Welcome to Hardenize!

We'd like to show you an early version of a new tool we're working on. As you're playing with it, please remember this:

  • Ignore any bugs you encounter. This is only a proof-of-concept release that we will be refining in the following months.
  • We wanted to show the wide range of functionality that we want to cover, but most of the tests we have today are incomplete.
  • This is just our public report; our commercial product will reuse the core technology, but it will focus on continuous assessment and collaborative features.

The problem we want to solve is this...

Less than 1% of all web sites use modern security features

Whichever way you look at it, there are many effective security technologies that we can use today, and yet only a small number of deployments do.

WHOIS, DNS, DNSSEC, DANE, CAA, SMTP, STARTTLS, CAs, X.509, SPF, DKIM, DMARC, IPv4, IPv6, HTTP/2, SSL, TLS, HSTS, CSP, HPKP, RC4, SHA, cookies, mixed content, SRI, privacy, ...

As it stands today, security is too complex

Few people can dedicate themselves to understanding all of these technologies individually, let alone how they work together.

As a result, we have to work hard to secure systems only after they have been deployed. This approach is not only inefficient, but also doesn't work very well. We need to try something else.

Hardenize helps organizations deploy the latest security standards

Our goal is to build security in, engage developers and system administrators from the start, and make security fun.

Thank you!

Please have a look around and let us know what you think.

Hardenize Roadmap

Current status: Alpha

We’re currently reasonably happy with the report design, user interface, and overall usability. Although we’re planning to continue with UI improvements in the future, our primary focus now is on improving the assessments. Most tests we’re currently showing need further refinement. We’re planning additional tests, but generally not until we substantially improve the ones that are already covered.

In parallel, we’re working on our “real” application. What you can see now is our public report, which sacrifices detail for brevity. Our complete application will provide much more detail as well as support continuous assessment and reporting.

Version 1.0 Alpha (Almost done!)

In this section you can see the implementation status of our assessment features. Our plan is to stay in alpha until all the features listed below are implemented. Once in beta, we will continue to polish the user interface and start to work on our grading algorithm.

Domain
  • Name servers: Show the name server configuration obtained during assessment. [Completed]
  • DNSSEC: In this first release, we're testing if DNSSEC is supported and correctly configured. [Completed]
  • CAA: Show CAA configuration for the domain name. [Completed]

Email
  • TLS: Thorough TLS assessment: supported protocols, cipher suites, and order preference. [Completed]
  • Certificates: Show all certificates used for SMTP. [Completed]
  • DANE: Show DANE information for SMTP. Verify configuration and show pinned certificates. [Completed]
  • SPF: Fetch, validate, and display SPF policy. At the moment, we're showing only the main SPF configuration; we will recursively fetch all referenced policies and provide configuration advice. [Completed]
  • DMARC: Fetch, validate, and display DMARC policy. [Completed]

WWW
  • HTTP (80): Show full HTTP transaction information, including redirects. [Completed]
  • HTTPS (443): Show full HTTP transaction information, including redirects. [Completed]
  • TLS: Thorough TLS assessment: supported protocols, cipher suites, order preference, etc. [Completed]
  • Certificates: Show all certificates used for HTTP. Need better indication of self-signed certificates as well as better presentation of the root store tests. [Completed]
  • DANE: Show DANE information for HTTP. Verify configuration and show pinned certificates. [Completed]
  • Cookies: Show all cookies. Detect insecure session cookies. Planning to add support for same-site cookies and name prefixes. [Completed]
  • Mixed content: Inspect web page HTML to detect mixed content. [Completed]
  • HSTS: Fetch, validate, and display active HSTS policy. Check if the hostname is preload-ready. Check for preloading, including the waiting list. Check for inconsistent HSTS policies and policies delivered over plaintext. [Completed]
  • HPKP: Fetch, validate, and display HPKP policy. Show pinned certificates. [Completed]
  • CSP: Fetch, validate, and display all provided CSP policies. [Completed]
  • Subresource Integrity: Inspect web page HTML to discover remote resources. Detect and validate SRI usage. [Completed]
  • Frame Options: Show and check the X-Frame-Options header. [Completed]
  • XSS Protection: Show and check the X-XSS-Protection header. [Completed]
  • Content Type Options: Show and check the X-Content-Type-Options header. [Completed]
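As an added illustration of the HSTS checks listed above (validate the policy, decide whether the hostname is preload-ready, and flag a policy delivered over plaintext), here is a small Python checker; it is not Hardenize's code, and the one-year max-age threshold is an assumption taken from the current hstspreload.org submission requirements rather than from this page.

```python
from __future__ import annotations
from dataclasses import dataclass, field

PRELOAD_MIN_MAX_AGE = 31536000  # assumption: one year, per hstspreload.org's current rules

@dataclass
class HstsPolicy:
    max_age: int | None = None
    include_subdomains: bool = False
    preload: bool = False
    errors: list[str] = field(default_factory=list)

def parse_hsts(header: str) -> HstsPolicy:
    """RFC 6797 s6.1: ';'-separated directives, case-insensitive names,
    max-age may be quoted, duplicates are invalid, unknown names are ignored."""
    p, seen = HstsPolicy(), set()
    for raw in filter(str.strip, header.split(";")):  # skip empty segments
        name, _, value = raw.partition("=")
        name, value = name.strip().lower(), value.strip().strip('"')
        if name in seen:
            p.errors.append(f"duplicate directive: {name}")
            continue
        seen.add(name)
        if name == "max-age":
            if value.isdigit():
                p.max_age = int(value)
            else:
                p.errors.append(f"invalid max-age value: {value!r}")
        elif name == "includesubdomains":
            p.include_subdomains = True
        elif name == "preload":
            p.preload = True
    if p.max_age is None:
        p.errors.append("missing required max-age directive")
    return p

def preload_ready(p: HstsPolicy) -> list[str]:
    """Reasons the policy is not preload-ready; an empty list means ready."""
    reasons = list(p.errors)
    if p.max_age is not None and p.max_age < PRELOAD_MIN_MAX_AGE:
        reasons.append(f"max-age {p.max_age} is below {PRELOAD_MIN_MAX_AGE}")
    if not p.include_subdomains:
        reasons.append("includeSubDomains directive missing")
    if not p.preload:
        reasons.append("preload directive missing")
    return reasons

def check_delivery(scheme: str, header: str) -> list[str]:
    """RFC 6797 s8.1: browsers ignore an HSTS header received over plaintext HTTP."""
    return ["HSTS policy delivered over plaintext HTTP is ignored"] if scheme == "http" and header else []
```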

Version 1.0 Beta

Once in beta, we expect to give access to Hardenize to wider audiences. We will then focus on the following aspects of the product:

  • Fine-tuning of the assessments
  • User interface polish
  • Quality control and regression testing
  • Development of grading criteria
  • Documentation (e.g., remediation guidance)