Ask HN: What do you use to monitor website security (vulns, uptime, etc.)?
3 points
1 day ago
| 4 comments
| HN
I recently built [PenZen](https://penzen.app). It scans websites for real vulnerabilities (not just SSL checks) using OWASP Zap under the hood and sends prioritized alerts with AI-powered remediation suggestions.

I made it because I was tired of tools that alert me about issues I don't understand or can’t do anything about. Curious: What are you using to monitor website security?

And more importantly: What actually makes you trust a report or take action on it?

McNutty
2 hours ago
[-]
Shodan (with account, not just talking about the public search page)
reply
alp1n3_eth
1 day ago
[-]
Externally / Blackbox options would be Nessus, Nuclei, OWASP ZAP (as you mentioned), and Burp Suite. The two latter only work well when used in combination with manual methods though, as they won't pick up business logic, auth bypass, MFLAC/IDOR, etc. on their own.

A lot of scanning templates / rulesets won't be 100% accurate or up-to-date, and will easily miss a lot of big things, so having it pentested by an actual person is always important.

From the source code side of things, Semgrep / CodeQL, Veracode / Snyk, Burp Enterprise (CI/CD), etc. are good options. But again, most places shouldn't get just scans, there should be a manual component involving a security professional who knows what they're doing.

XBOW is making some pretty cool strides in the meantime from a blackbox perspective though.

reply
KomoD
1 day ago
[-]
I use HetrixTools for uptime monitoring for both websites and servers (with their agent).

I don't use anything that scans for generic "vulns" (like "you're missing this header") and just use a WAF like Cloudflare for most stuff.

reply
mtmail
1 day ago
[-]
Do you mean https://penzen.app/ ? The .io domain doesn't resolve for me.
reply
lukejkwarren
1 day ago
[-]
That’s the one! Apologies.

Using any other security scanning tools?

reply