How to Perform a Security Audit: 11 Things to Put on Your Checklist (plus, the best tools you could use)

So, you need to do a quick risk assessment of your site. How do you perform a security audit?

Are there any quick and easy (and effective) things that you can do to evaluate your website and to detect any security risks lurking in there?

And what are some of the tools that you could use?

Here are the answers to all the dilemmas stemming from your main question:

"Security auditing: what do to?"

1. But First: What Is a Security Audit Report?

What do we mean by "audits" in this context?
 

• pentests
• regular security assessments
• "security posture" tests
• auditing logs
   

And what is a security audit report, more precisely?

Source: searchcio.techtarget.com

In short: when you run a security audit you evaluate your website's performance in relation to a list of criteria.

And, more often than not, you'd want to include other types of security diagnosis into your workflow, as well:
 

• penetration testing: where you (or an expert in your team) simulate the actions of a potential hacker, performing several attacks on your website to test its resilience
• vulnerability assessment: where you try to identify any security weaknesses 

2. What Tasks Should You Put Into Your Security Audit Checklist? Top 11

What should you do in your regular security audits? 

What security audit procedures to include?

We've put together a list of 11 steps to put on your checklist. So, when conducting a security audit the first step is to:

2.1. Determine the Assets that You'll Be Focusing On

Set the scope of your audit:

Which are the high priority assets that you'll be scanning and monitoring?

For example, your list could include key assets like:
 

• sensitive customer and company data
• internal documentation
• IT infrastructure
   

You can't expect to future-proof your website's improved level security if you're going to use the same vulnerable IT equipment, right?

Next, you'll want to set your security perimeter, as well:

What are the things that your audit will cover and those that should be skipped?

2.2. List Out Potential Threats

You can't build a shield around your website against a "no-name" threat, right?

You need to go ahead and name those threats, so you know what to look for and how to adapt your future security measures:

Here are just some examples of security threats that you might want to put on your list: 
 

• negligent employees using weak passwords for sensitive company data 
• malware
• phishing attacks
• denial of service attacks
• malicious insiders

2.3. Assess the Current Level of Security Performance

Another key step to put on your security audit checklist.

Your team could be using the strongest passwords. They could be sticking to rigorous security procedures and best practices.

And yet, they might not be informed about the latest methods that hackers use to infiltrate systems...

A good evaluation of your organization's current security performance will help you identify precisely weak links like that one.

2.4. Set Up Configuration Scans

Using a higher-end scanner will help you:
 

• detect security vulnerabilities 
• assess the hardening of the PCs
   

Are there any malware/anti-spyware programs in there? Turned on encryption, settings that are temporarily changed? 

Therefore, keep in mind to run some configuration scans, too, when you do a security audit. They make a great "ally" for spotting any config mistakes that people in your team might have made.

2.5. Keep an Eye on Reports (Not Just on the Urgent Alerts)

As you put all your focus on urgent alerts, you might be tempted to underestimate the value of the reports generated by your auditing tools.

Now, that's one risky thing to do.

Instead, you'd want to keep an eye on those reports, for they can be a tremendous source of valuable information.

"Information" that might look non-alarming to you now, but, which — with time, if a suspicious activity becomes a routine — can turn into a major threat.

One that you'd ignore by... overlooking to go through your reports.

2.6. Monitor DNS for any Unexpected Changes

Are there any signs of sloppiness when it comes to the credentials used for your domain?

The quicker you identify them, the lower the security risk.

2.7. Run Daily Scans of Your Internet-facing Network

As you'll security audit your website, you'll want to be alerted (on a daily basis, if possible) about any "surprising" changes.

2.8. Mirror Your Website

Why is this a "must" task to include in your security auditing plan?

Because by mirroring your website you spot some otherwise hard-to-access files and directories.

You'd be surprised at how many valuable:
 

• internal IP addressing schemes
• email addresses and phone numbers of people in your team
• code-related comments
• software versions
• server names
   

... you can find in those comment fields.

2.9. Perform an Internal Vulnerability Scan

How? By opting for an enterprise-level vulnerability scanner.

What it does is install an agent on each computer in your organization, that will monitor their... vulnerability level.

How often should you run this type of scan? 

Monthly or quarterly would be great.

2.10. Run Some Phishing Tests

You'll want to set up a routine of sending out fake phishing emails to people in your team.

It's still the most effective type of cybersecurity training that you could give your team:
 

• they get a close-to-real-life experience of a phishing attack
• they can assess their own vulnerability to scenarios where they'd give hackers access to sensitive information (by clicking on links or attachments in a phishing email)

2.11. Monitor Your Firewall's Logs

Watch for any inconsistent or unusual behavior in your firewall. 

3. What Are Some of the Best Security Auditing Tools You Can Use? Top 5

Now that you have a plan put in place you need some tools to carry it out, right?

We've done our research, put together a list, then narrowed down the options to 5 tools that you should consider evaluating first:

3.1. The OWASP Testing Guide

A step-by-step checklist that'll streamline your manual testing efforts.

Note: running an OWASP top 10 check is one of those "quick and easy" things you that can do for assessing your website's security performance. You'd be testing it for 10 of the most common security risks.

3.2. Burp Suite

What if you wanted to put your security audit on autopilot?

You could go for Burp Suite to manually analyze your website, then run an active scan.

Note: the tool comes in two "flavors", a pro and a free version.

3.3. Nessus

If you're looking for an easy to use tool, Nessus Tenable's the one.

Use it to track down security vulnerabilities on your website. It's effective and it generates some detailed reports.

3.4. Qualys Web App Scans 

Its main selling points:
 

• great coverage
• accurate reports

3.5. Rapid7 

You might want to try their vulnerability scanner.
 

And 2 honorable mentions: Rapidfiretools.com and Risksense.

4. Final (Wise) Word

The keyword that best describes an effective security audit is "on-going":

It's definitelty not a one-time event, but rather a routine made of several "healthy" habits that you stick to.

A "routine" aimed at helping you formulate a custom set of security solutions:
 

• network monitoring
• data backup
• employee education awareness
• software updates
• email protection
   

What if you don't have the resources — the time and the available people in your team — to run a security audit?

We're here to help.

Just drop us a line and let's tailor a security audit checklist that meets your website's specific challenges.


Image by raphaelsilva from Pixabay