there's so many cool SaaS tools you can use to check security configurations... so if ur not into running nix command line tools and custom scripts you can still go take a look at common low hanging fruit! I've been using shields up since many many many years ago
                        
so let's do a quick thread.. inbound traffic... use https://www.grc.com/default.htm SHIELDS UP!
                        
you wanna check a site's TLS head over to https://www.ssllabs.com/ssltest/ now the main limitation here is that it won't scan custom ports (so back to sslscan etc. on nix if that's ur scenario)
                        
See, easy peasy and it doesn't take that long.... at the end you will see a GRADE score (a letter). now the devil is in the detail because A+ is great, it doesn't mean u'll get pwn3d if not everything is configured.
                        
so whilst that runs we should go check out MX records over at: https://mxtoolbox.com/ CONFIGURE DMARC/DKIM and SPF policies! go do it now! stop people impersonating ur brand! :) also move to hard fail rules... all those soft fails are pointless (ok monitor first)
                        
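The "soft fail vs hard fail" point above is easy to check yourself once you have the TXT records in hand. The script below is an added example, not the thread author's code or anything from mxtoolbox: it takes TXT records as plain strings (the sample records and the example.com names are constructed; resolving them, e.g. with `dig TXT`, is assumed to happen elsewhere), works out whether SPF ends in `-all`, `~all`, `?all` or `+all`, and whether DMARC is at `p=none` (monitor only), `p=quarantine` or `p=reject`, and reports what still needs tightening.

```python
import re

# Constructed sample TXT records for a made-up domain, in the shape a DNS TXT
# lookup (e.g. `dig TXT example.com` / `dig TXT _dmarc.example.com`) returns.
# Resolving is assumed to happen elsewhere; this script only judges the records.
SOFT_RECORDS = {
    "example.com": ["v=spf1 include:_spf.example.net ip4:203.0.113.0/24 ~all"],
    "_dmarc.example.com": ["v=DMARC1; p=none; rua=mailto:dmarc@example.com; pct=100"],
}
HARD_RECORDS = {
    "example.com": ["v=spf1 include:_spf.example.net ip4:203.0.113.0/24 -all"],
    "_dmarc.example.com": ["v=DMARC1; p=reject; sp=reject; rua=mailto:dmarc@example.com"],
}

def find_spf(txt_records):
    """Return the SPF record if exactly one exists (two is itself a permerror)."""
    spf = [r for r in txt_records if r.lower().startswith("v=spf1")]
    return spf[0] if len(spf) == 1 else None

def spf_terminal(spf):
    """Qualifier on the final 'all' mechanism: '-' hard fail, '~' soft fail,
    '?' neutral, '+' pass (explicit or implied). None if there is no 'all'."""
    m = re.search(r"(?:^|\s)([-~?+]?)all\s*$", spf, re.IGNORECASE)
    if not m:
        return None
    return m.group(1) or "+"

def parse_dmarc(record):
    """Split 'v=DMARC1; p=none; rua=...' into a {tag: value} dict."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags

def assess_domain(domain, records):
    """Return a list of findings; empty means SPF is at -all and DMARC at p=reject."""
    findings = []
    spf = find_spf(records.get(domain, []))
    if spf is None:
        findings.append("SPF: no single v=spf1 record found")
    else:
        q = spf_terminal(spf)
        if q == "~":
            findings.append("SPF: soft fail (~all); move to -all once monitoring is clean")
        elif q != "-":
            findings.append(f"SPF: terminal mechanism {q!r} gives receivers nothing to act on")

    dmarc = [r for r in records.get("_dmarc." + domain, [])
             if r.upper().startswith("V=DMARC1")]
    if not dmarc:
        findings.append("DMARC: no _dmarc record; nothing tells receivers what to do with spoofed mail")
    else:
        tags = parse_dmarc(dmarc[0])
        p = tags.get("p", "").lower()
        if p == "none":
            findings.append("DMARC: p=none is monitor-only; receivers will not act on failures")
        elif p == "quarantine":
            findings.append("DMARC: p=quarantine; move to p=reject once reports look clean")
        elif p != "reject":
            findings.append(f"DMARC: unexpected or missing policy p={p!r}")
        if tags.get("pct", "100") != "100":
            findings.append(f"DMARC: pct={tags['pct']} applies the policy to only part of the mail flow")
        if "rua" not in tags:
            findings.append("DMARC: no rua= address, so you get no aggregate reports to monitor with")
    return findings

if __name__ == "__main__":
    for label, recs in (("soft", SOFT_RECORDS), ("hard", HARD_RECORDS)):
        print(label, assess_domain("example.com", recs) or ["OK"])
```

The "monitor first" step from the thread maps onto `p=none` plus an `rua=` address: the script flags `p=none` as a finding, but it also flags a missing `rua=`, because without aggregate reports you have nothing to base the move to `-all` / `p=reject` on.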
                        
so our TLS/SSL scan has completed for this IP. so we can see here everything is good except it supports TLS 1.0 and 1.1 - there's probably a reason - they want to support legacy browsers. if u can migrate totally to TLS 1.3 u should but some people will choose not to
                        
see u can see here there's all these weak ciphers.. so if ur concern is people with many SUPERCOMPUTERS then disable them :P
                        
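For the custom-port case the thread sends you back to sslscan, whose output you then have to read by eye. As an added example (not the author's code and not part of sslscan), the script below parses sslscan-style text and pulls out the two things the last two tweets point at: legacy protocol versions still enabled, and ciphers that are weak for a stated reason (legacy protocol, short key, RC4/3DES, no AEAD mode, no forward secrecy). The sample output is constructed; sslscan's exact layout varies between versions, so the line formats the regexes expect are an assumption.

```python
import re

# Constructed sample in the shape of sslscan's text output. The exact layout
# varies by sslscan version, so the line formats below are an assumption for
# this example, not output captured from a real host.
SAMPLE_SSLSCAN = """\
  SSL/TLS Protocols:
SSLv2     disabled
SSLv3     disabled
TLSv1.0   enabled
TLSv1.1   enabled
TLSv1.2   enabled
TLSv1.3   enabled

  Supported Server Cipher(s):
Accepted  TLSv1.3  256 bits  TLS_AES_256_GCM_SHA384
Accepted  TLSv1.2  256 bits  ECDHE-RSA-AES256-GCM-SHA384  Curve P-256 DHE 256
Accepted  TLSv1.2  128 bits  ECDHE-RSA-AES128-SHA
Accepted  TLSv1.2  112 bits  DES-CBC3-SHA
Accepted  TLSv1.0  128 bits  AES128-SHA
Accepted  TLSv1.0  128 bits  RC4-SHA
"""

PROTO_RE = re.compile(r"^(SSLv[23]|TLSv1\.[0-3])\s+(enabled|disabled)$")
CIPHER_RE = re.compile(r"^Accepted\s+(\S+)\s+(\d+)\s+bits\s+(\S+)")
LEGACY_PROTOCOLS = {"SSLv2", "SSLv3", "TLSv1.0", "TLSv1.1"}

def is_aead(name):
    # TLS 1.3 suites (TLS_...) are always AEAD; for 1.2 look for an AEAD mode.
    return name.startswith("TLS_") or any(m in name for m in ("GCM", "CCM", "CHACHA20"))

def weak_reasons(proto, bits, name):
    """Why a cipher offering is weak; an empty list means nothing to flag."""
    reasons = []
    if proto in LEGACY_PROTOCOLS:
        reasons.append(f"offered on legacy {proto}")
    if bits < 128:
        reasons.append(f"{bits}-bit key")
    if "RC4" in name:
        reasons.append("RC4")
    if "DES" in name:
        reasons.append("DES/3DES")
    if any(t in name for t in ("NULL", "EXP", "ANON", "ADH", "AECDH")):
        reasons.append("null/export/anonymous")
    if not is_aead(name):
        reasons.append("no AEAD (CBC or stream cipher with a separate MAC)")
    if not name.startswith(("ECDHE-", "DHE-", "TLS_")):
        reasons.append("no forward secrecy")
    return reasons

def analyze(text):
    """Return enabled legacy protocols and (proto, cipher, reasons) for weak ciphers."""
    legacy = []
    weak = []
    for raw in text.splitlines():
        line = raw.strip()
        m = PROTO_RE.match(line)
        if m and m.group(2) == "enabled" and m.group(1) in LEGACY_PROTOCOLS:
            legacy.append(m.group(1))
            continue
        m = CIPHER_RE.match(line)
        if m:
            proto, bits, name = m.group(1), int(m.group(2)), m.group(3)
            reasons = weak_reasons(proto, bits, name)
            if reasons:
                weak.append((proto, name, reasons))
    return {"legacy_protocols": legacy, "weak_ciphers": weak}

if __name__ == "__main__":
    result = analyze(SAMPLE_SSLSCAN)
    print("legacy protocols enabled:", result["legacy_protocols"])
    for proto, name, reasons in result["weak_ciphers"]:
        print(f"{proto:8} {name:32} {', '.join(reasons)}")
```

Feed it real sslscan output with something like `sslscan host:port | python3 this_script.py` after swapping `SAMPLE_SSLSCAN` for `sys.stdin.read()`. The reasons list is what turns the "supercomputers" joke into a decision: a CBC suite on TLS 1.2 is a different risk from RC4 on TLS 1.0, and you only get to weigh that if the tool tells you why each line was flagged.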
                        
so that's MX, TLS and ingress ports (to ur egress IP, so remember to check all of them). also think about egress: u wanna be blocking risky ports e.g. (21, 25, 22, 445, 138, 139, 3389) to the internet really (from endpoints, not specific server roles)
                        
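The egress point is the one a SaaS scanner can't see for you, because it's about what leaves your network rather than what's exposed on it. As an added example (not the author's code), here is a small sweep over firewall logs that flags allowed connections from endpoint subnets to non-RFC1918 addresses on the ports the tweet lists. The key=value log lines, the endpoint subnet `10.10.0.0/16` and all addresses are constructed (external hosts use TEST-NET ranges); a server subnet is included to show that, as the tweet says, the rule is about endpoints, not specific server roles like a mail relay.

```python
import ipaddress
import re

# Ports the thread calls out as risky to leave open outbound from endpoints.
RISKY_EGRESS_PORTS = {21, 22, 25, 445, 138, 139, 3389}
# RFC1918 space; anything outside it is treated as "the internet".
INTERNAL_NETS = [ipaddress.ip_network(n)
                 for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
# Constructed: the subnet where user endpoints live (server roles are elsewhere).
ENDPOINT_NETS = [ipaddress.ip_network("10.10.0.0/16")]

# Constructed firewall log lines in a simple key=value shape (not from a real
# product); timestamps and addresses are made up, externals use TEST-NET ranges.
SAMPLE_LOG = """\
2024-05-01T07:01:02Z action=allow proto=tcp src=10.10.4.21 dst=203.0.113.50 dport=445
2024-05-01T07:01:05Z action=allow proto=tcp src=10.10.4.21 dst=10.10.200.5 dport=445
2024-05-01T07:02:10Z action=allow proto=tcp src=10.10.7.3 dst=198.51.100.9 dport=3389
2024-05-01T07:02:11Z action=deny proto=tcp src=10.10.7.3 dst=198.51.100.9 dport=22
2024-05-01T07:03:00Z action=allow proto=tcp src=10.10.9.8 dst=203.0.113.80 dport=443
2024-05-01T07:03:30Z action=allow proto=tcp src=10.20.1.4 dst=203.0.113.25 dport=25
"""

KV_RE = re.compile(r"(\w+)=(\S+)")

def in_any(addr, nets):
    return any(addr in n for n in nets)

def parse_line(line):
    """Turn one key=value log line into a dict, or None if it is malformed."""
    fields = dict(KV_RE.findall(line))
    try:
        return {
            "ts": line.split()[0],
            "action": fields["action"],
            "src": ipaddress.ip_address(fields["src"]),
            "dst": ipaddress.ip_address(fields["dst"]),
            "dport": int(fields["dport"]),
        }
    except (KeyError, ValueError, IndexError):
        return None  # skip garbage rather than crash the whole sweep

def risky_egress(log_text):
    """Allowed connections from endpoint subnets to non-RFC1918 hosts on risky ports."""
    hits = []
    for line in log_text.splitlines():
        ev = parse_line(line)
        if ev is None or ev["action"] != "allow":
            continue
        if (ev["dport"] in RISKY_EGRESS_PORTS
                and in_any(ev["src"], ENDPOINT_NETS)
                and not in_any(ev["dst"], INTERNAL_NETS)):
            hits.append((ev["ts"], str(ev["src"]), str(ev["dst"]), ev["dport"]))
    return hits

if __name__ == "__main__":
    for ts, src, dst, port in risky_egress(SAMPLE_LOG):
        print(f"{ts} endpoint {src} reached internet host {dst} on risky port {port}")
```

In the sample only the SMB and RDP connections from the workstation subnet get flagged: the SMB to an internal file server, the denied SSH attempt, normal HTTPS and the mail relay's outbound SMTP are all expected. Running this over a day of logs before you add the deny rules tells you what will break, which is the egress equivalent of the "ok monitor first" advice for DMARC.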
                        
ok so what else can we do (security on a SaaS budget :P) well we can check content security policies! look weeeeeee! now these can protect against UI Redress (clickjacking) and cool stuff like XSS. be careful tho u can break ur site if u get these wrong so TUNE the config :)
                        
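The two protections named in the tweet come from specific pieces of the policy: `frame-ancestors` (with `X-Frame-Options` as the older fallback) for clickjacking, and `script-src` (falling back to `default-src`) for XSS. As an added example, not the author's code or any scanner's, here is a checker that parses a `Content-Security-Policy` header into its directives and reports the gaps. The two header sets are constructed for hypothetical sites, and the `'nonce-d3adb33f'` value is a made-up placeholder.

```python
# Constructed response headers for two hypothetical sites; nothing here was
# captured from a real host, and the nonce value is a placeholder.
WEAK_HEADERS = {
    "Content-Type": "text/html",
    "Content-Security-Policy": "default-src *; script-src * 'unsafe-inline' 'unsafe-eval'",
}
HARDENED_HEADERS = {
    "Content-Type": "text/html",
    "Content-Security-Policy": ("default-src 'self'; script-src 'self' 'nonce-d3adb33f'; "
                                "object-src 'none'; frame-ancestors 'none'; base-uri 'self'"),
    "X-Frame-Options": "DENY",
}

def parse_csp(value):
    """\"default-src 'self'; script-src ...\" -> {directive: [source list]}."""
    directives = {}
    for part in value.split(";"):
        tokens = part.split()
        if tokens:
            directives[tokens[0].lower()] = tokens[1:]
    return directives

def assess_headers(headers):
    """Return findings for clickjacking and XSS exposure; empty list means none found."""
    h = {k.lower(): v for k, v in headers.items()}
    findings = []
    csp = parse_csp(h["content-security-policy"]) if "content-security-policy" in h else None
    xfo = h.get("x-frame-options", "").strip().upper()

    # Clickjacking / UI redress: frame-ancestors wins, X-Frame-Options is the fallback.
    fa = csp.get("frame-ancestors") if csp else None
    if fa is not None:
        if "*" in fa:
            findings.append("clickjacking: frame-ancestors allows any origin (*)")
    elif xfo not in ("DENY", "SAMEORIGIN"):
        findings.append("clickjacking: no frame-ancestors and no X-Frame-Options DENY/SAMEORIGIN")

    # XSS: where scripts may come from, using default-src as the fallback like browsers do.
    if csp is None:
        findings.append("XSS: no Content-Security-Policy header")
        return findings
    scripts = csp.get("script-src", csp.get("default-src"))
    if scripts is None:
        findings.append("XSS: neither script-src nor default-src set, scripts unrestricted")
    else:
        has_nonce_or_hash = any(
            s.startswith(("'nonce-", "'sha256-", "'sha384-", "'sha512-")) for s in scripts)
        if "*" in scripts or any(s.endswith(":") for s in scripts):  # e.g. a bare "https:"
            findings.append("XSS: script-src allows wildcard or whole-scheme sources")
        if "'unsafe-inline'" in scripts and not has_nonce_or_hash:
            findings.append("XSS: 'unsafe-inline' scripts with no nonce/hash to override it")
        if "'unsafe-eval'" in scripts:
            findings.append("XSS: 'unsafe-eval' enabled")
    objects = csp.get("object-src", csp.get("default-src"))
    if objects is None or "*" in objects:
        findings.append("XSS: object-src (plugins/embeds) unrestricted")
    return findings

if __name__ == "__main__":
    for label, hdrs in (("weak", WEAK_HEADERS), ("hardened", HARDENED_HEADERS)):
        print(label, assess_headers(hdrs) or ["OK"])
```

On the "u can break ur site" warning: the standard way to tune a policy without breaking anything is to ship it first as `Content-Security-Policy-Report-Only`, which reports violations but does not block. The checker above only looks at the enforcing header, so a site still in report-only mode is reported as having no CSP, which is the honest answer about what it currently enforces.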
                        
now let's go further... let's hunt for other web tools! Immuniweb offer a site scanner https://www.immuniweb.com/websec/ clearly it says free so ur the product :P lol but if ur using saas ur almost always the product anyway :P
                        
now's the time to get another cup of tea whilst this runs. it runs A LOT of checks... well it says it does (i'm not monitoring it coz it's too fkin early)
                        
take those headings with a pinch of salt... being GDPR compliant here DOES not mean anything in reality to ur data controller/processor risks and obligations. the technical controls u use r up to u
                        
while that runs - no SaaS explore will be complete without @shodanhq so get ur butts checking ur exposed ports! shodan also has a vuln detection capability which is super awesome (u need to validate them coz it uses passive checks) https://www.shodan.io/