Web App Scanners Miss Half of Vulnerabilities
seek3r sends news of a recent test of six web application security scanning products, in which the scanners missed an average of 49% of the vulnerabilities known to be on the test sites. Here is a PDF of the report. The irony is that the test pitted each scanner against the public test files of all the scanners. This reader adds, "Is it any wonder that being PCI compliant is meaningless from a security point of view? You can perform a Web app scan, check the box on your PCI audit, and still have the security posture of Swiss cheese on your Web app!" "NTOSpider found over twice as many vulnerabilities as the average competitor having a 94% accuracy rating, with Hailstorm having the second best rating of 62%, but only after extensive training by an expert. Appscan had the second best 'Point and Shoot' rating of 55% and the rest averaged 39%."
A lot of PHP "developers" won't admit it, but Microsoft's .NET platform actually does a far better job of allowing for the development of secure web applications than PHP ever will.
Even inexperienced ADO.NET developers know enough to use parameterized queries. But I'm not fucking kidding you, I still see PHP code even today where the SQL is generated via string concatenation, without properly escaping input from the user. Whenever I see this sort of code, I immediately send a written letter to whoever owns the code, warning them of the hazard.
ASP.NET also helps prevent security exploits. By default, it prevents the inputting of HTML via posted fields or query string parameters, which helps prevent several common attacks.
Even after well over a decade, PHP still makes it too damn easy to write code that is full of security flaws.
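The contrast drawn in the comment above, as an added example that is not part of the original post: the string-concatenated query beside its PDO prepared-statement form, run against an in-memory SQLite table (assumes the pdo_sqlite extension; table, rows and input are constructed).

```php
<?php
// Added example, not from the original comment. Shows the flaw described
// above (SQL text assembled from user input) next to the parameterized form.
// Uses an in-memory SQLite database so it runs offline; data is constructed.

$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT NOT NULL)');
$pdo->exec("INSERT INTO users (name) VALUES ('alice'), ('O''Brien')");

// Vulnerable: $name is spliced straight into the SQL text, so any quote
// character in it alters the statement's structure rather than its data.
function findUserConcat(PDO $pdo, string $name): array
{
    $sql = "SELECT id, name FROM users WHERE name = '" . $name . "'";
    return $pdo->query($sql)->fetchAll(PDO::FETCH_ASSOC);
}

// Hardened: the statement shape is fixed at prepare time and $name is sent
// as a bound value, so a quote inside it can only ever be data.
function findUserPrepared(PDO $pdo, string $name): array
{
    $stmt = $pdo->prepare('SELECT id, name FROM users WHERE name = :name');
    $stmt->execute([':name' => $name]);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Constructed input: a perfectly legitimate name that contains an apostrophe.
$input = "O'Brien";

try {
    findUserConcat($pdo, $input);
} catch (PDOException $e) {
    // The concatenated query breaks on a plain apostrophe. A syntax error on
    // ordinary input is the tell that the SQL grammar itself is caller-controlled.
    echo 'concat: ' . $e->getMessage() . PHP_EOL;
}

// The prepared form looks up the same name and returns the matching row.
print_r(findUserPrepared($pdo, $input));
```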
Are you fucking serious? No, really. Are you fucking kidding me? ARE YOU?
You truly think "web security" consists of nothing more than avoiding SQL and XSS injection attacks? ARE YOU FUCKING KIDDING ME?
What about SECURING YOUR GODDAMN WEB SERVER(S)? HUH? What about that? Is that the third "half" that you forgot? And I'm not just talking about the HTTP daemon itself. I'm talking about whatever operating system you're running on those servers. I'm talking about whatever you use to control remote access and physical access to those servers. Get my drift? GET IT?
What about your web application itself? HAVE YOU THOUGHT OF THAT? Let me guess, you got it developed in India, didn't you? Did you do a code review? DID YOU DO A FUCKING CODE REVIEW OF THE WEB APP YOU GOT BUILT IN INDIA? DID YOU? No, you didn't. That's probably your biggest fucking security hole. How do you know that they're not siphoning off credit card information, or other private information belonging to your customers and web site users? YOU DON'T, BECAUSE YOU DIDN'T DO A CODE REVIEW!
Are you using PHP? I said, ARE YOU USING PHP? If you are, then your web site's security is fucked to Hell and back.
Have you ensured that you don't have anyone intercepting your network traffic? HAVE YOU? WHAT NETWORK AUDITING HAVE YOU DONE? Yeah, that's right. NONE.
Pathetic little worms like you sicken me. Your complete shortsightedness and lack of knowledge about security leads to all of the problems we have today.
I too am sick of PHP getting bashed all the time... And yes, I'm a web developer who writes in PHP...
I got that far, then stopped reading.
First, you are not a "web developer who writes PHP". If you use PHP, you're nothing but a hack.
Second, by claiming to be a "developer who writes PHP", you've immediately destroyed whatever small degree of legitimacy you and your arguments (which I didn't bother to read) might have had.
Cry "ad hominem" all you want. The fact remains that you openly admit to using PHP. That basically makes you as smart as a dog turd.