Automatic Scans
Adriel Desautels, chief technology officer at Netragard LLC, a Mendham, N.J.-based company that offers manual vulnerability testing services, said automated scans can be useful in ensuring that a Web site is protected against known security flaws. "They make sure that network security is not a complete disaster," he said.
But automated scans don't work as well with customized Web applications and e-commerce environments, Desautels contended. And they do next to nothing to test Web sites against less commonly known vulnerabilities, he said, adding that those are the flaws most likely to be exploited by black-hat hackers.
"We had a major financial institution customer that had passed an automated vulnerability scan and intrusion testing," Desautels said. "Everything appeared to be working, but then we came in and by the end of the third day, [we] had penetrated 17 of their internal systems."
No One's Perfect
Tim Dowling, vice president of consumer growth initiatives at McAfee's Web security group, said it's unreasonable and naive to expect any IT security service to provide 100% protection against online threats.
"Hacker Safe is not perfect," Dowling acknowledged. But he said that ScanAlert's service does help users defend their Web sites against "thousands and thousands" of threats. And sites that sport the seal are far more readily trusted by consumers than ones that don't, he claimed -- a contention that was backed up by several ScanAlert users.
According to Dowling, a full 90% of the scans that ScanAlert performs on a daily basis are automated. But in cases where sites fail the vulnerability scans, the vendor may do manual penetration testing to help its clients understand and correct security problems, Dowling said. And contrary to the claims of Kennedy and Desautels, ScanAlert does look for problems such as SQL injection and cross-site scripting flaws, Dowling said.
He added that the date-stamped Hacker Safe seal is served and controlled entirely by ScanAlert and is withdrawn any time a Web site fails to pass the daily vulnerability scan. Since new vulnerabilities arise frequently, Dowling said, it isn't uncommon for sites to lose and regain their Hacker Safe status, as Geeks.com did last June and December.
The Hacker Safe service should be just one part of a multilayered security strategy, said Jay Greenberg, director of e-commerce at Spencer Gifts LLC, a novelty gifts retailer in Egg Harbor Township, N.J.
"This is one additional tool that you can utilize to help secure your site," Greenberg said, adding that IT and Web site managers also "have to be smart and diligent about making sure your developers are monitoring and checking" for security flaws as well.
In addition to helping secure Web sites at the back end, ScanAlert's service can boost sales by making consumers "feel comfortable" about doing business on a site, Greenberg said.
Before joining Spencer Gifts, he worked for another company that was a ScanAlert client. Greenberg said that to test how useful the Hacker Safe logo was from a marketing standpoint, the company -- which he declined to identify -- asked ScanAlert to make the seal visible to only about half of the visitors to its Web site. The test showed that more of the people who could see the logo bought products, he said.
Customer Testimonials
Jay Cline, president of Minnesota Privacy Consultants and former chief privacy officer at hospitality industry conglomerate Carlson Companies Inc., has been a ScanAlert customer for about a year. Using the Hacker Safe service certainly doesn't guarantee that hackers will never be able to break into a Web site, said Cline, who also is a Computerworld columnist.
"What I'm buying is a service that keeps me safe from hackers that use known vulnerabilities," Cline said. "I'm aware that there's still [other risks] that I need to watch out for."
ScanAlert has helped identify security problems that might otherwise have been missed, Cline said. For example, during the initial sign-up process, a scan pointed him toward a cross-site scripting vulnerability that resulted from the way in which his site was being hosted by an external Web site developer.
A logo proclaiming that a site is safe from hackers could sometimes be seen as an open invitation for malicious attackers to try to crack the site, Cline acknowledged. But like Greenberg, he said that the Hacker Safe seal can be a valuable tool for convincing consumers to complete transactions and not be scared away by any security concerns.
"If you're looking for ROI, Hacker Safe on balance gives you more lift," Cline said.
Bill Cronin, manager of e-commerce at The Vermont Teddy Bear Co. in Shelburne, Vt., also said that he has been able to justify the cost of the ScanAlert service from a marketing standpoint.
When it comes to actually boosting the security of a Web site, though, the benefits are somewhat less obvious, Cronin said. He added that ScanAlert can help users identify some pretty obvious flaws that most IT departments really should be finding on their own in the first place.
"If they're coming up with vulnerabilities on your site, you really aren't doing your job as a security administrator," Cronin said. "The technical side of me says there is limited use here from a security perspective. The marketing guy in me says it's a no-brainer."
Eric Ogren, an independent consultant in Boston, said that the situation isn't black and white, because the IT security industry has yet to develop any metrics for measuring the effectiveness of different vulnerability detection approaches.
It's hard to say for sure how effective ScanAlert's automated scans are, Ogren said. But he added that it's equally hard to know if manual penetration testing and vulnerability assessments are as useful and scalable as their proponents claim.