MikeL

Posted on • Originally published at detectzestack.fly.dev

Security Audit Any Website's Dependencies with CPE Data

Every technology on a website is a potential attack surface. An outdated jQuery version, an unpatched WordPress plugin, a web server with a known CVE — these are the entry points attackers look for.

The problem is visibility. How do you know what technologies a website runs, and which have known vulnerabilities?

DetectZeStack returns CPE (Common Platform Enumeration) identifiers for every detected technology. CPE is the standard naming scheme used by NIST's National Vulnerability Database (NVD) to link software products to their known vulnerabilities (CVEs).

How CPE-Based Security Auditing Works

  1. Detect technologies — scan a website to identify all tech
  2. Extract CPE IDs — each technology includes its CPE identifier
  3. Query NVD — look up each CPE for known CVEs
  4. Assess risk — prioritize by CVSS score

Step 1: Detect Technologies with CPE Data

curl -s "https://detectzestack.fly.dev/analyze?url=example.com" \
  -H "X-Api-Key: YOUR_KEY" | jq '.technologies[] | {name, cpe}'

Example response:

[
  { "name": "Nginx", "cpe": "cpe:2.3:a:f5:nginx:*:*:*:*:*:*:*:*" },
  { "name": "jQuery", "cpe": "cpe:2.3:a:jquery:jquery:*:*:*:*:*:*:*:*" },
  { "name": "WordPress", "cpe": "cpe:2.3:a:wordpress:wordpress:*:*:*:*:*:*:*:*" }
]

What's a CPE? It's a structured naming scheme for IT products. cpe:2.3:a:wordpress:wordpress:* means "application, vendor wordpress, product wordpress, any version." The NVD uses CPEs to link products to CVE entries.
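The parsing rules behind that reading, as an added example that is not code from the post or from DetectZeStack: it splits a CPE 2.3 formatted string into its eleven components (honouring backslash-escaped colons, which the binding requires inside a value), renders the same plain-English description, and narrows a wildcard CPE to a detected version. That last step matters for the NVD lookup that follows: a "*" in the version field matches every release of the product, so the query returns CVEs that newer versions fixed long ago. Function and constant names are my own.

```python
import re

# The eleven components that follow the "cpe:2.3" prefix, in order
CPE_FIELDS = [
    "part", "vendor", "product", "version", "update", "edition",
    "language", "sw_edition", "target_sw", "target_hw", "other",
]
PART_NAMES = {"a": "application", "o": "operating system", "h": "hardware"}

# Split on colons that are not escaped with a backslash
_UNESCAPED_COLON = re.compile(r"(?<!\\):")


def parse_cpe(cpe):
    """Parse a CPE 2.3 formatted string into a dict of its eleven components."""
    parts = _UNESCAPED_COLON.split(cpe)
    if len(parts) != 13 or parts[0] != "cpe" or parts[1] != "2.3":
        raise ValueError(f"not a CPE 2.3 formatted string: {cpe!r}")
    return dict(zip(CPE_FIELDS, parts[2:]))


def format_cpe(fields):
    """Rebuild the formatted string from a dict of components."""
    return "cpe:2.3:" + ":".join(fields[name] for name in CPE_FIELDS)


def describe_cpe(cpe):
    """Plain-English reading of a CPE, in the same form as the post's explanation."""
    f = parse_cpe(cpe)
    part = PART_NAMES.get(f["part"], f["part"])
    version = "any version" if f["version"] == "*" else f"version {f['version']}"
    return f"{part}, vendor {f['vendor']}, product {f['product']}, {version}"


def with_version(cpe, version):
    """Narrow a wildcard CPE to one release. A colon inside the version would
    shift every later component, so it is escaped as the CPE 2.3 binding requires."""
    fields = parse_cpe(cpe)
    fields["version"] = version.replace(":", r"\:")
    return format_cpe(fields)


if __name__ == "__main__":
    # Constructed input: the jQuery CPE from the post's example response
    cpe = "cpe:2.3:a:jquery:jquery:*:*:*:*:*:*:*:*"
    print(describe_cpe(cpe))
    print(with_version(cpe, "3.5.1"))
```

When DetectZeStack reports a version for a technology, feed it through with_version before the NVD query so the CVE list reflects the release actually deployed rather than the product's whole history.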

Step 2: Query the NVD for Vulnerabilities

Here's a Python script that takes DetectZeStack output and checks each technology for known vulnerabilities:

import os
import time

import requests

DETECTZESTACK_URL = "https://detectzestack.fly.dev/analyze"
NVD_API_URL = "https://services.nvd.nist.gov/rest/json/cves/2.0"
API_KEY = "your-detectzestack-key"

# Optional NVD API key (sent in the "apiKey" header). The NVD public rate limit
# is 5 requests per rolling 30 seconds without a key and 50 with one, so the
# loop below is paced to whichever applies.
NVD_API_KEY = os.environ.get("NVD_API_KEY")
NVD_DELAY = 0.6 if NVD_API_KEY else 6.0


def audit_website(domain):
    # Detect technologies
    resp = requests.get(
        DETECTZESTACK_URL,
        params={"url": domain},
        headers={"X-Api-Key": API_KEY},
        timeout=30,
    )
    resp.raise_for_status()
    techs = resp.json().get("technologies", [])

    findings = []
    for tech in techs:
        cpe = tech.get("cpe")
        if not cpe:
            continue

        # Query NVD for CVEs whose applicability statements match this CPE
        nvd_headers = {"apiKey": NVD_API_KEY} if NVD_API_KEY else {}
        nvd_resp = requests.get(
            NVD_API_URL,
            params={"cpeName": cpe, "resultsPerPage": 10},
            headers=nvd_headers,
            timeout=60,
        )
        time.sleep(NVD_DELAY)  # NVD rate limit

        if nvd_resp.status_code != 200:
            print(f"NVD lookup failed for {cpe}: HTTP {nvd_resp.status_code}")
            continue

        nvd_data = nvd_resp.json()
        vulns = nvd_data.get("vulnerabilities", [])
        # resultsPerPage caps the list above; totalResults is the true match count
        total = nvd_data.get("totalResults", len(vulns))
        if vulns:
            findings.append({
                "technology": tech.get("name", cpe),
                "cpe": cpe,
                "cve_count": total,
                "top_cves": [v["cve"]["id"] for v in vulns[:5]]
            })

    return findings


findings = audit_website("target-site.com")
for f in findings:
    print(f"{f['technology']}: {f['cve_count']} known vulnerabilities")
    for cve in f['top_cves']:
        print(f"  - {cve}")
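The script stops at CVE ids; step 4 of the workflow, prioritising by CVSS score, needs the metrics block the NVD returns with each record. Here is that step as an added example, not code from the post or from DetectZeStack. It reads records in the shape of the NVD 2.0 API response (cve.metrics.cvssMetricV31, cvssMetricV30 and cvssMetricV2), takes the newest CVSS version present, prefers the NVD's own "Primary" assessment when a CNA has also scored the record, and keeps unscored CVEs in the list instead of silently dropping them. The sample response is constructed and its CVE ids are placeholders, not real entries.

```python
# Metric keys in an NVD 2.0 CVE record, newest CVSS version first
METRIC_KEYS = ("cvssMetricV31", "cvssMetricV30", "cvssMetricV2")


def best_cvss(cve):
    """Pick the score to rank on: the newest CVSS version present, preferring the
    NVD's own ("Primary") assessment over a CNA's. Returns None when unscored."""
    metrics = cve.get("metrics") or {}
    for key in METRIC_KEYS:
        entries = metrics.get(key) or []
        if not entries:
            continue
        chosen = next((m for m in entries if m.get("type") == "Primary"), entries[0])
        data = chosen["cvssData"]
        # CVSS v2 records keep baseSeverity beside cvssData rather than inside it
        severity = data.get("baseSeverity") or chosen.get("baseSeverity", "UNKNOWN")
        return float(data["baseScore"]), severity, data.get("vectorString", "")
    return None


def prioritize(nvd_response, min_score=0.0):
    """Flatten an NVD 2.0 response into rows sorted by CVSS base score, highest
    first. Unscored CVEs (often freshly published ones) sort last at 0.0 rather
    than being dropped, so they still get a look."""
    rows = []
    for item in nvd_response.get("vulnerabilities", []):
        cve = item["cve"]
        score, severity, vector = best_cvss(cve) or (0.0, "UNSCORED", "")
        if score < min_score:
            continue
        rows.append({
            "id": cve["id"],
            "score": score,
            "severity": severity,
            "vector": vector,
            "status": cve.get("vulnStatus", ""),
        })
    rows.sort(key=lambda r: (-r["score"], r["id"]))
    return rows


# Constructed sample in the shape of an NVD 2.0 response; the CVE ids are
# placeholders, not real entries
SAMPLE_NVD_RESPONSE = {
    "totalResults": 3,
    "vulnerabilities": [
        {"cve": {"id": "CVE-0000-1001", "vulnStatus": "Analyzed", "metrics": {
            "cvssMetricV2": [{"type": "Primary", "baseSeverity": "MEDIUM",
                              "cvssData": {"baseScore": 5.0,
                                           "vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N"}}]}}},
        {"cve": {"id": "CVE-0000-1002", "vulnStatus": "Analyzed", "metrics": {
            "cvssMetricV31": [
                {"type": "Secondary", "cvssData": {
                    "baseScore": 7.5, "baseSeverity": "HIGH",
                    "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N"}},
                {"type": "Primary", "cvssData": {
                    "baseScore": 9.8, "baseSeverity": "CRITICAL",
                    "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"}},
            ]}}},
        {"cve": {"id": "CVE-0000-1003", "vulnStatus": "Awaiting Analysis", "metrics": {}}},
    ],
}

if __name__ == "__main__":
    for row in prioritize(SAMPLE_NVD_RESPONSE):
        print(f"{row['id']}  {row['score']:>4}  {row['severity']:<9} {row['status']}")
```

The nvd_data dict inside audit_website is exactly what prioritize expects, so it slots in where the script builds top_cves; min_score lets a pipeline page only on HIGH and CRITICAL findings while still recording the rest.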

Step 3: Automate Continuous Monitoring

Set up webhook alerts for real-time tech change notifications:

curl -X POST "https://detectzestack.fly.dev/webhooks" \
  -H "X-Api-Key: YOUR_KEY" \
  -H "Content-Type: application/json" \
  -d '{
    "domain": "app.yourcompany.com",
    "webhook_url": "https://your-siem.com/webhook/techstack",
    "secret": "hmac-secret-for-verification"
  }'

When a technology changes on a monitored domain, you'll receive a webhook. Feed this into your vulnerability management pipeline to check for newly introduced risks.
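The secret registered above only protects the pipeline if the receiver actually checks it; otherwise anyone who learns the webhook URL can inject fake "tech change" events into the SIEM. Here is the receiving side as an added example, not code from the post or from DetectZeStack. It assumes the delivery carries an HMAC-SHA256 of the raw request body, hex encoded, in a signature header, and that the payload lists the domain and its technologies with cpe fields; neither the header name nor the payload shape is documented on the page, so both are assumptions to check against the provider's docs. The sample delivery is constructed.

```python
import hashlib
import hmac
import json

# The secret registered with the webhook in the curl example above
WEBHOOK_SECRET = b"hmac-secret-for-verification"
SIGNATURE_HEADER = "X-Signature"  # assumed header name; confirm with the provider


def sign_payload(body, secret):
    """HMAC-SHA256 over the raw request body, hex encoded (assumed scheme)."""
    return hmac.new(secret, body, hashlib.sha256).hexdigest()


def verify_signature(body, header_value, secret):
    """Constant-time comparison against the signature the sender attached.
    Compare over the raw bytes as received: re-serialising parsed JSON would
    change whitespace and key order and break the match."""
    if not header_value or not header_value.isascii():
        return False
    expected = sign_payload(body, secret)
    return hmac.compare_digest(expected, header_value.strip().lower())


def handle_webhook(body, headers, secret=WEBHOOK_SECRET):
    """Reject deliveries that do not authenticate, otherwise return the CPEs
    that should go back through the NVD check. Payload shape is assumed."""
    if not verify_signature(body, headers.get(SIGNATURE_HEADER), secret):
        return {"status": 401, "cpes": []}
    try:
        event = json.loads(body)
    except ValueError:
        return {"status": 400, "cpes": []}
    cpes = [t["cpe"] for t in event.get("technologies", []) if t.get("cpe")]
    return {"status": 200, "domain": event.get("domain"), "cpes": cpes}


# Constructed delivery for the monitored domain from the curl example
SAMPLE_EVENT = json.dumps({
    "domain": "app.yourcompany.com",
    "technologies": [
        {"name": "jQuery", "cpe": "cpe:2.3:a:jquery:jquery:*:*:*:*:*:*:*:*"},
        {"name": "Custom", "cpe": None},
    ],
}).encode()
SAMPLE_HEADERS = {SIGNATURE_HEADER: sign_payload(SAMPLE_EVENT, WEBHOOK_SECRET)}

if __name__ == "__main__":
    print(handle_webhook(SAMPLE_EVENT, SAMPLE_HEADERS))
    print(handle_webhook(SAMPLE_EVENT + b" ", SAMPLE_HEADERS))  # tampered body
```

Verify before parsing, never after: a parser fed unauthenticated input is itself attack surface, and the signature must be computed over the exact bytes on the wire.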

Practical Use Cases

Vendor Risk Assessment: Before onboarding a SaaS vendor, audit their website. Outdated frameworks or missing security headers are red flags.

Supply Chain Monitoring: Track tech changes across critical suppliers. If a partner drops HTTPS or switches CDNs, you want to know.

Penetration Test Recon: Start engagements with a comprehensive technology inventory. Four detection layers (HTTP, DNS, TLS, headers) surface infrastructure that manual inspection misses.

Compliance Reporting: Generate evidence that your web properties use current, patched technologies for SOC 2, ISO 27001, or PCI DSS audits.

Why Not Just Use a Vulnerability Scanner?

Traditional scanners (Nessus, Qualys) require network access and authenticated scans. DetectZeStack works from the outside — you can audit any public website, including vendor sites you don't control. They're complementary tools.

Cost

Manual vendor security assessments cost $500-2,000 per vendor. Automated tools like BitSight charge $15,000-50,000/year.

With DetectZeStack at $5/month (5,000 requests), you can audit 5,000 domains monthly. That's enterprise-grade coverage at indie pricing.

Get your free API key — 100 requests/month, no credit card required.


How do you handle external dependency auditing? I'd love to hear your approach in the comments.
