COLLEGE OF COMPUTING, INFORMATICS AND MEDIA
UNIVERSITI TEKNOLOGI MARA (UITM)
CAMPUS PUNCAK PERDANA, SHAH ALAM
BACHELOR OF INFORMATION SCIENCE (HONS)
(IMS657)
LEGAL AND ETHICAL ASPECTS OF INFORMATION SYSTEMS
INDEPENDENT PROJECT:
WEBSITE SECURITY EVALUATION: SUCURI
PREPARED BY:
MUHAMMAD HAZIQ DANIAL BIN MOHD NAWAWI (2022645766)
PREPARED FOR:
MADAM NORSANIAH BINTI MD NOH
GROUP:
CDIM2456A
SUBMISSION DATE:
18 JUNE 2024
ACKNOWLEDGEMENT
Alhamdulillah, praise be to Allah S.W.T., I am so blessed that I have managed to complete my
assignment with His blessings. I would like to thank Him for giving me good health and the
ability to complete this assignment. Before getting further into the assignment details, I would
like to express my heartfelt thanks to my lecturer, Madam Norsaniah bt Md Noh for her guidance
and teachings. Because of that, I can complete my report on Website Security Evaluation Using
SUCURI within the time frame given. Lastly, I hope all facts and my understanding shared in this
report will increase my knowledge and provide knowledge to others about online tools such as
SUCURI to evaluate website security.
TABLE OF CONTENTS
ABSTRACT
INTRODUCTION
PROBLEM STATEMENT
OBJECTIVES
METHODOLOGY
RESULTS
DISCUSSION
CONCLUSION
REFERENCES
ABSTRACT
The purpose of this website security evaluation is to examine the free online tools available
for scanning the security level of a website. Website security is very important to an
organization because the security of its website has a significant impact on the health and
well-being of the company. Most website attacks in the past have resulted from security
weaknesses in the website's design or from the developers' disregard for security while
building the website. Cyber security risks have become more prevalent recently, so it is
critical to take precautions to safeguard a website, particularly if it handles online
transactions or runs on a widely targeted platform such as WordPress. According to recent
reports, even businesses with dedicated cybersecurity teams experience regular threats, so
having appropriate protections is crucial. Because of these issues, this research was carried
out to assess a website's security as precisely as possible and to provide a thorough analysis
of its security level. A secure website is better able to avoid cyber security threats such as
data breaches, malware infections, and defacement.
INTRODUCTION
Website security refers to any measure or programme implemented to ensure that data on a
website is not accessible to cybercriminals and that the website cannot be exploited in any
manner. Such measures shield a website's hardware, software, and sensitive data against the
many kinds of attacks now in use, including attacks that disrupt or misdirect the services the
systems are designed to provide. Website security is a branch of cybersecurity concerned with
safeguarding websites from intrusion. It overlaps with web application security and cloud
security, which protect web-based applications and cloud services respectively, and with
network-level protections such as virtual private networks (VPNs), all of which have been made
possible by advances in protection technology. The smooth operation of any computer-based
organisation depends on web security: an organization's website, and even its entire network,
may go down if the website is hacked or if attackers gain access to company systems or software,
halting commercial activities. Companies must therefore take into consideration the elements
that go into threat prevention and web security.
It can be difficult to maintain website security, particularly when managing a large network
of websites. For an online presence, having a secure website is just as important as having a
website host. A website may lose up to 98% of its traffic, for example, if it is hacked and
blocklisted by search engines and browsers. Not having a secure website can be just as
detrimental as having none at all: a client data breach may lead to costly fines, legal action,
and reputational damage. Ensuring the security of an organization's website takes careful design
work in all areas, including the web application itself, web server settings, password creation
and renewal rules, and client-side code. The good news is that if the organization uses a
server-side web framework, it will almost certainly provide strong, well-thought-out defences
"by default" against some of the most prevalent attacks. The organization can reduce the impact
of other attacks by configuring its web server, for example by turning on HTTPS. Lastly, the
organization can use publicly accessible web security scanning tools to determine whether it has
committed any glaring errors.
One example of such a tool is Google Cloud's Web Security Scanner, with which an organization
can find security flaws in its App Engine, Compute Engine, and Google Kubernetes Engine (GKE)
web applications. The scanner crawls the application, following every link within the scope of
the company's starting URLs, and tries to exercise as many event handlers and user inputs as it
can. At present, Web Security Scanner is limited to public IP addresses and URLs that are not
protected by a firewall. Its purpose is to complement the organization's existing secure design
and development procedures. Web Security Scanner errs on the side of under-reporting and does not
present low-confidence alerts, so as not to distract the company with false positives. It does
not guarantee that the application is secure and does not take the place of a manual security
evaluation. In this research I use SUCURI as the online website security scanning tool to
evaluate website security, and the website category I evaluate is food and beverages (F&B),
represented by the Dutch Portland restaurant website. Dutch Portland is a restaurant located in
Portland, in the United States, that serves breakfast and lunch.
PROBLEM STATEMENT
A cyber attack is any deliberate attempt to gain unauthorised access to a network, computer
system, or digital device with the purpose of stealing, exposing, altering, disabling, or
destroying data, applications, or other assets. The people who launch these attacks are called
cybercriminals. Cybercriminals launch cyberattacks for a variety of motives, ranging from
small-scale larceny to military action. Their techniques include social engineering scams,
malware attacks, and password theft, all aimed at obtaining unauthorised access to the systems
they target. Businesses can be disrupted, damaged, or even destroyed by cyberattacks. The
motives behind cyberattacks vary, but they generally fall into three types: criminally
motivated, politically motivated, and personally motivated. Successful cyberattacks can harm
businesses through financial loss, data loss, and outages. By putting cybersecurity policies and
procedures in place, organisations can lower the frequency of successful cyberattacks. Since it
is hard to completely stop attackers, organisations should also use early detection procedures
and continuous security monitoring to spot and report cyberattacks as they happen.
OBJECTIVES
● To evaluate the security level of a food and beverages website
● To investigate the use of online web security tools
● To identify the best online web security tools for the assessment of websites
METHODOLOGY
I use SUCURI as the online website security scanner to evaluate the security of the Dutch
Portland Restaurant website. The Sucuri Security Scanner remotely finds blacklist warnings,
malware visible in the served source code, and security flaws in websites. SUCURI works with all
website platforms, including WordPress, Joomla, Magento, Drupal, phpBB, and others, and its paid
service assists in cleaning and safeguarding a website against Internet threats. Because the scan
is remote, it only sees what the site serves to a visitor; it cannot inspect server-side code,
configuration, or databases, so a clean result does not prove the site is free of vulnerabilities.
Figure 1: SUCURI website homepage
Figure 2: Dutch Portland Restaurant website
To use the SUCURI scanner, the user first creates an account with an email address. After
creating the account, the user copies the URL of the website to be evaluated and pastes it into
the search bar on the SUCURI homepage. Once the user enters the URL in the scan bar and presses
the scan button next to it, the website is evaluated and the outcome appears on screen within a
few seconds. Users can also use other features offered by SUCURI, such as website malware
scanning and detection, a website intrusion detection system (IDS), website CDN performance and
speed optimization, website malware removal and protection, and website disaster recovery; these
features are paid. The only free features check for known viruses, malware, blacklisting status,
website bugs, outdated software, and malicious code on the website.
RESULTS
The results, as illustrated in the figures below, were obtained by submitting the URL of the
Dutch Portland Restaurant website to SUCURI, which builds a scan profile for the application in
order to identify website vulnerabilities and report the data it collected about the site and
the modifications made to it.
DISCUSSION
The results above show the website security scanner features provided by SUCURI that users
can use to monitor and assess the security of their own websites and applications. Six things
were scanned by the SUCURI security features: viruses, malware, blacklisting status, website
bugs, outdated software, and malicious code.
Firstly, the scanner rated the security risk of the Dutch Portland Restaurant website as
medium. The scanner also stated that no malware was found on the website. The website is
publicly reachable and was not found on any of the nine blacklists the scanner consulted. The
initial low security risk is attributed to the absence of malware, injected spam, defacements,
and internal server errors during the scanning process. However, the overall rating for Dutch
Portland Restaurant rose to medium because no website application firewall (WAF) was detected in
front of the site. Without a WAF, every request from the Internet reaches the web application
directly, so injection attempts, exploit probes, and bot traffic are not filtered before they
arrive. A WAF differs from a conventional network firewall, which filters traffic by address and
port: a WAF inspects incoming and outgoing HTTP requests and responses against a set of security
rules in order to detect and block application-layer threats.
The SUCURI scan results also give several ways to improve the Dutch Portland Restaurant
website. First, regarding protection, SUCURI suggests that the website owner put a cloud-based
WAF in place to mitigate DDoS attacks and website hacking. The scanner also suggests publishing
an SPF record in the domain's DNS so that receiving mail servers can reject email that spammers
forge from the domain. The scan further found that the website's responses lack a number of
security headers. These gaps are straightforward to remedy. First, the missing clickjacking
protection can be addressed with Content-Security-Policy: frame-ancestors 'none' (or the older
X-Frame-Options: DENY header for browsers that do not support frame-ancestors), which forbids
other sites from embedding the page in a frame. The website also lacked the header that stops
content type sniffing. It is advised that the Dutch Portland Restaurant website add the
X-Content-Type-Options: nosniff header to strengthen protection against certain drive-by
download attacks. This header, supported by Internet Explorer, Chrome, and all other modern
browsers, stops them from MIME-sniffing a response away from its declared Content-Type, so that,
for example, a user-uploaded file served as text/plain cannot be reinterpreted as script.
Other than that, the Dutch Portland Restaurant website also lacked a
Strict-Transport-Security header. The HTTP Strict-Transport-Security response header (often
shortened to HSTS) tells browsers that a website should only be visited via HTTPS and that any
further attempt to access it via HTTP should be converted to HTTPS before the request is sent.
When a website merely accepts an HTTP connection and redirects it to HTTPS, users interact with
the non-encrypted version of the website for a moment before being redirected. This happens, for
instance, if the user types http://www.foo.com/ or even just foo.com. That unencrypted first
request creates an opportunity for a man-in-the-middle attack: an attacker on the network path
can intercept the redirect and send users to a malicious website instead of the secure version
of the original one. Once a browser has received the HSTS header over HTTPS, it automatically
rewrites any later HTTP request for that site to HTTPS for the duration of the header's max-age,
so the vulnerable plaintext step no longer occurs. Finally, the scanner also found that the Dutch
Portland Restaurant website lacked Content-Security-Policy directives. The SUCURI scanner
suggests including the following CSP directives (default-src can be used instead if all the
values are the same): base-uri, frame-src, object-src, and script-src. Note that base-uri does
not fall back to default-src and therefore must always be set explicitly.
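The header findings discussed above (HSTS, X-Content-Type-Options, clickjacking protection, and the CSP directives) can be checked without a third-party scanner by reading a site's response headers and applying the same rules. The script below is an added example written for this report; it is not SUCURI's code and does not reproduce SUCURI's scoring. The two header sets at the top are constructed samples, not responses captured from the Dutch Portland website, and the 6-month minimum for HSTS max-age is an assumed threshold. The optional fetch_headers helper performs a live request with the standard library if given a real URL.

```python
"""Audit HTTP response headers for the gaps a SUCURI-style scan reports.

Added example for this report (not SUCURI's code). The sample header sets
below are constructed for illustration, not captured from any real site.
"""
import re
import urllib.request

# Constructed sample: what an unhardened site might send.
WEAK_HEADERS = {
    "Content-Type": "text/html; charset=UTF-8",
    "Server": "nginx",
}

# Constructed sample: the same site after applying the fixes discussed above.
HARDENED_HEADERS = {
    "Content-Type": "text/html; charset=UTF-8",
    "Strict-Transport-Security": "max-age=31536000; includeSubDomains",
    "X-Content-Type-Options": "nosniff",
    "Content-Security-Policy": (
        "default-src 'self'; script-src 'self'; object-src 'none'; "
        "base-uri 'self'; frame-src 'none'; frame-ancestors 'none'"
    ),
}

HSTS_MIN_AGE = 15768000  # assumed threshold: six months in seconds


def _get(headers, name):
    """Case-insensitive lookup, since HTTP header names are case-insensitive."""
    for key, value in headers.items():
        if key.lower() == name.lower():
            return value
    return None


def parse_csp(value):
    """Split a Content-Security-Policy value into {directive: [sources]}."""
    policy = {}
    for part in value.split(";"):
        tokens = part.split()
        if tokens:
            policy[tokens[0].lower()] = tokens[1:]
    return policy


def hsts_max_age(value):
    """Return the max-age from an HSTS header value, or None if absent."""
    match = re.search(r"max-age\s*=\s*(\d+)", value, re.IGNORECASE)
    return int(match.group(1)) if match else None


def audit_headers(headers):
    """Return a list of findings; an empty list means every check passed."""
    findings = []

    hsts = _get(headers, "Strict-Transport-Security")
    if hsts is None:
        findings.append("HSTS: header missing; first HTTP request stays interceptable")
    else:
        age = hsts_max_age(hsts)
        if age is None or age < HSTS_MIN_AGE:
            findings.append(f"HSTS: max-age missing or shorter than six months ({hsts!r})")

    nosniff = _get(headers, "X-Content-Type-Options")
    if nosniff is None or nosniff.strip().lower() != "nosniff":
        findings.append("X-Content-Type-Options: 'nosniff' missing; MIME sniffing allowed")

    csp = parse_csp(_get(headers, "Content-Security-Policy") or "")
    xfo = (_get(headers, "X-Frame-Options") or "").strip().upper()
    # Either mechanism blocks framing; frame-ancestors is the modern one.
    if "frame-ancestors" not in csp and xfo not in ("DENY", "SAMEORIGIN"):
        findings.append("Clickjacking: no frame-ancestors directive and no X-Frame-Options")

    # script-src, object-src and frame-src inherit from default-src when
    # absent; base-uri never does, so it must be present explicitly.
    for directive in ("script-src", "object-src", "frame-src"):
        if directive not in csp and "default-src" not in csp:
            findings.append(f"CSP: {directive} missing and no default-src fallback")
    if "base-uri" not in csp:
        findings.append("CSP: base-uri missing (does not inherit from default-src)")

    return findings


def fetch_headers(url, timeout=10):
    """Fetch a URL and return its response headers as a dict (live check)."""
    with urllib.request.urlopen(url, timeout=timeout) as response:
        return dict(response.headers)


if __name__ == "__main__":
    for label, sample in (("weak", WEAK_HEADERS), ("hardened", HARDENED_HEADERS)):
        print(f"{label}: {audit_headers(sample) or ['no findings']}")
```

To check a live site, call audit_headers(fetch_headers("https://example.com/")) against a URL you are authorised to test; the constructed samples above run entirely offline.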
The outcome of the scan makes it evident that the website's developers still have a good deal
of work ahead of them in terms of the website's security. Problems such as the lack of a website
firewall and of security headers must be dealt with by the developer before they can be
exploited and harm the website further. The website owner should place a web application firewall
in front of the site, since it is the first line of defense against external threats such as
malware and attackers. Working together with an intrusion prevention system (IPS), a firewall can
block malware and some application-layer attacks. In general, firewalls are crucial for stopping
cyberattacks, safeguarding private information, and preserving the security and privacy of
computer systems and networks.
CONCLUSION
In conclusion, website security is very important to organizations, including food and beverages
companies. No matter how big or small the organization is, compromised website security can
have disastrous effects, because, by one estimate, rectifying the losses resulting from a
cyberattack costs a business more than $1.7 million, which could force a small or medium-sized
business to close its doors within a few weeks. Most people today rely on websites for the goods
and services they use daily, and clients may provide an organization with their full social
security number, date of birth, credit card details, and name. For malicious hackers who might
wish to steal this private data, this is a treasure trove. Organizations should not give
criminals this chance: they should take internal action to ensure that staff understand the
significance of protecting sensitive information, and protect that data by encrypting it before
it is sent anywhere. Safeguarding a business website also means safeguarding the physical assets
of the company, because attackers are not only able to steal consumer data but can also use a
compromised website to deliver malware to the computers of visitors and staff. Business owners
need to understand that protecting their operations requires a real financial commitment. As
cyberthreats grow more sophisticated, website owners are rightly concerned about safeguarding
their sites and users from harmful cyberattacks.
REFERENCES
Gray, K. (n.d.). 7 Reasons why website security is essential for your business.
https://blog.envisionitsolutions.com/7-reasons-why-website-security-is-essential-for-your-business
Home - Dutch's Portland. (2012, November 19). Dutch's Portland.
https://www.dutchsportland.com/
Sant, H. (2024, June 20). 15 Best Website Scanner to find security vulnerabilities and
Malware in 2024. Geekflare.
https://geekflare.com/online-scan-website-security-vulnerabilities/
Sucuri Security Scanner extension - Plesk. (2023, May 10). Plesk.
https://www.plesk.com/extensions/sucuri-security-scanner/
Yasar, K., & Lutkevich, B. (2023, April 19). Firewall. TechTarget Security.
https://www.techtarget.com/searchsecurity/definition/firewall