Web App Scanners Miss Half of Vulnerabilities

seek3r sends news of a recent test of six web application security scanning products, in which the scanners missed an average of 49% of the vulnerabilities known to be on the test sites. Here is a PDF of the report. The irony is that the test pitted each scanner against the public test files of all the scanners. This reader adds, "Is it any wonder that being PCI compliant is meaningless from a security point of view? You can perform a Web app scan, check the box on your PCI audit, and still have the security posture of Swiss cheese on your Web app!" "NTOSpider found over twice as many vulnerabilities as the average competitor having a 94% accuracy rating, with Hailstorm having the second best rating of 62%, but only after extensive training by an expert. Appscan had the second best 'Point and Shoot' rating of 55% and the rest averaged 39%."

Not a surprise to me.

[ls671]

> Web App Scanners Miss Half of Vulnerabilities

Well this is no surprise to me. Designing/testing secure systems is much more than scanning for vulnerabilities.

Scanning is only one of the tool to use to accomplish the goal.

Re:Whitehat Security

[ls671]

> There seems to be a little bit of a disconnect between the sales force and the operations team

No kidding, I can't believe that such a company exists ;-)))

Re:Web apps make it so easy to be insecure.

[RzUpAnmsCwrds]

But at least when it comes to hardware, we're willing to throw everything away and start from scratch.

Is that why I'm using a pipelined, out-of-order implementation of a 64-bit extension to a 32-bit extension of a 16-bit ISA?

I mean, shit, my Core 2 Duo supports everything from 128-bit vector instructions to segmented addressing. I have USB and PCI Express busses on my ThinkPad, but also CardBus/PCMCIA and a modem. I have Gigabit Ethernet but it is still compatible with 10Base-T. I have a DVI port (through the dock) but also a VGA port. My DVD-RW will read CDs which are 30 years old.