Recently it came to my attention that many so-called "web security" experts are issuing reports on web site vulnerabilities using tools such as the security scanner from the Acunetix site. You can download and try it for free, but how useful is this tool really?
As I said earlier, I am a web developer and have been working in that field since 1996. It looks like I do have some experience, and I would like to tell you: do not waste your money on that kind of tool.
I can create such a tool within 20 minutes, and it will show an unsuspecting user a scary picture of his website's possible vulnerabilities. But how many of those scary things are real? Believe it or not, even the developers of such tools have no clue. The best example is the SQL injection vulnerability. Any web site which has a database behind it is potentially vulnerable to it.
And all scanning tools show that. The small thing which nobody considered is the human factor behind it. For example, none of the sites developed by me was ever broken into using SQL injection!
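The point above, that a database behind a site is only a potential SQL injection problem and the developer's habits decide whether it is a real one, is easiest to see side by side. The following is an added example written for this post, not code from the author or from any scanner vendor; the table, the two user records and the login routines are constructed here for illustration, and it uses only SQLite from the Python standard library so it runs offline.

```python
import sqlite3

# Constructed sample data for the demonstration (not from any real site).
USERS = [("alice", "s3cret"), ("bob", "hunter2")]


def make_db():
    """Create an in-memory SQLite database with a small constructed users table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, password TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", USERS)
    return conn


def login_concatenated(conn, name, password):
    """Vulnerable form: user input is pasted straight into the SQL text.

    This is the coding habit a scanner's SQL-injection finding is really about.
    Whether the finding is real depends on whether code like this exists.
    """
    sql = ("SELECT name FROM users WHERE name = '" + name
           + "' AND password = '" + password + "'")
    return [row[0] for row in conn.execute(sql)]


def login_parameterized(conn, name, password):
    """Hardened form: input travels as bound parameters, never as SQL text."""
    sql = "SELECT name FROM users WHERE name = ? AND password = ?"
    return [row[0] for row in conn.execute(sql, (name, password))]


def demo():
    """Run both forms against a normal login and against a textbook tautology input."""
    conn = make_db()
    # The classic tautology string from every SQL injection tutorial; used here
    # only to show how differently the two routines treat the same input.
    hostile = "' OR '1'='1"
    return {
        "concat_valid": login_concatenated(conn, "alice", "s3cret"),
        "concat_hostile": login_concatenated(conn, "nobody", hostile),
        "param_valid": login_parameterized(conn, "alice", "s3cret"),
        "param_hostile": login_parameterized(conn, "nobody", hostile),
    }


if __name__ == "__main__":
    for label, result in demo().items():
        print(f"{label}: {result}")
```

The concatenated routine returns every user for the hostile input because the quote closes the string literal and the rest becomes SQL; the parameterized routine returns nothing because the whole string is compared as a password value. A scanner cannot tell from the outside which of the two a site was built with until it actually confirms the behaviour, which is why a raw "potentially vulnerable" finding says more about the tool than about the developers.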
There were vulnerabilities on the IIS side, but there is nothing your developers can do about that. Only your network and system administrators can keep your systems up to date with Microsoft updates to protect the system.
As a result, what would I recommend to all web site users and future owners?
Better to spend it on your IT team's education and allocate resources to books and code reviews.
Establish company standards and do not let anyone - no matter how high or valuable this person is for your company - compromise those standards.
That is your only protection against hackers and other types of BS waste.
And keep in mind the old saying, still true: the avaricious pays twice.