TL;DR
Most web application attacks exploit well-known vulnerabilities that cheap, automated tools can catch today. You do not need a $50,000 security consultant. A combination of free SAST (code scanning), DAST (running application scanning), API testing, and container scanning can find and fix OWASP Top 10 risks before attackers do. This article gives you a one-week plan, real tool names, and costs from $0 to $500 per month.
The Problem: Your Software Has the Same Old Holes
Every business runs software, custom or off-the-shelf. Attackers do not write zero-day exploits for most SMB targets. They run automated scanners looking for missing patches, exposed admin panels, SQL injection points, and broken authentication. The OWASP Top 10 has barely changed in a decade because developers keep making the same mistakes, and businesses skip scanning because it sounds expensive.
It is not. You can scan your web app, your APIs, and your containers this week for free or less than $500 per month. This post shows you exactly what to do and what tools to use.
The One-Week AppSec Sprint
Day 1-2: SAST, Catch Vulnerabilities in Your Code
Static Application Security Testing (SAST) scans your source code before it runs. It finds injection flaws, hardcoded secrets, insecure deserialization, and other bugs from the OWASP Top 10 categories like Injection (A03:2021) and Cryptographic Failures (A02:2021).
What to use:
- SonarQube Community Edition: $0, self-hosted. Scans 35+ languages. Install on a $20 VPS or your build server. Integrates with GitHub, GitLab, Bitbucket. It catches code smells and security hotspots together, which saves time.
- Snyk Code: free tier for small teams (1 dev free, then $25/dev/month). It shows the data flow from user input to vulnerable function, making injection flaws obvious. The free tier covers SAST and open-source dependency scanning.
What to do:
- Install SonarQube Community on a Linux box (`docker run -d -p 9000:9000 sonarqube:community`, so the web UI is reachable on port 9000).
- Connect your main web app repository.
- Run the first scan. Do not fix all 1,000 issues. Sort by severity, fix Critical and Blocker items first.
- Put a `sonar.qualitygate` check in your CI pipeline to block new critical issues.
Day 3-4: DAST, Hit Your Running App Like an Attacker
Dynamic Application Security Testing (DAST) scans your running application from the outside. It spiders your site, sends attack payloads, and reports what actually works. This covers Broken Access Control (A01:2021), Security Misconfiguration (A05:2021), and Cross-Site Scripting (A03:2025).
What to use:
- OWASP ZAP: $0, open-source. Desktop GUI or headless in CI. The full scan finds SQLi, XSS, path traversal, and misconfigurations in 30-90 minutes. Use the "Ajax Spider" for JavaScript-heavy apps.
- Burp Suite Community Edition: $0. Manual testing power tool, but the automated scanner is limited. Good for targeted checks on login pages and APIs.
What to do:
- Run ZAP Quick Start against your staging environment (never production on first scan).
- Fix all High and Critical alerts, especially anything with "SQL Injection" or "XSS".
- Set up ZAP Baseline Scan in your CI pipeline. It runs a passive scan on every deploy and fails the build if new high-confidence issues appear.
- Check your HTTP headers: `curl -I https://yourapp.com`. Missing Content-Security-Policy, X-Frame-Options, or X-Content-Type-Options? ZAP flags them. Add them.
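The header check above is easy to automate once you have the `curl -I` output. The script below is an added example, not code from the article or from the ZAP project: it parses a raw header dump, reports each security header ZAP would flag as missing or weak, and is run against two constructed header blocks, one "before" and one with the fixes applied. The accepted values (a `default-src` directive without `'unsafe-inline'`, `DENY`/`SAMEORIGIN`, `nosniff`, an HSTS `max-age`) are this example's baseline, not a ZAP rule set.

```python
"""Added example: check the security headers in a `curl -I` dump.
Neither the header blocks nor the baseline below come from the article."""

# Header -> predicate that says whether the value is acceptable (example baseline).
REQUIRED = {
    "content-security-policy": lambda v: "default-src" in v and "'unsafe-inline'" not in v,
    "x-frame-options": lambda v: v.strip().upper() in ("DENY", "SAMEORIGIN"),
    "x-content-type-options": lambda v: v.strip().lower() == "nosniff",
    "strict-transport-security": lambda v: "max-age=" in v.lower(),
}


def parse_headers(raw: str) -> dict:
    """Turn a `curl -I` dump into a case-insensitive dict; the status line is dropped."""
    headers = {}
    for line in raw.splitlines():
        if ":" not in line or line.upper().startswith("HTTP/"):
            continue
        name, value = line.split(":", 1)
        headers[name.strip().lower()] = value.strip()
    return headers


def check_security_headers(raw: str) -> list:
    """Return (header, problem) pairs: 'missing' or 'weak value: <value>'."""
    headers = parse_headers(raw)
    findings = []
    for name, acceptable in REQUIRED.items():
        if name not in headers:
            findings.append((name, "missing"))
        elif not acceptable(headers[name]):
            findings.append((name, "weak value: " + headers[name]))
    return findings


# Constructed sample: a typical first-scan response with no hardening.
BEFORE = """HTTP/2 200
server: nginx
content-type: text/html; charset=utf-8
x-frame-options: ALLOW-FROM https://partner.example
"""

# Constructed sample: the same response after the headers are added.
AFTER = """HTTP/2 200
server: nginx
content-type: text/html; charset=utf-8
content-security-policy: default-src 'self'; frame-ancestors 'none'
x-frame-options: DENY
x-content-type-options: nosniff
strict-transport-security: max-age=31536000; includeSubDomains
"""

if __name__ == "__main__":
    for label, raw in (("before", BEFORE), ("after", AFTER)):
        print(label, check_security_headers(raw) or "all required headers present")
```

To use it on a live host, pipe `curl -sI https://yourapp.com` into the script and read the result into `check_security_headers`; the deprecated `ALLOW-FROM` form in the sample is the kind of value that is present but still reported as weak.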
Day 5: API Security, The Hidden Attack Surface
APIs are often less protected than the main web app. An exposed /api/v1/users that returns all user records because no authorization check exists is a Broken Access Control nightmare. The OWASP API Security Top 10 exists separately for this reason.
What to use:
- Postman: $0 for API testing. Combine with OWASP ZAP as a proxy: Postman sends requests through ZAP, which identifies vulnerable endpoints.
- Postman collections define every endpoint. Run them against staging, then review ZAP alerts.
What to do:
- List every API endpoint your business exposes (internal and external).
- For each endpoint, verify authentication is required. If an endpoint returns data without a valid token, that is a critical finding.
- Check that `/api/admin` endpoints are not exposed to the internet. Use a simple curl test to confirm.
- Test rate limiting: send 100 requests in 10 seconds to a login endpoint. No throttle? That is a brute-force vulnerability.
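The three checks in this list (token required, admin path reachable, login throttled) can be scripted and run against staging on every deploy. The following is an added example, not code from the article or from Postman or ZAP: it starts a small constructed API on localhost whose `/api/v1/users` route deliberately lacks an authorization check, whose `/api/admin` route is reachable, and whose `/api/login` route throttles after ten attempts, then audits it the way Day 5 describes. The token, routes and limits are all invented for the demo; the audit sends fifteen login requests rather than the article's hundred, which is enough to cross the demo's limit.

```python
"""Added example: a constructed demo API plus the Day 5 endpoint audit.
Server, token, routes and thresholds are all hypothetical."""
import json
import threading
import time
from collections import deque
from http.server import BaseHTTPRequestHandler, HTTPServer
from urllib.error import HTTPError
from urllib.request import Request, urlopen

DEMO_TOKEN = "demo-token-123"           # constructed; a real app validates a session or JWT
LOGIN_LIMIT, LOGIN_WINDOW_S = 10, 10     # demo throttle: attempts per window


class DemoApi(BaseHTTPRequestHandler):
    """Constructed backend: one data endpoint is deliberately unprotected."""
    login_hits = deque()  # timestamps of recent POST /api/login calls

    def _send(self, code, body):
        data = json.dumps(body).encode()
        self.send_response(code)
        self.send_header("Content-Type", "application/json")
        self.end_headers()
        self.wfile.write(data)

    def _authed(self):
        return self.headers.get("Authorization") == f"Bearer {DEMO_TOKEN}"

    def do_GET(self):
        if self.path == "/api/v1/users":   # bug on purpose: no authorization check
            return self._send(200, [{"id": 1, "email": "a@example.test"}])
        if self.path in ("/api/v1/orders", "/api/admin"):  # token required
            if self._authed():
                return self._send(200, {"ok": True})
            return self._send(401, {"error": "unauthorized"})
        self._send(404, {"error": "not found"})

    def do_POST(self):
        if self.path != "/api/login":
            return self._send(404, {"error": "not found"})
        now, hits = time.monotonic(), DemoApi.login_hits
        while hits and now - hits[0] > LOGIN_WINDOW_S:  # drop attempts outside the window
            hits.popleft()
        if len(hits) >= LOGIN_LIMIT:
            return self._send(429, {"error": "too many attempts"})
        hits.append(now)
        self._send(401, {"error": "bad credentials"})

    def log_message(self, *args):  # keep the demo quiet
        pass


def start_demo_server():
    """Bind to a free localhost port and serve in a background thread."""
    server = HTTPServer(("127.0.0.1", 0), DemoApi)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server, server.server_address[1]


def status(url, method="GET", token=None):
    """HTTP status for one request; 4xx/5xx are returned as codes, not raised."""
    headers = {"Authorization": f"Bearer {token}"} if token else {}
    try:
        with urlopen(Request(url, method=method, headers=headers), timeout=5) as r:
            return r.status
    except HTTPError as e:
        return e.code


def audit_api(base_url):
    """Return (severity, endpoint, message) findings following the Day 5 checklist."""
    findings = []
    for path in ("/api/v1/users", "/api/v1/orders"):
        if status(base_url + path) == 200:
            findings.append(("critical", path, "returns data without a token"))
    if status(base_url + "/api/admin") != 404:
        findings.append(("high", "/api/admin", "admin path is reachable from this network"))
    codes = [status(base_url + "/api/login", method="POST") for _ in range(LOGIN_LIMIT + 5)]
    if 429 not in codes:
        findings.append(("high", "/api/login", f"no throttling after {len(codes)} rapid attempts"))
    return findings


if __name__ == "__main__":
    server, port = start_demo_server()
    for finding in audit_api(f"http://127.0.0.1:{port}"):
        print(*finding)
    server.shutdown()
```

Against your own staging environment, replace the demo server with the base URL and the endpoint list from your Postman collection; the audit only ever sends unauthenticated requests and a short burst to the login route, which is the same traffic the manual checks in the list produce.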
Day 6: Container Scanning and Dependency Checks
If you use Docker containers, your base images are full of known vulnerabilities. Attackers scan Docker Hub for outdated images. Trivy checks your containers and your application dependencies.
What to use:
- Trivy: $0, open-source. Scan images, filesystems, and git repos. Run `trivy image your-app:latest` to see all CVEs.
- Snyk Open Source (included in free tier). Checks your `package.json`, `requirements.txt`, `pom.xml` for known vulnerable libraries.
What to do:
- Scan your container images. Fix everything with CVSS 9.0+ first.
- Update your base image tag: `python:3.11-slim`, not `python:latest`.
- Add Trivy to your CI: every image build fails if a critical CVE exists with a fix available.
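The two rules in this list, "CVSS 9.0+ first" and "fail the build on a critical CVE that has a fix", plus the base-image tag check, can be applied to Trivy's JSON output without any extra tooling. The script below is an added example, not the article's or the Trivy project's code: it reads a report shaped like `trivy image -f json` output (the `Results`/`Vulnerabilities` layout with `VulnerabilityID`, `Severity`, `FixedVersion` and `CVSS` fields), implements both rules, and checks a Dockerfile for floating base-image tags. The report and Dockerfile are constructed, and the `CVE-0000-0000x` identifiers are placeholders, not real CVEs.

```python
"""Added example: CI triage rules over a Trivy-style JSON report, plus a
Dockerfile base-image tag check. All sample data is constructed."""

SEVERITY_RANK = {"UNKNOWN": 0, "LOW": 1, "MEDIUM": 2, "HIGH": 3, "CRITICAL": 4}


def _vulns(report):
    """Yield (target, vulnerability) pairs; Results entries may lack Vulnerabilities."""
    for result in report.get("Results", []):
        for v in result.get("Vulnerabilities") or []:
            yield result.get("Target", "?"), v


def blocking_vulns(report, min_severity="CRITICAL", require_fix=True):
    """The CI rule: findings at or above min_severity that already have a fixed version."""
    hits = []
    for target, v in _vulns(report):
        if SEVERITY_RANK.get(v.get("Severity", "UNKNOWN"), 0) < SEVERITY_RANK[min_severity]:
            continue
        if require_fix and not v.get("FixedVersion"):
            continue  # nothing to upgrade to yet; report it, do not block on it
        hits.append((target, v["VulnerabilityID"], v["PkgName"],
                     v["InstalledVersion"], v.get("FixedVersion", "")))
    return hits


def cvss9_plus(report):
    """The Day 6 triage order: every finding whose best CVSS v3 score is 9.0 or higher."""
    ids = []
    for _, v in _vulns(report):
        scores = [s.get("V3Score", 0) for s in (v.get("CVSS") or {}).values()]
        if scores and max(scores) >= 9.0:
            ids.append(v["VulnerabilityID"])
    return ids


def ci_exit_code(report):
    """1 fails the build, 0 passes; same idea as `--severity CRITICAL --ignore-unfixed --exit-code 1`."""
    return 1 if blocking_vulns(report) else 0


def unpinned_base_images(dockerfile: str) -> list:
    """FROM images that float on :latest or carry no tag; digests and earlier stages are fine."""
    stages, bad = set(), []
    for line in dockerfile.splitlines():
        parts = line.split()
        if len(parts) < 2 or parts[0].upper() != "FROM":
            continue
        args = [p for p in parts[1:] if not p.startswith("--")]  # drop --platform=...
        image = args[0]
        if len(args) >= 3 and args[1].upper() == "AS":
            stages.add(args[2])
        if image in stages or image == "scratch" or "@sha256:" in image:
            continue
        name = image.rsplit("/", 1)[-1]  # strip registry and namespace
        tag = name.split(":", 1)[1] if ":" in name else ""
        if tag in ("", "latest"):
            bad.append(image)
    return bad


# Constructed report shaped like `trivy image -f json` output; CVE ids are placeholders.
SAMPLE_REPORT = {
    "ArtifactName": "your-app:latest",
    "Results": [
        {"Target": "your-app:latest (debian 12)", "Vulnerabilities": [
            {"VulnerabilityID": "CVE-0000-00001", "PkgName": "libexample", "InstalledVersion": "1.0.0",
             "FixedVersion": "1.0.1", "Severity": "CRITICAL", "CVSS": {"nvd": {"V3Score": 9.8}}},
            {"VulnerabilityID": "CVE-0000-00002", "PkgName": "libother", "InstalledVersion": "2.3.0",
             "Severity": "CRITICAL", "CVSS": {"nvd": {"V3Score": 9.1}}},  # no fix available yet
            {"VulnerabilityID": "CVE-0000-00003", "PkgName": "libthird", "InstalledVersion": "0.9",
             "FixedVersion": "0.9.1", "Severity": "HIGH", "CVSS": {"nvd": {"V3Score": 7.5}}},
        ]},
        {"Target": "app/requirements.txt", "Vulnerabilities": [
            {"VulnerabilityID": "CVE-0000-00004", "PkgName": "somepkg", "InstalledVersion": "1.2",
             "FixedVersion": "1.3", "Severity": "CRITICAL", "CVSS": {"nvd": {"V3Score": 9.0}}},
        ]},
    ],
}

# Constructed Dockerfile with both floating and pinned base images.
SAMPLE_DOCKERFILE = """FROM python:latest AS build
FROM python
FROM python:3.11-slim
FROM build
FROM scratch
"""

if __name__ == "__main__":
    print("fix first:", cvss9_plus(SAMPLE_REPORT))
    print("blocks build:", blocking_vulns(SAMPLE_REPORT))
    print("exit code:", ci_exit_code(SAMPLE_REPORT))
    print("unpinned:", unpinned_base_images(SAMPLE_DOCKERFILE))
```

In a real pipeline the same policy needs no script at all: `trivy image --severity CRITICAL --ignore-unfixed --exit-code 1 your-app:latest` fails the build under exactly the `blocking_vulns` rule, and the JSON route is useful when you want the CVSS ordering or the Dockerfile check alongside it.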
The $0-$500/Month Tool Stack for SMBs
| Tool | Capability | Cost |
|---|---|---|
| SonarQube Community | SAST, code quality | $0 (self-host) |
| OWASP ZAP | DAST, automated scanning | $0 |
| Trivy | Container, dependency, IaC scanning | $0 |
| Postman | API design and testing | $0 (basic) |
| Snyk Team | SAST + SCA + container, unified | $25/dev/month (free for 1 dev) |
| Burp Suite Pro | Advanced DAST, manual testing | $449/year |
| Semgrep OSS | SAST with custom rules | $0 |
Most SMBs can start at $0 and upgrade when the business outgrows free limits. Even the $500/month tier costs less than one incident response.
What NIST and CIS Recommend
NIST SP 800-218, the Secure Software Development Framework, says prepare the organization, protect the software, produce well-secured software, and respond to vulnerabilities. SAST and DAST are part of the "produce" and "protect" phases. CIS Controls v8 maps SAST to Control 16 (Application Software Security), specifically requiring static and dynamic code analysis for applications handling sensitive data.
These are not aspirational guidelines. If you handle customer data, payment card information, or health records, scanning is a baseline expectation from your cyber insurer and from regulators.
FAQ
What if I have no source code access (SaaS or vendor-built app)? You skip SAST. Run DAST with ZAP against the staging or production environment (with permission). Many vendors allow security scanning in their terms of service. The scan finds misconfigurations and injection points you can report for remediation.
Our budget is zero. Can we still do this? Yes. SonarQube Community, OWASP ZAP, Trivy, and Postman are all free and run on a spare Linux machine. The only cost is your time. Block out one week. The quick wins, missing security headers and exposed admin panels, take hours to find and fix.
How often should we scan? DAST weekly against staging, SAST on every code commit. A one-time scan is worse than no scan; it gives false confidence. Automate the scans or schedule them in your calendar like a recurring meeting.
Our developers will fight this. How do we make it stick? Start with low-noise tools. SonarQube's quality profile can be tuned so the first run only flags Critical severity. Developers see clean code wins, not 5,000 warnings. Put the tool in their existing workflow (GitHub PR comments), not in a separate portal they never open.
Conclusion
The attackers scanning your app right now are not genius hackers. They are running scripts that check for missing patches and open admin endpoints. Your defense is cheap, automated, and achievable in a week. Start with SonarQube and ZAP tomorrow, scan your APIs on Wednesday, lock down your containers on Thursday, and automate everything on Friday.
Stop guessing whether your web app is secure. Scan it. Fix the critical findings. Then scan it again.
Visit lil.business/book for a free 30-minute cybersecurity assessment. We will walk through your web application stack, run an initial ZAP scan, and give you a prioritized remediation plan. No pitch, no upsell, just actionable security advice.
References
- OWASP Top 10:2025
- NIST SP 800-218 Secure Software Development Framework
- CIS Controls v8 - Control 16: Application Software Security
- Australian Cyber Security Centre (ACSC) - Essential Eight
- Snyk vs SonarQube Comparison (2026)
- OWASP ZAP - Getting Started
- Trivy - Container Vulnerability Scanner