Trading Up to Better Website Security
Tuesday, January 09, 2007 | Website Security
Normally I don’t post shameless company promotions on my blog, but this one is different. I thought people might find it interesting to follow the results. Commercial website scanner vendors (Cenzic, SPI Dynamics, Watchfire, etc.) and service providers like WhiteHat Security go back and forth with claims about what scanning technology can and can’t find. I say scanning is only capable of testing for about half of the issues (technical vulns). The scanner vendors claim that their products can find logical flaws. Who’s right? It's time to find out.
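To make the technical-versus-logical distinction concrete, here is a constructed toy example (added for this page; it is not the post's own code and not any vendor's scanner or product). It models two endpoints on a hypothetical site: one reflects input unencoded (a technical flaw a generic scanner can detect by injecting a marker and watching for it to come back raw), and one accepts a negative order quantity (a logic flaw whose responses are perfectly well-formed, so a site-agnostic check has nothing to match on). The business rule "a total is never negative" is an assumption supplied by the tester, which is exactly the knowledge a generic scanner lacks.

```python
import html
import re
from urllib.parse import parse_qs

# Constructed toy application. Handlers take parsed query params and
# return (status, body). Hypothetical; not any real site or product.
PRICE_PER_ITEM = 10

def search_handler(params):
    q = params.get("q", [""])[0]
    # Input echoed without encoding: a technical (reflected XSS) flaw.
    return 200, f"<h1>Results for {q}</h1>"

def search_safe_handler(params):
    q = params.get("q", [""])[0]
    # Same page with output encoding applied: the hardened form.
    return 200, f"<h1>Results for {html.escape(q)}</h1>"

def checkout_handler(params):
    raw = params.get("qty", ["1"])[0]
    try:
        qty = int(raw)
    except ValueError:
        return 400, "<p>Bad quantity</p>"   # malformed input is handled cleanly
    # No check that qty > 0: a business-logic flaw. qty=-5 yields a credit,
    # yet the response is a valid 200 page with a number in it.
    total = qty * PRICE_PER_ITEM
    return 200, f"<p>Total: {total}</p>"

ROUTES = {
    "/search": search_handler,
    "/search_safe": search_safe_handler,
    "/checkout": checkout_handler,
}

def request(path, query):
    """Stand-in for an HTTP round trip against the toy app."""
    return ROUTES[path](parse_qs(query))

XSS_PROBE = "<wh0x>"   # arbitrary marker; if it returns unencoded, input is reflected raw

def scan_reflection(path, param):
    """Generic scanner check for a technical flaw: inject a marker and look
    for it coming back unencoded. Needs no knowledge of the application."""
    _, body = request(path, f"{param}={XSS_PROBE}")
    return XSS_PROBE in body

def fuzz_for_errors(path, param):
    """Generic, site-agnostic boundary fuzzing: flag server errors or stack
    traces. Finds input-handling bugs, not logic bugs; returns the payloads
    that triggered something suspicious."""
    findings = []
    for payload in ["-1", "0", "abc", "9" * 20, "1e9"]:
        status, body = request(path, f"{param}={payload}")
        if status >= 500 or "Traceback" in body:
            findings.append(payload)
    return findings

def check_business_rule(path, param):
    """Site-specific oracle (an assumption we supply): an order total must
    never be negative. Encoding this rule requires understanding what the
    application is for, which is what a generic scanner does not have."""
    status, body = request(path, f"{param}=-5")
    m = re.search(r"Total: (-?\d+)", body)
    return status == 200 and m is not None and int(m.group(1)) < 0

if __name__ == "__main__":
    print("reflection on /search:", scan_reflection("/search", "q"))            # True
    print("reflection on /search_safe:", scan_reflection("/search_safe", "q"))  # False
    print("fuzz findings on /checkout:", fuzz_for_errors("/checkout", "qty"))   # []
    print("negative-total rule violated:", check_business_rule("/checkout", "qty"))  # True
```

The point of the example is the empty fuzz result: every odd value sent to `/checkout` gets a clean 200 or 400, so a scanner that only knows "errors and reflected markers are bad" has no signal, while one line of application-specific knowledge finds the flaw immediately.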
Enterprises are motivated to select the best solution for identifying vulnerabilities. That’s where the focus should be. We all loathe reading lame paid-for 4-star reviews and bogus magazine awards. It’s 2007, and I say it's time to let the results speak for themselves. The hard part about measuring results is you never really know the total number of vulnerabilities present in custom websites, and demo sites are a poor baseline for measurement. The best results are gathered using real websites when solutions go head-to-head, but obviously you just can't go out and pen-test any website you feel like.
As it happens, a large portion of our Sentinel customers, with some of the largest and most popular websites in the world, previously purchased commercial scanners. They said the tools were complex, reported too many false positives, or that it was faster to perform assessments by hand. (Survey results back this up.) It's not that the tools don’t work. They’re sophisticated, but often end up not being the right solution for the job. Websites are constantly changing and so are the vulnerabilities that plague them. Many enterprise security professionals understand this problem but are hesitant to try something new for fear of throwing good money after bad. Worse still, their websites remain unprotected, and head-to-head comparisons between competing solutions, which would ease the decision-making process, are few and far between.
WhiteHat Sentinel's vulnerability assessment results are more complete than scanners', but I'm not here asking people to take my word for it. I have something else in mind. Here's the deal: if your company previously purchased a commercial scanner and ended up not using it, not liking it, or is curious about alternatives, you can receive up to a $30,000 credit towards an annual Sentinel subscription. Completely risk-free. See our results first-hand on your website and compare them against your current scanner reports. The enterprise gets to decide what can and can’t be scanned for. Win, lose or draw; good, bad or otherwise - we're all going to learn something.