Sitefinity Web Site Security Assessment Package


Duration: 2 weeks


Minimum of 2 meetings with client (Business SME) for questions and investigations beyond the site. Also full access to the source code of the site.

Description of deliverables:

Assessing the overall security architecture of a website is crucial to ensure the protection of sensitive data, prevent unauthorized access, and mitigate potential security risks. Here are some key aspects that a Visus Sr. Cybersecurity expert will check for:

  1. HTTPS and SSL/TLS:

    • Ensure that the website uses HTTPS to encrypt data transmission.
    • Check for a valid SSL/TLS certificate to establish a secure connection between the server and the client.
  2. Secure Authentication and Authorization:

    • Verify that the website implements strong authentication mechanisms, such as multi-factor authentication (MFA).
    • Check for secure session management and token-based authentication.
    • Ensure that authorization is properly implemented to control user access to different parts of the website.
  3. Protection Against OWASP Top 10 Vulnerabilities:

    • Look for protection against common web application vulnerabilities listed in the OWASP Top 10, including SQL injection, cross-site scripting (XSS), and cross-site request forgery (CSRF).
  4. Input Validation and Sanitization:

    • Check if the website performs proper input validation and sanitization to prevent code injection attacks.
  5. Secure Password Storage:

    • Ensure that user passwords are securely hashed and salted to protect against data breaches.
  6. Security Headers:

    • Check for the presence of security-related HTTP headers like Content Security Policy (CSP), X-XSS-Protection, X-Content-Type-Options, and others.
  7. Secure File Uploads:

    • Verify that the website applies restrictions and validation on file uploads to prevent malicious file execution.
  8. Secure APIs:

    • If the website has APIs, ensure that they are protected with proper authentication, authorization, and rate limiting.
  9. Secure Payment Processing:

    • If the website processes payments, check if it complies with Payment Card Industry Data Security Standard (PCI DSS) requirements.
  10. Regular Security Updates:

    • Check if the website’s underlying software, frameworks, and plugins are regularly updated to patch security vulnerabilities.
  11. Error Handling and Logging:

    • Verify that error messages do not expose sensitive information to potential attackers.
    • Check for proper logging and monitoring to detect and respond to security incidents.
  12. Data Privacy and GDPR Compliance:

    • Ensure that the website handles user data in compliance with data privacy laws, such as the General Data Protection Regulation (GDPR).
  13. Access Controls:

    • Review the access controls in place to restrict administrative access to authorized personnel only.
  14. Intrusion Detection and Prevention:

    • Check if the website has intrusion detection and prevention systems in place to monitor and block suspicious activities.
  15. Penetration Testing and Vulnerability Assessments:

    • If possible, conduct regular penetration testing and vulnerability assessments to identify potential weaknesses.

It’s important to remember that security is an ongoing process, and threats evolve over time. Regular security assessments, updates, and monitoring are essential to maintain a robust security posture for a website.