Editor’s note: The following post was written by Developer Security MVP Troy Hunt.
ASafaWeb is the Automated Security Analyser for ASP.NET Websites, a free on-demand service located at asafaweb.com. The goal of ASafaWeb is to help ASP.NET website developers quickly identify security misconfiguration risks within their sites. The service takes a publicly facing URL, then makes a number of non-malicious requests to the site to establish its security profile and provide guidance on how it can be further strengthened.
ASafaWeb goes beyond security analysis alone, though: it also aims to educate and build further awareness around constructs such as HttpOnly cookies and the X-Frame-Options (XFO) headers that prevent clickjacking attacks. Findings are accompanied by links to detailed explanations of the risk, possible attacks and required mitigation. There’s also a scheduling feature to regularly scan a site in case a misconfiguration should slip in during a release, whereupon an automated notification can then be delivered.
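To make the two constructs named above concrete, here is an added example (not part of the original post and not ASafaWeb's own code) that inspects a set of response headers for cookies without the HttpOnly attribute and for a missing or ineffective X-Frame-Options header. The function names and the sample headers are constructed for illustration.

```python
# Passive review of response headers you have already captured from your own site.
# Headers are (name, value) pairs because Set-Cookie may legitimately repeat.

VALID_XFO = {"deny", "sameorigin"}  # ALLOW-FROM is obsolete and ignored by modern browsers


def cookies_missing_httponly(set_cookie_values):
    """Return the names of cookies whose Set-Cookie value lacks HttpOnly."""
    missing = []
    for value in set_cookie_values:
        parts = [p.strip() for p in value.split(";")]
        name = parts[0].split("=", 1)[0]
        # Attribute names are case-insensitive; some carry "=value", some do not.
        attrs = {p.split("=", 1)[0].strip().lower() for p in parts[1:]}
        if "httponly" not in attrs:
            missing.append(name)
    return missing


def analyse(headers):
    """Return a list of findings to review; an empty list means both checks passed."""
    findings = []
    cookies = [v for k, v in headers if k.lower() == "set-cookie"]
    for name in cookies_missing_httponly(cookies):
        # A cookie that client script must read cannot be HttpOnly, so this is
        # a prompt to review the cookie, not an automatic defect.
        findings.append(f"cookie '{name}' lacks HttpOnly")
    xfo = [v.strip() for k, v in headers if k.lower() == "x-frame-options"]
    if not xfo:
        findings.append("X-Frame-Options header missing")
    for value in xfo:
        if value.lower() not in VALID_XFO:
            findings.append(f"X-Frame-Options value '{value}' is not DENY or SAMEORIGIN")
    return findings


# Constructed sample response headers (not output from any real site).
SAMPLE_HEADERS = [
    ("Content-Type", "text/html; charset=utf-8"),
    ("Set-Cookie", "ASP.NET_SessionId=abc123; path=/; HttpOnly"),
    ("Set-Cookie", "theme=dark; path=/"),
    ("X-Frame-Options", "ALLOW-FROM https://example.com"),
]

if __name__ == "__main__":
    for finding in analyse(SAMPLE_HEADERS):
        print(finding)
```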
I was inspired to create ASafaWeb as, in my role as a Developer Security MVP, I often see fundamental security concepts misunderstood by developers. Security has to be made more consumable, so I wanted to create the easiest possible means to assess websites and learn the basics in a fashion that’s clear and concise. Being a free on-demand service that literally takes seconds to run means the barriers to entry are non-existent and any ASP.NET developers – regardless of experience – can run it at the drop of a hat and get useful security information about their website back. It’s my community contribution to help build a safer web.