Today, Dark Reading posted a press release from web-app-sec vendor Acunetix that claims, "70% of Websites Hackable." This is based on the results of 10,000 scans of 3,200 sites with Acunetix free on-line scanner. One word: useless.
First, Acunetix uses the free scanner in its sales cycle to attract clients that might buy their full-featured scanner. So, it would be safe to say that some fraction of targets scanned were HacMe sites that are intentionally vulnerable to SQL injection and XSS.
Second, there's absolutely no way that an automated scanning tool can assess the "hackability" of a web application. I used to do lots of web-app-sec work, with and without scanners, and here's the thing: inserting '%27%2D%2D' into a URL and getting a 500 code back from the web server doesn't mean that SQL injection is possible, let alone that that SQL injection will lead to a compromise of the application. All it means is that something, somewhere, did a poor job of handling input.
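To illustrate that point with an added example (not code from the original post), here is a constructed toy lookup endpoint in Python with sqlite3, in two versions: one that binds the id as a parameter and one that splices it into the query. Both return a 500 when the `'%27%2D%2D'` probe arrives, so a "500 means SQL injection" heuristic flags both, and a defender has to do a second, benign check to tell generic input-handling errors apart from anything worth a manual look.

```python
import sqlite3
from urllib.parse import unquote

# Constructed in-memory table standing in for a small product-lookup app (assumption).
conn = sqlite3.connect(":memory:")
conn.execute("CREATE TABLE products (id INTEGER PRIMARY KEY, name TEXT)")
conn.executemany("INSERT INTO products VALUES (?, ?)", [(1, "widget"), (2, "gadget")])


def lookup_parameterized(raw_id: str) -> int:
    """Handler with a bound parameter; returns an HTTP status code.
    The id is validated as an integer first, so the probe '%27%2D%2D'
    (which decodes to the characters '-- ) produces a 500 even though
    the input can never reach the SQL text."""
    value = unquote(raw_id)
    try:
        pid = int(value)  # "'--" is not an integer -> ValueError -> 500
    except ValueError:
        return 500
    row = conn.execute("SELECT name FROM products WHERE id = ?", (pid,)).fetchone()
    return 200 if row else 404


def lookup_concatenated(raw_id: str) -> int:
    """Handler that splices the raw value into the query (the genuinely risky case).
    The unterminated quote makes SQLite reject the statement, so this is also a 500."""
    value = unquote(raw_id)
    try:
        row = conn.execute(f"SELECT name FROM products WHERE id = {value}").fetchone()
    except sqlite3.Error:
        return 500
    return 200 if row else 404


def scanner_verdict(handler) -> str:
    """The naive heuristic criticised in the post: a 500 on the probe means 'SQL injection'."""
    return "SQL injection" if handler("%27%2D%2D") == 500 else "clean"


def triage(handler) -> str:
    """Defender-side triage of a scanner hit: if a harmless non-integer value such as
    '1.5' also yields a 500, the server error is generic input handling rather than
    evidence that the quote character reached a query. Otherwise a human should look."""
    if handler("%27%2D%2D") != 500:
        return "not flagged"
    if handler("1.5") == 500:
        return "likely false positive: 500 on any malformed input"
    return "needs manual review"
```

Both handlers get the same "SQL injection" verdict from the heuristic; only the triage step separates the validation error from the concatenation case.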
Third, the tell-tale sign that this "article" is meaningless is that all of the quotes from Acunetix come from Kevin Vella, their sales veep.
But here's the bone I'm going to throw Kevin: based on my experience, 70% is a conservative estimate. Maybe things have changed for the better in the two years since I was doing live web-app-sec work, but I would put that number between 85% and 90% in terms of sites where privilege escalation is possible within the app.
Update: It seems that the idiocy surrounding this thing knows no bounds. Watch as Paul McNamara and Joel Snyder of NetworkWorld throw their careers away over a piece of marketing. Hope that story was online only. Thanks to Thomas Ptacek at Matasano for pointing out this fascinating turn of events.
Update II: It's a train wreck. Snyder responded to criticisms yesterday by backpedaling and changing his story to something more rational. (And it sounds an awful lot like my second point from Tuesday.) But he can't un-ring that $1,000.00 bell. I have changed my mind about Acunetix's part in all of this - I wish them all of the free press they can gain at the expense of Joel Snyder. Naturally, Tom at Matasano has a nice analysis of Joel's rambling Slashdot post.