Powered by Invision Power Board

  Reply to this topicStart new topicStart Poll

> Can you recommend ScanAlert?
Posted: Jan 8 2007, 06:49 AM
Quote Post

Group: Members
Posts: 57
Member No.: 238
Joined: 25-April 03

My most successful ecommerce client is considering subscribing to ScanAlert. This would enable her to include the "Hacker SAFE" logo on her homepage. This is possible on a shared server, but with a twist: The site-specific vunerabilites, if found, are reported to the site owner. The server-specific problems, if found, are reported to the host (you).

Does Advantagecom have any experience with this service? Can you recommend it?

Happy New Year and thanks in advance!

PMUsers WebsiteMSN
Posted: Jan 8 2007, 10:09 AM
Quote Post

Group: Advantagecom Staff
Posts: 4,295
Member No.: 9
Joined: 12-July 02

I don't know about ScanAlert specifically, but we've seen several "security" scanning systems that are so poor that they border on scams. Usually, it's just opportunists capitalizing on the paranoid. To date, I haven't seen a good free or cheap security scanning service. The good ones cost hundreds or thousands of dollars.

That being said, there might be some value in having the HackerSafe logo on your web site regardless of how useful the security scanning service is. That logo might serve to differentiate a site if its clientele tend to be concerned about such things.

We have no problem with a security service scanning one of our web servers at the request of one of our clients as long as they don't cause service problems.

That being said, many times, the security service just coughs up a long list of "potential problems" that they either can't or haven't tested for. For instance, it is common for us to use security patches without changing the version number of a web server. Many security services just look for the version number that included that patch rather than actually testing for the vulnerability. Clearly, that is flawed methodology and results in a lot of unwarranted concern on the part of our clients.

Add to that inflexible administration and procedures at many of the security scanning services (assuming there are even people there) and you can run into a scenario in which they will not state something is secure unless we change version numbers even though the vulnerabilities are patched already.

Obviously, changing version numbers has stability and compatibility issues that require careful planning and rigorous testing to avoid service problems when deploying the new version. It makes no sense to do it if we've already patched the vulnerabilities.

We've never seen a customer go away happy after using a security scanning service. The nature of the service pits the security scanning service against us and if they're screwy and report false security risks, it puts us on the defensive. When our customer takes our response back to the security company, it often puts the security scanning company on the defensive because it points out the flaws in their own testing methodology (if they even have one). In the end, our customer feels scammed regardless of which party they choose to believe.

To date, no security scanning service has ever found a security flaw in our shared hosting server software or hardware.

Andrew Kinney
CTO, Advantagecom Networks

Please do not private message me. My regular management duties preclude responding to every customer that sends me a support issue. Instead, post on the forum or contact tech support.
PMUsers Website
1 User(s) are reading this topic (1 Guests and 0 Anonymous Users)
0 Members:

Topic Options Reply to this topicStart new topicStart Poll