HackerSafe - Is it really worth it?

Also, when there are serious threats like sql injection and xss the hackersafe logo gets autonmatically disabled and does not appear on your site.

This is why I was wondering whether some of the sites that have hackersafe logos are in fact fake ones.

Ladadadada: I will be checking out AppScan. nice tip. green rep for you.

 

For anyone planning on scanning their own sites, on the less pricey side of web-app scanning are Chorizo Scanner and Burp Suite.

Unfortunately I don't have any data on how thoroughly they check sites compared to AppScan but I know we looked at both of them when the AppScan license renewal came up...

 

craigedmonds, you seem to be unusually supportive of HackerSafe. Would you mind posting up some report snippets relating to SQL injection / XSS and similar vulnerabilities if they do indeed perform thorough tests for them?

I don't see how they could practically say for certain that a website is safe from hackers in terms of the above, and things like session fixation. There is just no automated way to test for these things to an acceptable level.

Let's say I download phpBB3 and run it on a HackerSafe site. Now, it's currently only a release candidate, and let's say that a developer left in some debugging stuff, for example if($_GET['debug']) $sql = "SELECT * FROM users WHERE uid ='".$_GET['debug']."'";

(That's just an example, I'm sure phpBB would never be so careless). There is absolutely no reference to a debug field at the front end of the website (say, in a form), so how is HackerSafe going to test for that one? It looks and smells like a waste of money to me.

The only real way to test code security is to manually look over every line and process the logic in your mind. I would never run my code through an automated package and call it hacker safe - It's just not thorough enough. You don't get something for nothing, and in this case I doubt you get much at all for the $1,000 or whatever they believe is a fair price. A website that is 95% secure is as Hacker-Safe as a website that is 0% secure.

 

They scan and rate things on 5 levels.. I have a scan setup with them right now..

they are based as follows.

Vulnerability Levels
Severity Level Description
Urgent Intruders can easily gain control of the device being tested, which can lead to the compromise of your entire network security. Or hackers can use this device to access sensitive information from other devices in your network. Hackers are often actively scanning for this type of vulnerability.

For example, vulnerabilities at this level may include full read and write access to files or databases, remote execution of commands, gaining Administrator or Root level access, and the presence of Trojans or backdoors.
Critical Intruders can possibly gain direct control of the device being tested, or there may be potential leakage of highly sensitive information.

For example, vulnerabilities at this level may include full read access to files, potential backdoors, or a listing of all the users hosted on the device.
High Intruders may be able to gain access to specific information stored on the device being tested, including security settings. This could result in potential misuse of, or unauthorized access to the device or information stored on it.

For example, vulnerabilities at this level may include partial disclosure of file contents, access to certain files on the host, directory browsing, disclosure of filtering rules and security mechanisms, denial of service attacks, and unauthorized use of services such as mail-relaying.
Medium Intruders may be able to collect sensitive information from the host, such as the precise version of OS or software installed or directory structure. While this level of vulnerability is not directly exploitable itself, with this information intruders can more easily exploit possible vulnerabilities specific to software versions in use.
Low Intruders can collect general information about the device being tested (open ports, OS or software type, etc.). Hackers may be able to use this information to find exploitable vulnerabilities.

Currently had a scan done today as they scan every day..

All Vulnerabilities Tested (2914) that was today.. there is a set group scanned always.. However as new vulnerabilitys come up and become public knowledge and privately addressed and or found they are scanned for as well.

 

Scriptman: AppScan would have found your phpBB example !

Some of the more speculative tests it does are looking for admin.php, admin.cfm, admin.asp (Even if you're not running asp...) and admin/ in every directory it finds on your site.
It also adds extra, default-sounding parameters such as admin=TRUE, user_id=1, debug=TRUE, debug=1, etc. So, it would have actually found your debug parameter and tried it with the number 1.

I'm not certain whether it would have realised the significance of what it had found; it would have been looking to put it in debugging mode, so to test debug=1 it would be looking for an error message of some sort, not "You are logged in as Admin"

I do understand, however, that neither AppScan nor Hackersafe can possibly find all security vulnerabilities. All it would take for you to avoid AppScan finding your example would be to change the debug parameter to have a slightly less guessable name.

AppScan normally does somewhere between 20,000 and 80,000 tests and based on lowridertj's comment above, HackerSafe does around 3000 although this number probably varies per website. It would also go up (as does AppScan's number) as more exploits are made public knowledge.

So what the HackerSafe sticker says is "There are 3000 known exploits that don't affect my website." and AppScan says "There are 50,000 known exploits that don't affect me."

Not much difference really... especially if HackerSafe's 3000 are the top most likely ones.

I have all of our websites on a rotating schedule for AppScanning. I can't scan every site every day but that doesn't matter. The reason it doesn't matter is that AppScan never finds anything for our sites. Thanks to years of using it, our developers have learned how to write secure code that can only be used in the manner it was intended. This means that when a new exploit comes out, we're already immune.

