Tuesday, February 13, 2007

Useless Statistics

Today, Dark Reading posted a press release from web-app-sec vendor Acunetix that claims, "70% of Websites Hackable." This is based on the results of 10,000 scans of 3,200 sites with Acunetix's free online scanner. One word: useless.

First, Acunetix uses the free scanner in its sales cycle to attract clients that might buy their full-featured scanner. So, it would be safe to say that some fraction of targets scanned were HacMe sites that are intentionally vulnerable to SQL injection and XSS.

Second, there's absolutely no way that an automated scanning tool can assess the "hackability" of a web application. I used to do lots of web-app-sec work, with and without scanners, and here's the thing: inserting '%27%2D%2D' into a URL and getting a 500 code back from the web server doesn't mean that SQL injection is possible, let alone that such an injection will lead to a compromise of the application. All it means is that something, somewhere, did a poor job of handling input.
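To make that point concrete, here is an added example (not from the post, and not how any particular scanner works) that models two toy request handlers over a constructed SQLite table: one validates its input and binds it as a parameter, the other concatenates it into the SQL. Both return a 500 on the `'--` probe, so a "500 means SQL injection" heuristic flags both, while only the concatenating handler actually lets input alter the query's logic.

```python
import sqlite3
from urllib.parse import unquote

# The probe the post describes, URL-decoded: '--
PROBE = unquote("%27%2D%2D")

def make_db():
    """Constructed in-memory sample table for the demo."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (id INTEGER, name TEXT)")
    db.executemany("INSERT INTO users VALUES (?, ?)", [(1, "alice"), (2, "bob")])
    return db

def strict_handler(db, user_id):
    """Validates, then binds the value as a parameter. Not injectable,
    but a bad input still becomes an unhandled exception (a 500)."""
    if not user_id.isdigit():
        raise ValueError("id must be numeric")
    return db.execute("SELECT name FROM users WHERE id = ?", (user_id,)).fetchall()

def concat_handler(db, user_id):
    """Builds the SQL by string concatenation: the classic injectable pattern."""
    return db.execute("SELECT name FROM users WHERE id = " + user_id).fetchall()

def http_status(handler, db, value):
    """Model a sloppy app: any exception surfaces as HTTP 500."""
    try:
        handler(db, value)
        return 200
    except Exception:
        return 500

def naive_scanner_verdict(handler, db):
    """The heuristic the post criticises: a 500 on '-- equals 'SQL injection'."""
    return http_status(handler, db, "1" + PROBE) == 500

def really_injectable(handler, db):
    """Ground truth for the demo: can input widen a lookup for id=1 to every row?
    A bound parameter never can; concatenated input can."""
    try:
        return len(handler(db, "1 OR 1=1")) > 1
    except Exception:
        return False

def compare(db):
    """Return {handler name: (scanner says injectable, actually injectable)}."""
    return {h.__name__: (naive_scanner_verdict(h, db), really_injectable(h, db))
            for h in (strict_handler, concat_handler)}

if __name__ == "__main__":
    for name, (flagged, truth) in compare(make_db()).items():
        print(f"{name}: scanner={flagged} actual={truth}")
```

The strict handler is the false positive: it answered 500 because its own validation threw, not because anything reached the SQL parser.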

Third, the tell-tale sign that this "article" is meaningless is that all of the quotes from Acunetix come from Kevin Vella, their sales veep.

But here's the bone I'm going to throw Kevin: based on my experience, 70% is a conservative estimate. Maybe things have changed for the better in the two years since I was doing live web-app-sec work, but I would put that number between 85% and 90% in terms of sites where privilege escalation is possible within the app.

Update: It seems that the idiocy surrounding this thing knows no bounds. Watch as Paul McNamara and Joel Snyder of NetworkWorld throw their careers away over a piece of marketing. Hope that story was online only. Thanks to Thomas Ptacek at Matasano for pointing out this fascinating turn of events.

Update II: It's a train wreck. Snyder responded to criticisms yesterday by backpedaling and changing his story to something more rational. (And it sounds an awful lot like my second point from Tuesday.) But he can't un-ring that $1,000.00 bell. I have changed my mind about Acunetix's part in all of this - I wish them all of the free press they can gain at the expense of Joel Snyder. Naturally, Tom at Matasano has a nice analysis of Joel's rambling Slashdot post.

2 comments:

Kevin J. Vella said...

Thanks for your post.

I would like to point out that we are not the only vendor who uses the download trial version of the product to attract sales. This version tests our own test websites purposely to show how the product would work in a scenario of web application scanning. It is already difficult as it is to explain to people that their website may be manipulated to do things it shouldn't be doing; let alone without the help of visuals.

With regard to how our product works, I would like to offer you the opportunity to see how it works through an evaluation you may be able to use on your test sites.

You are so right in saying that an automated scan is not a replacement for manual intervention. What automation does is it relaxes the burden on the tester. Yet we always advise customers to temper their scans with manual ones - nothing beats human creativity when you are trying to stay ahead of hackers. These people, as you know, are creative professionals themselves.

With regard to the bone you have thrown my way, you might be interested in reviewing our latest press release on the subject. We've also added quotes from our CEO ;-)

Let's pick up the conversation after you have had the time to analyze the data posted.

Kevin J Vella, Acunetix

PaulM said...

Kevin,

Thanks for your response. Of course, since Joel Snyder opened his mouth, you're having the best week ever! ;-)

I don't doubt that your scanner works well for web-app testing. I am of the opinion that vulnerability scanners of any type can be a valuable tool, and I have used several of your competition's products over the years with positive results. I have never used Acunetix's scanner, and my post is not a review of your product.

That said, I am calling bull on the statistics in your "study" because the sample it's based on is flawed. But Acunetix holds no patent on meaningless statistics in marketing literature. I was just disappointed to see a company make a valid point - that the state of security of most web apps is awful - with poor data.

And heck, if you hadn't published that article, McNamara & Snyder might not have made that ridiculous bet. So, for that, I thank you! Pass the popcorn!

PaulM