API is… rooted deep into Drupal 5.4. Strapi, One of the Best headless CMS for Gatsby. It's an open-source Node.js headless CMS, a "host it yourself" one, that allows you to build Node.js apps in… minutes. Why would you use it? because it generates available RESTful API or uses GraphQL shortly after installation, making data available via customizable API because it allows your developers to invest all their resources in writing reusable app logic (instead of having to use some of that time to build an infrastructure) because it's fully JavaScript because it supports plugins that extend the platform's functionality because it's open-source: you'll find the entire codebase on GitHub  5.5. Contentful  Looking for a platform-agnostic solution? A… content delivery network that would enable your development team to manage and distribute (and reuse) content to multiple channels? Then this is the API-driven headless CMS you're looking for. Here are 6 other reasons why you'd want to put Contentful on your shortlist: consistent APIs easy to set up you're free to create your own models easy to use: ships with a robust, non-technical, user-friendly UI you get to add custom plugins quick and easy you get to set your own schemas to get displayed the way you want them to, across different apps Good to know! There's even a Shopify extension available. What it does is connect your online store to your content, stored in Contentful. And if you'll need help with building, fine-tuning, and integrating your content hub, we're ready to tweak Contentful to your needs.  END of Part 1! Stay tuned, for there are 5 more candidates for the title of "the best headless CMS in 2020" waiting in line.  Image by Couleur from Pixabay ... Read more
Adriana Cacoveanu / Sep 25'2020
Tips
Magento vs Shopify 2020: Which Platform Should You Use for Your eCommerce Store? And Why?

Magento vs Shopify 2020: Which Platform Should You Use for Your eCommerce Store? And Why?