In the end, being safe from hackers means writing secure code, not scanning your code with any automated vulnerability scanner.

 

No problems. I am on some private leave until monday but will generate some examples as soon as i get back and will post them here.

I would not say that I am "unsually supportive", it just that alot of people here are saying "it does not do this and it does not do that", especially on the issue of SQL/XSS. (Does this make everyone else unusually negative?")

Those people slamming scanalert probably dont even have a scanalert account (becasue if they did they would see that it does support sql/xss exploit scannig) so I dont know how they can say the system does not do it when they dont really know.

I will post a report on monday but I think its only fair that other should post examples of where they say it doesnt do certain things.

 

Hackersafe/Scanalert has allowed me to start writing more secure code.

I have been writing code for 8 years now and thought I was really great in terms of security but using scanalert (and that would apply to any scanning software including appscan etc) I have managed to improve my coding so that its more secure as I have been given reports showing where the problems are. AND YES, its thrown up a few surpises!!

When you work with a big team you do need automated scanning in case someone has put up some wrong code so I would say whther you choose scanalert, alertsite, appscan or whatever your budget allows, if you have a client with a serious web site, then you should have some kind of automated scanning in place.

 

Another update to the great ScanAlert debate... I scanned a site today that had a HackerSafe sticker and they did fairly well.

The funny thing was that AppScan didn't, and probably couldn't find their greatest security mistake. They store user passwords in the clear and print them out on the screen whenever you login or logout. This was obvious to a human but not to an automated scanner.

They were also vulnerable to credential enumeration, http trace and track methods and they had no SSL on the login or signup pages but that's what the automated scanner found. I have no idea whether ScanAlert had already told them about these issues and they had just not done anything about them or if ScanAlert doesn't find these issues.

 

While ScanAlert might be worth the money, it won't really boost sales like they claim. When we started using it the numbers where so marginal I could only blame regular fluctuations in traffic to the differences I had in conversions.

As far as its service I think it is worth money. I was notified of an SQL injection liability on my site, and my programmer couldn't get the fix in time and it wiped out some data. When there is a liability in your web site scan alert emails you and if you do not address the liability they revoke your certificate until you make a change and pass the next scan. It takes a couple of days grace period before the cert is removed.

Different liabilities carry different weight, and smaller liabilities will not revoke your certificate.

I think that scan alert is a good tool, but not fail-safe or bullet proof. For their ridiculous claims and long winded sales pitch I think they deserve so much skepticism. If your site can pull in 50k or more monthly I think it would be negligent not to have a tool to scan your site for frequent errors and liabilities whether or not you choose to display the logo.

 

Trust seals or site seals as they are sometimes called are a great investment imho. It is a third party verification that tells the customer it is safe to purchase from you. The site Trust the Seller talks about various Trust Seals from some of the leading verification sites. Hacker safe is the only one.

I would recommend viewing the site, its quite informative on the subject.

 

hmm i had an idea some one could make an alternative to hacker safe..

say hacking safe lol for example..

 

A couple posts up I put "Hacker safe is the only one" but I meant to say Hacker safe is not the only one.

 

The most reasonably-priced one that I can find is hackerGuardian

 

It's imho a good idea to join a hacker forums in order to learn as many techniques as possible. The best way to beat hackers is to be a hacker.

 

hmm in my experience i think scanalert company is okay, i like the things they do with the checking up your site for any backdoors or any exploitable pages, but the price doesn't seem reasonable, i would certainly see if you can try to bargin, and NEVER NEVER TELL THEM THAT YOUR SITE HAS BEEN HACKED, if it was hacked recently, cause they will change you an extra 600 bucks for it, its dumb.......

 

I refuse to shop on a site that gives this kind of hype. My opinion is if the company is so small it can not employ (as our company does) a full time IT person witht he knowledge to keep the system up to date then for get it.

We host our on site and its safe, and only people that don't know any better which is a lot I will agree is going to find comfort in this. They did I think it was date line or one of those where quit a bit of hacker safe sites got hacked LOL.

 

Okay. hy not put it to the test? What is your site url?

I have a spare slot in my Hacker Safe account so if you are willing maybe I can perform a test to see if Scan Alert finds anything.

Pm me the url if you want.

Once the scan is done I can send you a report showing what tests were done and if there were any vulnerabilities found.

 

I think what you mean is "The best way to beat a hacker is to study the habits of a hacker" becasue your logic is the same as the example below.

"The best way to beat a __________ is to be a ______."

Just feel free to fill in the blank spaces with any of the following...

Murderer
Child Molestor
Wife Beater
Hit and Run Driver

....you get the idea.

 

do anyone think that security is a vicious cycle ? hackers hack , security companies secure for a fee then hacker hack again .. ultimately its not really safe ..

 

The only safe way is to not put anything on the internet in the first place but of course that would not be possible.

There is always a degree of risk whether you have hackersafe or not.