I'm sorry but you can't fix 'failing Web startup security' with automated scans. Automated scans are useless for finding all but the most trivial of vulnerabilities.
There's almost no doubt in my mind that the only way to fix the situation is with education. I think that if your goal is to fix poor security practices, you should change your strategy to teaching developers how to be security aware, rather than offering a service that merely pokes around for a few well known vulnerabilities.
BUT, there are charlatans armed with little more than nmap and a cursory understanding of the output that sell themselves as penetration testers, for a whole lot more than I assume this service will cost.
This, at least, is normalized, repeated, reported consistently, and history is kept. That's worth something.
It's incomplete, but I assume at the price point, it will be more cost efficient and trustworthy than the other options -- the most popular of which is doing nothing.
Usual rant about false senses of security elided for brevity.
Just as educated programmers can introduce bugs and it’s impossible to find a programmer that will write bug-free code, it’s also impossible to find one that will write vulnerability free code. Therefore educating programmers is not the solution; it’s part of the solution. And automated scanning is also not the solution, but it’s a big part of that solution.
> Automated scans are useless for finding all but the most trivial of vulnerabilities
I’m really curious about how you can make that claim. Automated scanning can find many very important vulnerabilities in a very accurate manner. We regularly receive user comments like this one:
“We have external scan performed by third party that found some vulnerabilities of our sites. Using Netsparker we were able to validate them and work on fixing them. More than this we found few others not reported by them that we had to patch.”
This proves that even a highly-paid security consultant can miss vulnerabilities that can be found by automated scanners. Not to mention that lots of security consultants also use automated scanners to speed up their task.
Finally, there are so many other issues to learn about that you can’t expect your developers to keep up-to-date with all of them: new attack techniques, new vulnerabilities that affect a framework, etc. So, even when your developers are educated about writing secure code, you can still create vulnerabilities in your application. Or when your code is secure in your staging environment, it can be not-so-secure on the production environment because certain settings are different etc.
> merely pokes around for a few well known vulnerabilities.
Modern web app scanners don't really work around the concept of testing well known vulnerabilities; there are classes of vulnerabilities such as LFI, SQLI, XSS etc. and scanners intelligently (similar to an actual attacker / penetration tester) test these out.
You might be thinking about old school tools such as Nikto (also referred to as CGI scanners). Today, even those tools are doing a little bit more than just looking for well known vulnerabilities.
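To make the distinction in the comment above concrete, here is an added example (not code from the original thread, from Netsparker or from ScanMySite) of class-based probing: instead of matching known paths like a CGI scanner, it injects one probe per vulnerability class into each parameter and judges the response. The target handler, the probe payloads, the response patterns and the target list are all constructed assumptions for the demonstration; the baseline comparison is the check that keeps a page which already contains the evidence from being reported.

```python
import re

# Constructed stand-in for a target site: a deliberately vulnerable request
# handler that echoes a parameter unescaped, leaks a database error when a quote
# breaks its query, and reads files by caller-supplied name. It exists only so
# the scanner below has something to run against offline; it is not any real
# product's code.
def vulnerable_app(path, params):
    if path == "/search":
        q = params.get("q", "")
        if "'" in q:
            return 500, "You have an error in your SQL syntax near '" + q + "'"
        return 200, "<h1>Results for " + q + "</h1>"
    if path == "/view":
        name = params.get("file", "")
        if name.endswith("/etc/passwd"):
            return 200, "root:x:0:0:root:/root:/bin/bash\n"
        return 200, "<pre>no such file</pre>"
    return 404, "not found"


# One probe per vulnerability class: the payload sent in place of a parameter's
# normal value, and a check on the response that indicates the class is present.
# Payloads and patterns are illustrative assumptions, not a real scanner's set.
PROBES = {
    "xss": ("<scan7331>",
            lambda status, body: "<scan7331>" in body),
    "sqli": ("'",
             lambda status, body: re.search(r"sql syntax|sql error", body, re.I) is not None),
    "lfi": ("../../../../etc/passwd",
            lambda status, body: re.search(r"^root:x:0:0:", body, re.M) is not None),
}


def scan(app, targets):
    """Inject every probe into every parameter of every target.

    targets is a list of (path, {param: benign_value}); a real scanner would
    discover these by crawling. A finding needs the evidence to be absent from
    the baseline (benign) response and present in the probed one, which keeps
    a page that always prints, say, a passwd-like line from being reported.
    """
    findings = []
    for path, base_params in targets:
        baseline_status, baseline_body = app(path, base_params)
        for param in base_params:
            for vuln_class, (payload, looks_vulnerable) in PROBES.items():
                if looks_vulnerable(baseline_status, baseline_body):
                    continue  # evidence already on the normal page: not attributable to the probe
                probed = dict(base_params)
                probed[param] = payload
                status, body = app(path, probed)
                if looks_vulnerable(status, body):
                    findings.append((path, param, vuln_class))
    return findings


# Constructed target list; parameter values are the benign ones a crawler saw.
TARGETS = [("/search", {"q": "shoes"}), ("/view", {"file": "readme.txt"})]

if __name__ == "__main__":
    for path, param, vuln_class in scan(vulnerable_app, TARGETS):
        print(f"{vuln_class.upper():5} {path} parameter={param}")
```

Against the constructed handler this reports XSS and SQL injection on the `q` parameter of `/search` and LFI on the `file` parameter of `/view`; the `/view` handler is not reported for XSS because it never reflects its input. The three-element probe set is the minimum that shows the idea, and a real scanner carries many payload variants per class plus blind (time- or out-of-band-based) checks for cases where nothing is reflected.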
At my company we've been looking into this. We've been in contact with a security company who gave us a quote of £6k, for probably what amounts to not much more than just a port scan. We've only got 4 VPSes, so this seems a bit crazy! Keep up the good work, I want this now! :D
Just wondering; how does this differ from products like StopTheHacker and SiteLock (amongst others)? I mean, the idea is a solid one, but there's a few players in this arena already.
Sites like those are generally in the business of seal-selling or doing very light security checks.
Many of them will only report out of date vulnerabilities (quick & easy to check) or very simple, limited issues. Still a legit business obviously. Though the benefits are limited. Best way to check this, get a scan request and watch your logs. Most of them won't even do a POST request. How can you really check for vulnerabilities unless you test all the functionality in a web application?
I guess we should explain this in our website to distinguish ourselves from that pack.
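The "watch your logs" check suggested above can be scripted. This is an added example, not code from the thread or from any of the products mentioned: it parses combined-format access log lines, isolates one scanner by its source IP, and summarises what that scanner actually exercised (request methods, distinct paths, requests carrying parameters). The log lines, IPs, paths and user-agent strings are constructed for the demonstration.

```python
import re
from collections import Counter

# Apache/nginx "combined" log format. The sample below is constructed traffic
# from two hypothetical scanners: one that only fetches a few well-known paths,
# and one that follows the application's own forms and submits them.
LOG_LINE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) (?P<proto>[^"]+)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

SAMPLE_LOG = """\
203.0.113.10 - - [10/Jan/2012:10:00:01 +0000] "GET / HTTP/1.1" 200 5120 "-" "SealScanner/1.0"
203.0.113.10 - - [10/Jan/2012:10:00:02 +0000] "GET /robots.txt HTTP/1.1" 200 48 "-" "SealScanner/1.0"
203.0.113.10 - - [10/Jan/2012:10:00:03 +0000] "GET /wp-login.php HTTP/1.1" 404 210 "-" "SealScanner/1.0"
198.51.100.7 - - [10/Jan/2012:11:00:01 +0000] "GET / HTTP/1.1" 200 5120 "-" "AppScanner/2.0"
198.51.100.7 - - [10/Jan/2012:11:00:02 +0000] "GET /search?q=shoes HTTP/1.1" 200 3300 "-" "AppScanner/2.0"
198.51.100.7 - - [10/Jan/2012:11:00:03 +0000] "GET /search?q=%3Cscan7331%3E HTTP/1.1" 200 3310 "-" "AppScanner/2.0"
198.51.100.7 - - [10/Jan/2012:11:00:04 +0000] "POST /login HTTP/1.1" 302 0 "http://example.com/login" "AppScanner/2.0"
198.51.100.7 - - [10/Jan/2012:11:00:05 +0000] "POST /account/update HTTP/1.1" 200 900 "http://example.com/account" "AppScanner/2.0"
"""


def parse_log(text):
    """Yield one dict per well-formed combined-format line; skip anything else."""
    for line in text.splitlines():
        m = LOG_LINE.match(line)
        if m:
            yield m.groupdict()


def scanner_coverage(text, scanner_ip):
    """Summarise what one scanner source actually exercised.

    Keyed on source IP rather than User-Agent because the agent string is
    whatever the client chooses to send.
    """
    methods = Counter()
    paths = set()
    with_params = 0
    for entry in parse_log(text):
        if entry["ip"] != scanner_ip:
            continue
        methods[entry["method"]] += 1
        path, _, query = entry["target"].partition("?")
        paths.add(path)
        if query:
            with_params += 1
    return {
        "requests": sum(methods.values()),
        "methods": dict(methods),
        "distinct_paths": len(paths),
        "requests_with_parameters": with_params,
        "sent_post": methods["POST"] > 0,
    }


if __name__ == "__main__":
    for ip in ("203.0.113.10", "198.51.100.7"):
        print(ip, scanner_coverage(SAMPLE_LOG, ip))
```

On the sample, the first source sends three GETs to three paths, never supplies a parameter and never POSTs; the second submits two forms and varies a query parameter. Run against your real log after requesting a scan, a summary that looks like the first source is the signal the comment describes: the service looked at the front door and left.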
Just so you know your responsive design is covering the request invite submit button when your browser goes somewhere below around 900px wide (Using chrome latest dev build).
A few exist but are priced for corporations looking for PCI compliance. If you can position yourself like a Pingdom or Pagerduty but for security you will do really well.
Best of luck.
Thanks. What you have said is exactly the rationale behind what we're building - a move away from expensive and restrictive enterprise solutions toward something that works (both operationally and economically) for smaller businesses.
lucaspiller|13 years ago
(Also the link to your other product http://www.mavitunasecurity.com/netsparker/ doesn't seem to work?)
fmavituna|13 years ago
> (Also the link to your other product http://www.mavitunasecurity.com/netsparker/ doesn't seem to work?)
Is it still not working for you? I just checked and it was up, also pingdom didn't report any downtimes, maybe a temporary issue on your side?
rmc|13 years ago
Or are there things you don't know about and don't know how to test for? Should you maybe pay a professional who knows about this?
How much is your data worth?
fmavituna|13 years ago
If you have any questions / feedback, me and Tim (@ScanMySite) are happy to hear.
zalew|13 years ago
pssst: screenshot arrows don't work.