The Acunetix saga

As they say: better late then never. Here are my comments on the whole Acunetix saga.

First of all, you should read the great posting at Computer Defense about the matter. It contains links to all the important events in this area, including the original press release, the reaction on Network World and others.

So here is the situation as I understand it: Acunetix provides a free (as in beer) security scanner, which can be used to scan your website for vulnerabilities. In their press release they claimed that 70% of the people who used it were vulnerable, in reaction to which Network World (which isn't all bad, since they have at least one very good podcast) summoned up a security expert, which claimed that the statistics were BS and challenged Acunetix by saying that he would give them 1,000 USD if they were able to hack 10 sites picked random from the list.

First of all I have no relation with Acunetix (I can't even remember their name, I have to copy paste every time I write it :-)). Second of all: I don't think highly of such automated scanner. There is nothing better than a good old fashioned code review (and believe me, there are some nasty things in the codebase out there which run the big websites). Such automatic tools pick up only the low hanging fruits: cross site scripting (also known as HTML injection for the purist :-)) and SQL injection. And even those aren't guaranteed to be found completely. Basically these scanners face the same problems as the search engine crawlers: navigation embedded in javascript and / or flash, restricted member areas, etc.

This being said, you can't dismiss the results of such scans. SQL injections are very bad, but at least they are easy to convey to the security team (everybody understands if you say: look, I can view / edit / delete your entire database!). Cross site scripting attacks on the other hand are looked down however by many because they say: they don't hurt my server, so it isn't a big deal, right? Wrong! Cross site scripting attacks can mean things like cookie stealing, taking actions on behalf of the user (like buying / selling things, transferring founds, etc). The notorious Sammy worm was based on a Cross Site Scripting flaw!

And finally: Network World's expert is an idiot at best or an attention seeking w**** at worst! Those are strong words, but how can somebody call themselves a security expert and don't stop to think that even if the statistics were doctored (which I'm pretty sure they not - not that I trust Acunetix, but the figure seems to be consistent with my experience) no reputable security company would go around defacing peoples websites at random just to prove a point. And I'm pretty sure that whatever agreement they had with the site owners, it didn't include a clause which would permit Acunetix to use the site for demonstration purposes. This expert should be sued for defamation by the real experts! And the kicker is: when Acunetix said that they take the challenge, but for the Network World website, the expert said that they had no relation with Network World and thus they can not authorize such an experiment. No relation !? No relation like: I make stupid statements and pose as an expert there, but I can't be bothered to test them. Thinking about the legal consequences? Why didn't you think about the legal consequences of your original proposal genius?