TL;DR

Most businesses can improve application security this week without buying an enterprise platform: add SAST to code reviews, run DAST against staging, scan containers, and test APIs before release. Start with the OWASP Top 10, align your process with NIST SP 800-218, and use CIS Controls v8 as a checklist for turning security into repeatable business practice.

Start With the Real Business Risk

If your business runs a website, customer portal, booking system, ecommerce store, SaaS platform, or internal dashboard, application security is now business risk. Attackers do not need to “hack the network” if they can abuse a login form, exposed API endpoint, vulnerable dependency, or misconfigured container.

The practical goal is not perfection. The goal is to find common weaknesses before attackers do, fix the issues that create the most business impact, and make security checks part of normal delivery. For most SMBs, this can begin within a week using a mix of free and low-cost tools.

The OWASP Top 10 is the best starting point because it maps to the vulnerabilities attackers repeatedly exploit: broken access control, cryptographic failures, injection, insecure design, security misconfiguration, vulnerable components, authentication failures, integrity failures, logging gaps, and server-side request forgery. If your team has never audited the application against these categories, that is the first gap to close.

This week, assign an owner for application security, list your internet-facing applications and APIs, identify who can deploy code, and document how vulnerabilities are found, triaged, fixed, and retested. That simple operating rhythm matters as much as the scanning tool.

Add SAST and Dependency Scanning to Development

Static Application Security Testing, or SAST, checks source code before it reaches production. It helps detect insecure patterns such as SQL injection, hardcoded secrets, weak cryptography, unsafe deserialization, and missing input validation. For a business owner, the value is simple: SAST moves security earlier, when fixes are cheaper.
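The pattern SAST tools flag most often is query text built from user input. The following is an added example, not code from the article or from any of the tools it names: the vulnerable form beside its parameterized fix, run against a constructed in-memory SQLite table so the difference can be observed directly.

```python
"""
Added example, not code from the article: the pattern SAST tools flag as SQL
injection beside its fix, run against a constructed in-memory SQLite table.
"""
import sqlite3


def make_db():
    """Constructed sample data: an orders table for two customers."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE orders (id INTEGER, customer TEXT, total REAL)")
    conn.executemany(
        "INSERT INTO orders VALUES (?, ?, ?)",
        [(1, "alice", 40.0), (2, "alice", 12.5), (3, "bob", 99.0)],
    )
    return conn


def find_orders_unsafe(conn, customer):
    # Flagged by SAST: the caller-supplied value becomes part of the SQL text,
    # so a quote character in the input rewrites the WHERE clause.
    sql = f"SELECT id, customer, total FROM orders WHERE customer = '{customer}'"
    return conn.execute(sql).fetchall()


def find_orders_safe(conn, customer):
    # Fixed: the value is bound as a parameter. The statement text never
    # changes and the input is compared literally against the column.
    sql = "SELECT id, customer, total FROM orders WHERE customer = ?"
    return conn.execute(sql, (customer,)).fetchall()


def compare(customer):
    """Return how many rows each version yields for the same input."""
    conn = make_db()
    return {
        "unsafe": len(find_orders_unsafe(conn, customer)),
        "safe": len(find_orders_safe(conn, customer)),
    }


if __name__ == "__main__":
    print(compare("alice"))            # both versions: 2 rows
    print(compare("x' OR '1'='1"))     # unsafe returns every row, safe returns none
```

The fix is the same in every language and ORM: keep the statement text constant and pass values as bound parameters. A SAST rule that blocks merges on this pattern is a cheap, high-signal first gate.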

Useful tools include:

  • SonarQube: strong for code quality, security hotspots, maintainability, and developer workflows. Community Edition is free for many use cases; commercial tiers vary by lines of code and features.
  • Snyk Code and Snyk Open Source: useful for code scanning, dependency vulnerability checks, license risk, and pull request integration. SMB teams often start free, then move into paid tiers depending on developers and project count.
  • GitHub Advanced Security, GitLab security scanning, or Bitbucket integrations: worth considering if your team already lives in those platforms.

A practical setup for this week:

  1. Connect Snyk or SonarQube to your main repositories.
  2. Turn on pull request comments for new high-risk issues.
  3. Block merges only for critical issues at first, so the process does not overwhelm delivery.
  4. Create a weekly vulnerability review for anything not fixed immediately.
  5. Record exceptions with an expiry date and business owner approval.

Also scan open-source dependencies. Many breaches come from vulnerable packages rather than custom code. Snyk, Dependabot, GitLab Dependency Scanning, and similar tools can automatically raise pull requests when libraries need updates.

For most SMBs, budget $0-$500/month to get started. Free tiers are often enough for a small team trial. Paid tiers become useful when you need private repository coverage, team management, reporting, SSO, policy controls, or more frequent scans.

Run DAST Against Staging Before Attackers Run It Against Production

Dynamic Application Security Testing, or DAST, tests the running application from the outside. It behaves more like an attacker: crawling pages, submitting forms, checking headers, probing inputs, and looking for exposed weaknesses.

Useful tools include:

  • OWASP ZAP: free, open-source, excellent for baseline DAST scans and CI/CD automation.
  • Burp Suite Community Edition: free and useful for manual testing, request inspection, and learning how attackers interact with your app. Burp Suite Professional is paid and more powerful, but Community Edition is enough for many quick wins.
  • Hosted DAST features in Snyk, GitLab, or other platforms: useful when you want reporting and workflow integration.

This week, run OWASP ZAP against a staging environment. Do not point aggressive scans at production without planning, because automated testing can submit forms, trigger workflows, create test records, or stress fragile systems. Start with a baseline scan, review alerts, and fix obvious issues: missing security headers, weak TLS settings, exposed admin paths, verbose error messages, and reflected input problems.
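Most of the "obvious issues" a baseline scan reports are visible in the response headers alone. The checker below is an added example, not code from the article or from OWASP ZAP: it takes a list of (name, value) header pairs, the same shape that `http.client`'s `getheaders()` returns, and reports missing security headers, weak cookie flags, and server version disclosure. The sample response is constructed, and the finding codes are this example's own naming.

```python
"""
Added example, not code from the article or from OWASP ZAP: a checker for the
response-level findings a baseline DAST scan typically reports. SAMPLE_HEADERS
is a constructed response; finding codes are this example's own naming.
"""

REQUIRED_HEADERS = (
    "strict-transport-security",   # force HTTPS on later visits
    "content-security-policy",     # limit where scripts and resources load from
    "x-content-type-options",      # stop MIME sniffing (value should be "nosniff")
    "x-frame-options",             # block framing / clickjacking
    "referrer-policy",             # keep URLs out of third-party Referer headers
)
VERSION_LEAK_HEADERS = ("server", "x-powered-by")

# Constructed sample response: some headers present, some missing, one weak cookie.
SAMPLE_HEADERS = [
    ("Content-Type", "text/html; charset=utf-8"),
    ("Server", "nginx/1.18.0"),
    ("X-Frame-Options", "DENY"),
    ("X-Content-Type-Options", "nosniff"),
    ("Set-Cookie", "session=abc123; Path=/; HttpOnly"),
    ("Set-Cookie", "prefs=dark; Path=/; Secure; HttpOnly; SameSite=Lax"),
]


def parse_set_cookie(value):
    """Split a Set-Cookie value into (name, attributes); attribute names lowercased."""
    parts = [p.strip() for p in value.split(";") if p.strip()]
    name = parts[0].split("=", 1)[0].strip()
    attrs = {}
    for part in parts[1:]:
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip() if val else True
    return name, attrs


def check_cookie(name, attrs):
    findings = []
    if "secure" not in attrs:
        findings.append(f"cookie:{name}:missing-secure")     # may travel over plain HTTP
    if "httponly" not in attrs:
        findings.append(f"cookie:{name}:missing-httponly")   # readable by page scripts
    samesite = attrs.get("samesite")
    if not isinstance(samesite, str) or samesite.lower() not in ("strict", "lax"):
        findings.append(f"cookie:{name}:missing-samesite")   # sent on cross-site requests
    return findings


def check_response(headers):
    """headers: list of (name, value) pairs, e.g. http.client HTTPResponse.getheaders()."""
    findings = []
    present = {name.lower() for name, _ in headers}
    for required in REQUIRED_HEADERS:
        if required not in present:
            findings.append(f"missing-header:{required}")
    for name, value in headers:
        lname = name.lower()
        if lname in VERSION_LEAK_HEADERS and any(ch.isdigit() for ch in value):
            findings.append(f"version-disclosure:{lname}")
        elif lname == "x-content-type-options" and value.strip().lower() != "nosniff":
            findings.append("weak-header:x-content-type-options")
        elif lname == "set-cookie":
            findings.extend(check_cookie(*parse_set_cookie(value)))
    return findings


if __name__ == "__main__":
    for finding in check_response(SAMPLE_HEADERS):
        print(finding)
```

Run it against your staging site's real headers after each deployment and treat any new finding as a regression; the point is not to replace ZAP but to make these specific checks fast and repeatable.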

A sensible SMB DAST rhythm is:

  • Baseline scan on every staging deployment.
  • Deeper authenticated scan weekly or before major releases.
  • Manual Burp Suite review for login, payment, booking, account settings, file upload, and admin workflows.
  • Retest after fixes, not just after the next release.

DAST will not find everything. It may miss authorization flaws, business logic issues, and hidden APIs. But it gives fast visibility into mistakes that are visible from the internet.

Lock Down APIs and Containers

APIs are often where business risk concentrates. They connect your web app, mobile app, CRM, payment provider, marketing tools, AI workflows, and internal systems. A single broken authorization check can expose customer data even when the user interface looks secure.

This week, create an API inventory. Include public APIs, internal APIs, webhook endpoints, mobile app endpoints, third-party integrations, and admin endpoints. For each API, document authentication, authorization, data sensitivity, rate limits, logging, and owner.

Use Postman to build a small API security test collection. Include tests for:

  • Unauthenticated access to protected endpoints.
  • Accessing another customer’s records by changing IDs.
  • Missing rate limits on login, search, and export functions.
  • Excessive data returned in API responses.
  • Weak error messages that reveal stack traces or internal IDs.
  • Unsafe file upload and import endpoints.
  • Token expiry, refresh, and revocation behavior.
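The most important items in that list are the authorization ones, so here is an added example (not code from the article, and not a Postman collection) showing the bug those checks are designed to catch: a record endpoint that authenticates the caller but trusts the ID in the request, beside the fixed version, with the checks from the list above written as plain Python pass/fail results and a small login rate limiter. Tokens, users and records are constructed sample data; a real collection sends HTTP requests to your API instead of calling these functions.

```python
"""
Added example, not code from the article: a broken and a fixed record handler
for an in-memory API, the checks above expressed as pass/fail results, and a
fixed-window login limiter. All users, tokens and records are constructed.
"""

NOW = 1_700_000_000   # constructed "current time" so the example is deterministic

TOKENS = {
    "tok-alice": {"user": "alice", "expires": NOW + 3600},
    "tok-bob":   {"user": "bob",   "expires": NOW + 3600},
    "tok-stale": {"user": "bob",   "expires": NOW - 1},     # already expired
}

RECORDS = {
    101: {"owner": "alice", "title": "Invoice 101", "card_last4": "4242", "margin": 0.31},
    102: {"owner": "bob",   "title": "Invoice 102", "card_last4": "1111", "margin": 0.27},
}
PUBLIC_FIELDS = ("title", "card_last4")   # what a client actually needs


def authenticate(token, now=NOW):
    entry = TOKENS.get(token)
    if entry is None or entry["expires"] <= now:
        return None
    return entry["user"]


def get_record_broken(token, record_id, now=NOW):
    # Broken: authenticates the caller, then trusts the ID from the URL.
    # Any logged-in user can read any record, and internal fields leak too.
    if authenticate(token, now) is None:
        return 401, {"error": "authentication required"}
    record = RECORDS.get(record_id)
    if record is None:
        return 404, {"error": "not found"}
    return 200, dict(record)


def get_record_fixed(token, record_id, now=NOW):
    user = authenticate(token, now)
    if user is None:
        return 401, {"error": "authentication required"}
    record = RECORDS.get(record_id)
    # Object-level check: the record must belong to the caller. Answering 404
    # for both "missing" and "not yours" avoids confirming that an ID exists.
    if record is None or record["owner"] != user:
        return 404, {"error": "not found"}
    # Return only the fields the client needs, not the stored object.
    return 200, {k: record[k] for k in PUBLIC_FIELDS}


def run_checks(handler):
    """The checks an API security collection would make, as pass/fail results."""
    results = {}
    results["unauthenticated_rejected"] = handler("", 101)[0] == 401
    results["expired_token_rejected"] = handler("tok-stale", 102)[0] == 401
    status, _ = handler("tok-bob", 101)          # bob asks for alice's record
    results["cross_customer_blocked"] = status != 200
    status, body = handler("tok-alice", 101)     # alice asks for her own
    results["owner_can_read"] = status == 200
    results["no_excess_data"] = status == 200 and "margin" not in body
    return results


class LoginLimiter:
    """Sliding-window limit on login attempts per source address."""

    def __init__(self, limit=5, window=60):
        self.limit, self.window, self.hits = limit, window, {}

    def allow(self, ip, now):
        recent = [t for t in self.hits.get(ip, []) if now - t < self.window]
        recent.append(now)                # rejected attempts count too
        self.hits[ip] = recent
        return len(recent) <= self.limit


if __name__ == "__main__":
    print("broken:", run_checks(get_record_broken))
    print("fixed: ", run_checks(get_record_fixed))
```

Keep the same checks in your Postman collection and run them on every release: the broken handler passes the authentication checks and fails only the object-level ones, which is exactly why an authentication-only test suite gives false confidence.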

For containers, add Trivy to your workflow. Trivy can scan container images, file systems, infrastructure-as-code, Kubernetes manifests, and dependencies. A practical first step is to scan every production container image and fail builds on critical vulnerabilities with available fixes. If that creates too many alerts, start by reporting only, then move to enforcement once the team understands the baseline.
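The "fail on critical with a fix, report-only first" rule is a policy decision, so it is worth holding it in one small script rather than scattered CI flags. The following is an added example, not code from the article or from Trivy: a build gate over a Trivy JSON report that also honours time-limited exceptions with a named owner, as the SAST section recommends. The report is constructed sample data with placeholder IDs (CVE-0000-000N) shaped like the `Results` / `Vulnerabilities` entries of Trivy's JSON output; that shape is an assumption to verify against a report from your own `trivy image --format json --output report.json IMAGE` run.

```python
"""
Added example, not code from the article or from Trivy: a build gate over a
Trivy JSON report. SAMPLE_REPORT is constructed data with placeholder IDs and
assumes Trivy's Results / Vulnerabilities / Severity / FixedVersion fields.
"""
import json

SAMPLE_REPORT = json.dumps({
    "ArtifactName": "example.local/shop-api:1.4.2",          # constructed image name
    "Results": [
        {"Target": "example.local/shop-api:1.4.2 (debian 12.4)",
         "Vulnerabilities": [
             {"VulnerabilityID": "CVE-0000-0001", "PkgName": "libexample",
              "InstalledVersion": "1.0.0", "FixedVersion": "1.0.1", "Severity": "CRITICAL"},
             {"VulnerabilityID": "CVE-0000-0002", "PkgName": "libother",
              "InstalledVersion": "2.3.0", "FixedVersion": "", "Severity": "CRITICAL"},
             {"VulnerabilityID": "CVE-0000-0003", "PkgName": "zlibish",
              "InstalledVersion": "1.2", "FixedVersion": "1.3", "Severity": "HIGH"},
         ]},
        {"Target": "app/requirements.txt",
         "Vulnerabilities": [
             {"VulnerabilityID": "CVE-0000-0004", "PkgName": "somepkg",
              "InstalledVersion": "0.9", "FixedVersion": "1.0", "Severity": "MEDIUM"},
         ]},
    ],
})


def load_findings(report_json):
    """Flatten a Trivy report into one dict per vulnerability."""
    report = json.loads(report_json)
    findings = []
    for result in report.get("Results", []):
        for vuln in result.get("Vulnerabilities") or []:   # key may be null when clean
            findings.append({
                "id": vuln["VulnerabilityID"],
                "target": result.get("Target", ""),
                "pkg": vuln.get("PkgName", ""),
                "installed": vuln.get("InstalledVersion", ""),
                "fixed": vuln.get("FixedVersion", ""),
                "severity": vuln.get("Severity", "UNKNOWN"),
            })
    return findings


def evaluate(findings, today, enforce=True, exceptions=None,
             fail_on=("CRITICAL",), ignore_unfixed=True):
    """
    today:      ISO date string (YYYY-MM-DD), passed in so runs are reproducible.
    enforce:    False = report-only rollout; True = fail the build on blocking items.
    exceptions: {vuln id: {"owner": ..., "expires": "YYYY-MM-DD"}}; expired ones lapse.
    """
    exceptions = exceptions or {}
    blocking, reported = [], []
    for f in findings:
        gated = f["severity"] in fail_on and (bool(f["fixed"]) or not ignore_unfixed)
        exc = exceptions.get(f["id"])
        if gated and exc and exc["expires"] >= today:    # ISO dates compare as strings
            reported.append({**f, "exception_owner": exc["owner"]})
        elif gated:
            blocking.append(f)
        else:
            reported.append(f)
    return {"fail": enforce and bool(blocking), "blocking": blocking, "reported": reported}


def summary(result):
    verdict = "FAIL" if result["fail"] else "PASS"
    lines = [f"{verdict}: {len(result['blocking'])} blocking, {len(result['reported'])} reported"]
    for f in result["blocking"]:
        lines.append(f"  BLOCK {f['id']} {f['pkg']} {f['installed']} -> {f['fixed']} ({f['target']})")
    return "\n".join(lines)


if __name__ == "__main__":
    findings = load_findings(SAMPLE_REPORT)
    print(summary(evaluate(findings, today="2026-01-15", enforce=False)))   # week one: report only
    print(summary(evaluate(findings, today="2026-01-15", enforce=True)))    # later: enforce
```

Exit non-zero from the CI job when `result["fail"]` is true. Keeping `exceptions` in a version-controlled file gives the weekly vulnerability review a single place to see which waivers are about to lapse.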

API security also needs logging. If you cannot answer “who accessed what data, from where, and when?”, incident response becomes guesswork. Log authentication events, authorization failures, admin actions, exports, failed validation, and suspicious rate-limit activity.
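To make the "who accessed what data, from where, and when" question answerable, each API request needs one structured event with a stable set of fields. The following is an added example, not code from the article: a writer for such events as JSON lines, and a few queries over a constructed batch of them that produce an access trail for a resource, surface users with repeated authorization failures (a sign of ID probing), and find bursts of failed logins from one address. Event and field names are this example's own choice.

```python
"""
Added example, not code from the article: JSON-lines audit events for an API
and small queries over a constructed batch of them. Names are illustrative.
"""
import json
from collections import defaultdict
from datetime import datetime, timezone


def log_event(event, user, src_ip, resource=None, status=200, ts=None):
    """Return one JSON line; write it to your application log or SIEM pipeline."""
    record = {
        "ts": ts or datetime.now(timezone.utc).isoformat(),
        "event": event,      # auth.login, auth.failed, authz.denied, data.read,
        "user": user,        #   data.export, admin.action, validation.failed
        "src_ip": src_ip,
        "resource": resource,
        "status": status,
    }
    return json.dumps(record, separators=(",", ":"))


# Constructed sample log: one normal user, one user probing other customers'
# records, and one source address hammering the login endpoint.
SAMPLE_LOG = "\n".join([
    log_event("auth.login", "alice", "203.0.113.10", "/login", 200, "2026-03-02T09:00:01+00:00"),
    log_event("data.read", "alice", "203.0.113.10", "/customers/101", 200, "2026-03-02T09:00:05+00:00"),
    log_event("data.export", "alice", "203.0.113.10", "/customers/export", 200, "2026-03-02T09:01:10+00:00"),
    log_event("authz.denied", "bob", "198.51.100.7", "/customers/101", 404, "2026-03-02T09:02:00+00:00"),
    log_event("authz.denied", "bob", "198.51.100.7", "/customers/103", 404, "2026-03-02T09:02:01+00:00"),
    log_event("authz.denied", "bob", "198.51.100.7", "/customers/105", 404, "2026-03-02T09:02:02+00:00"),
    *[log_event("auth.failed", "carol", "192.0.2.44", "/login", 401,
                f"2026-03-02T09:10:{5 * i:02d}+00:00") for i in range(6)],
    log_event("admin.action", "admin", "203.0.113.10", "/admin/users/bob/disable", 200,
              "2026-03-02T09:30:00+00:00"),
])


def parse_events(text):
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def access_trail(events, resource):
    """Who touched this resource, from where, when, and with what outcome."""
    return [(e["ts"], e["user"], e["src_ip"], e["event"], e["status"])
            for e in events if e["resource"] == resource]


def denial_counts(events, threshold):
    """Users with at least `threshold` authorization failures."""
    counts = defaultdict(int)
    for e in events:
        if e["event"] == "authz.denied":
            counts[e["user"]] += 1
    return {user: n for user, n in counts.items() if n >= threshold}


def failed_login_bursts(events, threshold, window_seconds):
    """Source addresses with more than `threshold` failed logins inside any window."""
    by_ip = defaultdict(list)
    for e in events:
        if e["event"] == "auth.failed":
            by_ip[e["src_ip"]].append(datetime.fromisoformat(e["ts"]))
    flagged = {}
    for ip, times in by_ip.items():
        times.sort()
        peak = 0
        for i, start in enumerate(times):   # sliding window over sorted timestamps
            count = sum(1 for t in times[i:] if (t - start).total_seconds() <= window_seconds)
            peak = max(peak, count)
        if peak > threshold:
            flagged[ip] = peak
    return flagged


if __name__ == "__main__":
    events = parse_events(SAMPLE_LOG)
    for row in access_trail(events, "/customers/101"):
        print(row)
    print("denials:", denial_counts(events, threshold=3))
    print("login bursts:", failed_login_bursts(events, threshold=5, window_seconds=60))
```

The queries are deliberately simple; what makes them possible is the logging discipline, namely one event per request with user, source address, resource and outcome always present. Missing any of those fields turns the incident timeline back into guesswork.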

Build a One-Week Application Security Plan

Use NIST SP 800-218, the Secure Software Development Framework, as the operating model: prepare the organization, protect the software, produce well-secured software, and respond to vulnerabilities. Use CIS Controls v8 to turn that into governance, especially around vulnerability management, access control, audit logs, secure configuration, and application software security.

Here is a realistic one-week plan:

Day 1: Inventory applications, APIs, repositories, deployment pipelines, containers, and owners. Identify the top three business-critical systems.

Day 2: Enable SAST and dependency scanning with Snyk, SonarQube, Dependabot, or your existing Git platform. Triage critical and high findings.

Day 3: Run OWASP ZAP baseline scans against staging. Capture missing headers, exposed paths, insecure cookies, and obvious injection risks.

Day 4: Build a Postman collection for key API workflows. Test authentication, authorization, rate limits, and cross-customer access.

Day 5: Run Trivy against production container images and deployment manifests. Prioritize critical vulnerabilities with known fixes.

Day 6: Review OWASP Top 10 coverage. Focus first on broken access control, injection, vulnerable components, authentication failures, and security misconfiguration.

Day 7: Create a remediation board with owners, severity, due dates, retest steps, and exception expiry dates.

Quick-win checklist:

  • Are admin pages protected by MFA?
  • Are secrets removed from source code and build logs?
  • Are dependencies updated and monitored?
  • Are security headers configured?
  • Are cookies marked Secure, HttpOnly, and SameSite?
  • Are API endpoints protected by object-level authorization?
  • Are staging and production separated?
  • Are error messages safe for public users?
  • Are containers scanned before deployment?
  • Are vulnerability fixes retested before closure?

FAQ

Many SMBs can start at $0 using OWASP ZAP, Burp Suite Community Edition, Trivy, Dependabot, free SonarQube Community Edition, and limited free tiers from vendors such as Snyk. A practical SMB budget is usually $0-$500/month for early-stage coverage, depending on private repositories, user count, reporting needs, and CI/CD integrations.

Start with both, but keep the rollout simple. Add SAST and dependency scanning to pull requests so new issues are caught early, then run DAST against staging to find externally visible weaknesses. SAST helps developers fix code; DAST shows what an attacker can see.

Prioritize broken access control, injection, vulnerable and outdated components, authentication failures, and security misconfiguration. These are common, high-impact, and often fixable with better authorization checks, safer queries, patching, MFA, secure headers, and hardened deployment settings.

No. Scanners are essential for continuous coverage, but they miss business logic flaws, complex authorization problems, and chained attacks. Use automated scanning every week, then schedule manual testing for major releases, sensitive workflows, and systems handling customer, payment, health, legal, or operational data.

Conclusion

Application security does not need to begin with a six-month transformation program. This week, inventory your applications and APIs, enable SAST and dependency scanning, run OWASP ZAP against staging, test critical APIs in Postman, scan containers with Trivy, and prioritize fixes against the OWASP Top 10.

The businesses that improve fastest are the ones that make security repeatable: every release gets scanned, every serious issue has an owner, every exception expires, and every fix is retested. Visit consult.lil.business for a free cybersecurity assessment and a practical review of your application security posture.

References

  1. OWASP Top 10
  2. NIST SP 800-218 Secure Software Development Framework
  3. CIS Controls v8
  4. OWASP Zed Attack Proxy Project
  5. Trivy Vulnerability Scanner Documentation

TL;DR

  • The U.S. government just banned foreign-made routers from being sold in America because hackers were using them to break into networks [1].
  • Almost all routers — even ones from American companies — are built overseas, so this affects the whole industry [1].
  • Government hackers from China used compromised routers to spy on phone companies and attack Microsoft's customers [2] [3].
  • Your current router is fine to keep, but now is the time to check whether it is up to date and secure.

What Is a Router and Why Does It Matter?

Your router is like the front door to your business's internet connection. Every email, every file, every video call, every payment — it all flows through that one small box sitting in the corner of your office.

If someone takes control of your router, they can see everything that passes through it. They can redirect your web traffic, steal passwords, or use your connection to attack other businesses — all without you knowing.

What Did the FCC Do?

The FCC — the U.S. agency that regulates communications technology — just said: no more foreign-made routers can be imported into America unless the manufacturer proves they are safe [1].

The reason is simple. Government investigators found that hackers — specifically groups working for the Chinese government — had been breaking into foreign-made routers and using them as secret tunnels to spy on American companies and government agencies [2].

Think of it like discovering that a popular brand of door locks had a hidden master key that burglars were using. The government decided to stop selling those locks until the problem is fixed.

How Were Hackers Using Routers?

Three major incidents pushed the FCC to act:

Spying on phone companies. A group called Salt Typhoon used compromised routers to break into U.S. telecommunications companies and listen in on calls and messages [2].

Attacking Microsoft customers. Another group called Storm-0940 built a network of thousands of hacked routers and used them to try millions of password combinations against Microsoft customers' accounts [3].

Building robot armies. The FBI found that foreign-made routers had been turned into "botnets" — networks of hijacked devices that attackers control remotely to overwhelm websites and services [4].

Does This Affect My Business?

If you are in the U.S., this ban affects what routers you can buy in the future. If you are in Australia or elsewhere, the ban itself does not apply — but the security risks absolutely do. The same routers with the same vulnerabilities are sold worldwide.

According to security researchers, 70% of small business routers are running outdated software with known security holes [5]. That is like leaving your front door unlocked every night and hoping nobody tries the handle.

The Australian Signals Directorate has specifically warned that network devices are "a primary target" for both government hackers and criminal groups [6].

What Should You Do Right Now?

1. Check your router's firmware. Log into your router (usually by typing 192.168.1.1 or 192.168.0.1 in your web browser) and look for a firmware update option. If an update is available, install it.

2. Change the default password. If you have never changed your router's admin password from the one it came with, do it today. This is the single most impactful thing you can do.

3. Find out how old your router is. If your router is more than five years old, it probably does not get security updates anymore. That means known vulnerabilities will never be fixed. Plan to replace it.

4. Ask your IT provider. If someone manages your IT, ask them: "When was the last time our router firmware was updated?" If they do not know, that is a problem.

The Simple Takeaway

Your router is the most important — and most ignored — security device in your business. Whether or not the FCC ban affects you directly, the underlying lesson applies everywhere: know what is connecting your business to the internet, keep it updated, and replace it when it is past its use-by date.

Strong foundations make for strong businesses. A $200 investment in a modern, automatically-updating router is one of the highest-value security improvements any small business can make.

FAQ

Yes. The ban only applies to new routers being imported into the U.S. for sale. Your existing router is not affected. However, check if it still receives firmware updates — if it does not, plan to replace it.

Almost all of them. TP-Link, Netgear, ASUS, D-Link — even American companies manufacture their routers overseas. The ban affects any router made outside the U.S. unless the manufacturer gets a special exemption [1].

Check three things: (1) Is the firmware up to date? (2) Have you changed the default admin password? (3) Is remote management turned off? If you can answer yes to all three, your router is in better shape than most.

A botnet is a network of hijacked devices — like routers, cameras, or computers — that a hacker controls remotely. They use these networks to overwhelm websites with traffic (DDoS attacks), try millions of stolen passwords (credential stuffing), or hide their real location when hacking other targets [4].

References

[1] S. Smalley, "FCC bans foreign-made routers from US market over 'unacceptable risk'," The Record by Recorded Future, Mar. 25, 2026. [Online]. Available: https://therecord.media/fcc-routers-banned-security-china

[2] Federal Communications Commission, "National Security Determination — Routers," FCC, Mar. 20, 2026. [Online]. Available: https://www.fcc.gov/sites/default/files/NSD-Routers0326.pdf

[3] Microsoft Threat Intelligence, "Chinese threat actor Storm-0940 uses credentials from password spray attacks from a covert network," Microsoft Security Blog, Oct. 2024. [Online]. Available: https://www.microsoft.com/en-us/security/blog/2024/10/31/chinese-threat-actor-storm-0940-uses-credentials-from-password-spray-attacks-from-a-covert-network/

[4] FBI, CNMF, and NSA, "PRC-Linked Actors Botnet Assessment," Department of Defense, Sep. 2024. [Online]. Available: https://media.defense.gov/2024/Sep/18/2003547016/-1/-1/0/CSA-PRC-LINKED-ACTORS-BOTNET.PDF

[5] Cisco Talos, "Small Business Router Security Report 2025," Cisco Talos Intelligence Group, 2025. [Online]. Available: https://blog.talosintelligence.com/small-business-router-security/

[6] Australian Signals Directorate, "Annual Cyber Threat Report 2024-2025," ASD, 2025. [Online]. Available: https://www.cyber.gov.au/about-us/reports-and-statistics/annual-cyber-threat-report

[7] IBM Security, "Cost of a Data Breach Report 2025," IBM, 2025. [Online]. Available: https://www.ibm.com/reports/data-breach

[8] NIST, "Guide to Enterprise Patch Management Planning," NIST SP 800-40 Rev 4, 2022. [Online]. Available: https://csrc.nist.gov/publications/detail/sp/800-40/rev-4/final