A bit stuck? Are you looking to roll out your online store, but… you’re struggling with a Magento vs Shopify 2020 dilemma? Which solution works best for the size and the type of your eCommerce business? Which one covers most of your feature needs? In today’s post you’ll get your answers to the following questions: How are they different? Why would you choose Shopify over Magento? What are its strongest selling points? What are the cons of Shopify? What are the pros and cons of Magento vs Shopify? Which eCommerce platform works best for your type of business? 1. What Are the Major Differences Between Magento and Shopify? The main reason why you’re torn between Magento and Shopify is that: You don’t have a clear picture of the essential differences between them. So, let me expose them to you: 1.1. Magento is an eCommerce solution for enterprise-level online stores. It’s robust and flexible enough to power fully customized eCommerce websites, built from scratch — that you can further expand to fit your growth plan — by teams of Magento developers. 1.2. Shopify, on the other hand, is self-managed.  You don’t need any specialized skills — or server-side techs — to set up a Shopify store.  A front-end developer and a designer, at most, will do. “How easy is it to use Shopify?” Shopify is best-known for being beginner-friendly.  In short, the “Magento vs Shopify” dilemma comes down to: Flexibility and customization vs Ease of use. Which one's more important to you? 2. Magento vs Shopify 2020: Why Would You Choose Shopify? What makes Shopify a candidate for the title of “the best solution for creating an eCommerce website in 2020"? Here’s why Shopify could be the better choice for your online store: you have no (or limited) coding skills the idea of having a huge app marketplace at your disposal to browse through sounds tempting to you you need to get your e-Store up and running… now: the drag-and-drop website builder allows you to set up a new store in… minutes it’s an end-to-end eCommerce solution that you’re looking for, one that enables you to roll out and manage your online store with no technical experience it’s easier to use: its interface is famous for being particularly user-friendly you run a small or medium-sized eCommerce business page loading time is critical for you: Shopify’s just… fast Overall, it’s much less of a headache than Magento and usually the go-to option for small eCommerce business owners, with no web development experience, who need to get their websites rolled out fast. 3. What Are the Cons of Shopify? What could make you hesitate to choose Shopify for your eCommerce website? For there are, indeed, some limitations to consider before going for this particular platform:   You’d be trading some of the control over your online store for… ease of use and the convenience of setting up your eStore quick and easy, with no technical expertise   You do get a huge collection of plugins to choose from but… they all come with a price tag on; one that you’ll need to consider when planning out your budget   You won’t be able to customize every single aspect of your website. By comparison, Magento puts no limitation on the configurations that you can make to your site   Shopify provides you with weaker SEO features   It charges a transaction fee per… sale   4. Why Would You Choose Magento over Shopify? When dealing with a Magento vs Shopify 2020 dilemma, what could make you opt for Magento? Lots of reasons... Here are the strongest ones:   It enables you (or your team of Magento developers in Toronto) to customize everything about your eCommerce website, from theme to checkout process, to main menu, to email template, to...   You get to build custom functionality for your website, that’s not available on the market   You have lots of extensions available to choose from — Magento being open-sourced — and to customize your online store   You benefit from its strong SEO capabilities   You get to tap into its multi-store functionality: Magento enables you to manage all your online stores from one central dashboard   “In fact, according to eCommerce Platforms research Magento SEO scores 95 out of 100, and that is great result!” (source: Cart2Cart ) In short, you’d want to go with Magento because it enables you to build pretty much anything that you might need for your eCommerce website. 5. What About the Cons of Using Magento? For you need to be aware of the disadvantages of using this eCommerce solution, as well, before you make any decision. Now, here are the most… discouraging ones:   Building a fully customized website in Magento takes time and requires web development experience and Magento expertise; you can’t get away without a team of back-end Magento developers to handle the whole process and all the customization wok   You do have a large and thriving community to rely on, but no 24/7 dedicated support (like you have with Shopify)   You’ll need to optimize your Magento website on a regular basis to make sure it keeps performing at its best   You’ll need to take into account the cost of all the extensions that you might want to add, of the web hosting service, and the Magento expertise needed   6. Magento 2 vs Shopify vs... Shopify Plus: Which One’s the Best Fit? Considering that, starting June 2020, Magento 1.0 is no longer supported, your Magento vs Shopify 2020 dilemma turns into: “Magento 2 vs Shopify”. What new features does Magento 2 bring to the debate? simplified navigation (even) better customization capabilities better performance a more admin-friendly panel drag-and-drop layout editing improved checkout  “And what about Shopify Plus?” you might then ask yourself. Here are some of the enhancements that Shopify Plus ships with, so you can see for yourself whether it’s the best fit for what you’re looking for:   It gives you greater control over your online store: you gain more customization freedom   It’s robust enough to handle more than 10,000 transactions per minute, which makes it a viable alternative to Magento 2 for enterprise-level eCommerce businesses   You’re free to edit your checkout page (a feature that’s not available in Shopify)   You get your own launch manager: basically, a dedicated Shopify Plus team will handle everything for you, from implementing the custom Shopify theme that you need to code writing   7. Which Commerce Platform Works Better for Your Type of eCommerce Business? Now that you have a clear(er) picture of the pros and cons of Magento vs Shopify, how do you know which one’s the best fit for you? For your business goals and size? It’s simple: just pick the answer(s) that best fits your scenario from the following ones: You’ll want to use Magento if: you have a large product catalog your customization  needs are… above the average (i.e. complex product configurations): you want a fully customized online store built from the ground up you need a commerce platform robust enough to support your entire network of vendor/supplier fulfillment channels you have qualified Magento developers in your team (or the budget to hire some professionals, who know what they’re doing) You’ll want to use Shopify over Magento in 2020 if: it’s a small to medium product catalog that you need to set up being able to integrate/cross-sell on multiple platforms is a crucial feature for you you need to get your storefront online as quickly as possible Does this head-to-head help you with your Magento vs Shopify 2020 dilemma?  No matter which one’s the “winner”, the next question stays the same: “How do I get my Shopify/ Magento website built and suited to my needs?" Just drop us a line and we’ll have either our Shopify or our Magento expert team assigned to your eCommerce project! Image by Photo Mix from Pixabay  ... Read more
Adriana Cacoveanu / Sep 18'2020

Need a new Project?

Dare us to shape and boost your idea(s)!

Start a Project

(416) 243-2431

Contact

(416) 243-2431

Toronto Downtown

First Canadian Place,
100 King St. W. Suite 5700, Toronto

Toronto West

2275 Upper Middle
Rd. E, Suite 101
Toronto

New York

1177 Avenue of the
Americas, 5th Floor,
New York