TL;DR

Most web application attacks exploit well-known vulnerabilities that cheap, automated tools can catch today. You do not need a $50,000 security consultant. A combination of free SAST (code scanning), DAST (running application scanning), API testing, and container scanning can find and fix OWASP Top 10 risks before attackers do. This article gives you a one-week plan, real tool names, and costs from $0 to $500 per month.

The Problem: Your Software Has the Same Old Holes

Every business runs software, custom or off-the-shelf. Attackers do not write zero-day exploits for most SMB targets. They run automated scanners looking for missing patches, exposed admin panels, SQL injection points, and broken authentication. The OWASP Top 10 has barely changed in a decade because developers keep making the same mistakes, and businesses skip scanning because it sounds expensive.

It is not. You can scan your web app, your APIs, and your containers this week for free or less than $500 per month. This post shows you exactly what to do and what tools to use.

The One-Week AppSec Sprint

Day 1-2: SAST, Catch Vulnerabilities in Your Code

Static Application Security Testing (SAST) scans your source code before it runs. It finds injection flaws, hardcoded secrets, insecure deserialization, and other bugs from the OWASP Top 10 categories like Injection (A03:2021) and Cryptographic Failures (A02:2021).

What to use:

  • SonarQube Community Edition: $0, self-hosted. Scans 35+ languages. Install on a $20 VPS or your build server. Integrates with GitHub, GitLab, Bitbucket. It catches code smells and security hotspots together, which saves time.
  • Snyk Code: free tier for small teams (1 dev free, then $25/dev/month). It shows the data flow from user input to vulnerable function, making injection flaws obvious. The free tier covers SAST and open-source dependency scanning.

What to do:

  1. Install SonarQube Community on a Linux box (docker run sonarqube:community).
  2. Connect your main web app repository.
  3. Run the first scan. Do not fix all 1,000 issues. Sort by severity, fix Critical and Blocker items first.
  4. Enable a SonarQube quality gate in your CI pipeline so that new Critical issues fail the build.

Day 3-4: DAST, Hit Your Running App Like an Attacker

Dynamic Application Security Testing (DAST) scans your running application from the outside. It spiders your site, sends attack payloads, and reports what actually works. This covers Broken Access Control (A01:2021), Security Misconfiguration (A05:2021), and Cross-Site Scripting (A03:2025).

What to use:

  • OWASP ZAP: $0, open-source. Desktop GUI or headless in CI. The full scan finds SQLi, XSS, path traversal, and misconfigurations in 30-90 minutes. Use the "Ajax Spider" for JavaScript-heavy apps.
  • Burp Suite Community Edition: $0. Manual testing power tool, but the automated scanner is limited. Good for targeted checks on login pages and APIs.

What to do:

  1. Run ZAP Quick Start against your staging environment (never production on first scan).
  2. Fix all High and Critical alerts, especially anything with "SQL Injection" or "XSS".
  3. Set up ZAP Baseline Scan in your CI pipeline. It runs a passive scan on every deploy and fails the build if new high-confidence issues appear.
  4. Check your HTTP headers: curl -I https://yourapp.com. Missing Content-Security-Policy, X-Frame-Options, or X-Content-Type-Options? ZAP flags them. Add them.
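
The header check in step 4, as an added example that is not part of the original post or the ZAP project: it reads a raw response header block (what curl -I prints) from stdin and reports which of the three headers named above are missing, so it can run in CI against staging. The staging URL is a placeholder.

```shell
#!/bin/sh
# Added example (not from the original post or the ZAP project): check a raw
# HTTP response header block, as printed by `curl -I`, for the three defensive
# headers the post says ZAP flags when they are missing.

REQUIRED_HEADERS="content-security-policy x-frame-options x-content-type-options"

# Reads response headers on stdin. Prints each missing header name on its own
# line and returns the number of missing headers, so 0 means all are present.
missing_security_headers() {
    # header names are case-insensitive; strip CR so curl's CRLF output matches
    headers=$(tr -d '\r' | tr '[:upper:]' '[:lower:]')
    missing=0
    for name in $REQUIRED_HEADERS; do
        if ! printf '%s\n' "$headers" | grep -q "^$name:"; then
            echo "$name"
            missing=$((missing + 1))
        fi
    done
    return "$missing"
}

# Fetches live headers for one URL and runs the check. The URL is a placeholder;
# point it at staging, as the post advises for a first scan.
check_url_headers() {
    curl -sSI --max-time 10 "$1" | missing_security_headers
}

# Stand-alone usage: sh headers.sh https://staging.example.com
if [ -n "$1" ]; then
    if check_url_headers "$1"; then
        echo "all required security headers present"
    else
        echo "missing headers listed above; add them at the web server or framework"
    fi
fi
```

Because the exit status is the number of missing headers, a CI step that runs check_url_headers fails automatically whenever one is absent.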

Day 5: API Security, The Hidden Attack Surface

APIs are often less protected than the main web app. An exposed /api/v1/users that returns all user records because no authorization check exists is a Broken Access Control nightmare. The OWASP API Security Top 10 exists separately for this reason.

What to use:

  • Postman: $0 for API testing. Combine with OWASP ZAP as a proxy: Postman sends requests through ZAP, which identifies vulnerable endpoints.
  • Postman collections define every endpoint. Run them against staging, then review ZAP alerts.

What to do:

  1. List every API endpoint your business exposes (internal and external).
  2. For each endpoint, verify authentication is required. If an endpoint returns data without a valid token, that is a critical finding.
  3. Check that /api/admin endpoints are not exposed to the internet. Use a simple curl test to confirm.
  4. Test rate limiting: send 100 requests in 10 seconds to a login endpoint. No throttle? That is a brute-force vulnerability.
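
Steps 2 and 3 above as one script, added here as an example (not code from the original post): every endpoint on the list is requested with no credentials, and anything that answers 2xx is reported as a critical finding, which also catches /api/admin paths reachable from the internet. Hostnames are placeholders for your own staging environment.

```shell
#!/bin/sh
# Added example (not from the original post): audit a list of API endpoints for
# the Day 5 checks. Every URL is requested with no credentials; an endpoint that
# answers 2xx served data without a token, which the post calls a critical
# finding. Hostnames are placeholders for your own staging environment.

# Returns the HTTP status code of an unauthenticated GET. Kept as a separate
# function so the audit can be exercised offline by passing a stub in its place.
fetch_status() {
    curl -s -o /dev/null -w '%{http_code}' --max-time 10 "$1"
}

# Reads endpoint URLs on stdin, one per line (blank lines and lines starting
# with '#' are skipped). Prints one verdict per endpoint and returns the number
# of endpoints that served data without a token, so 0 means the list is clean.
audit_unauthenticated_access() {
    fetcher="${1:-fetch_status}"
    failures=0
    while IFS= read -r url; do
        case "$url" in ''|'#'*) continue ;; esac
        code=$("$fetcher" "$url")
        case "$code" in
            2*)      echo "FAIL $code $url (served without credentials)"
                     failures=$((failures + 1)) ;;
            401|403) echo "PASS $code $url" ;;
            *)       echo "INFO $code $url (not an auth rejection; review manually)" ;;
        esac
    done
    return "$failures"
}

# Stand-alone usage: sh audit.sh < endpoints.txt, where endpoints.txt lists every
# URL from step 1, including the /api/admin paths that must never answer 2xx
# from the internet.
```

An INFO line (for example a 404 or 500) is not a pass: a 404 may mean the path moved rather than that it is protected, so check those by hand.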

Day 6: Container Scanning and Dependency Checks

If you use Docker containers, your base images are full of known vulnerabilities. Attackers scan Docker Hub for outdated images. Trivy checks your containers and your application dependencies.

What to use:

  • Trivy: $0, open-source. Scans images, filesystems, and git repos. Run trivy image your-app:latest to see all CVEs.
  • Snyk Open Source: included in the free tier. Checks your package.json, requirements.txt, and pom.xml for known vulnerable libraries.

What to do:

  1. Scan your container images. Fix everything with CVSS 9.0+ first.
  2. Pin your base image tag: python:3.11-slim, not python:latest.
  3. Add Trivy to your CI: every image build fails if a critical CVE exists with a fix available.

The $0-$500/Month Tool Stack for SMBs

Tool                 | Capability                          | Cost
---------------------|-------------------------------------|--------------------------------
SonarQube Community  | SAST, code quality                  | $0 (self-host)
OWASP ZAP            | DAST, automated scanning            | $0
Trivy                | Container, dependency, IaC scanning | $0
Postman              | API design and testing              | $0 (basic)
Snyk Team            | SAST + SCA + container, unified     | $25/dev/month (free for 1 dev)
Burp Suite Pro       | Advanced DAST, manual testing       | $449/year
Semgrep OSS          | SAST with custom rules              | $0

Most SMBs can start at $0 and upgrade when the business outgrows free limits. Even the $500/month tier costs less than one incident response.

What NIST and CIS Recommend

NIST SP 800-218, the Secure Software Development Framework, says prepare the organization, protect the software, produce well-secured software, and respond to vulnerabilities. SAST and DAST are part of the "produce" and "protect" phases. CIS Controls v8 maps SAST to Control 16 (Application Software Security), specifically requiring static and dynamic code analysis for applications handling sensitive data.

These are not aspirational guidelines. If you handle customer data, payment card information, or health records, scanning is a baseline expectation from your cyber insurer and from regulators.

FAQ

What if I have no source code access (SaaS or vendor-built app)? You skip SAST. Run DAST with ZAP against the staging or production environment (with permission). Many vendors allow security scanning in their terms of service. The scan finds misconfigurations and injection points you can report for remediation.

Our budget is zero. Can we still do this? Yes. SonarQube Community, OWASP ZAP, Trivy, and Postman are all free and run on a spare Linux machine. The only cost is your time. Block out one week. The quick wins, missing security headers and exposed admin panels, take hours to find and fix.

How often should we scan? DAST weekly against staging, SAST on every code commit. A one-time scan is worse than no scan; it gives false confidence. Automate the scans or schedule them in your calendar like a recurring meeting.

Our developers will fight this. How do we make it stick? Start with low-noise tools. SonarQube's quality profile can be tuned so the first run only flags Critical severity. Developers see clean code wins, not 5,000 warnings. Put the tool in their existing workflow (GitHub PR comments), not in a separate portal they never open.

Conclusion

The attackers scanning your app right now are not genius hackers. They are running scripts that check for missing patches and open admin endpoints. Your defense is cheap, automated, and achievable in a week. Start with SonarQube and ZAP tomorrow, scan your APIs on Wednesday, lock down your containers on Thursday, and automate everything on Friday.

Stop guessing whether your web app is secure. Scan it. Fix the critical findings. Then scan it again.

Visit lil.business/book for a free 30-minute cybersecurity assessment. We will walk through your web application stack, run an initial ZAP scan, and give you a prioritized remediation plan. No pitch, no upsell, just actionable security advice.

References

  1. OWASP Top 10:2025
  2. NIST SP 800-218 Secure Software Development Framework
  3. CIS Controls v8 - Control 16: Application Software Security
  4. Australian Cyber Security Centre (ACSC) - Essential Eight
  5. Snyk vs SonarQube Comparison (2026)
  6. OWASP ZAP - Getting Started
  7. Trivy - Container Vulnerability Scanner
