
Acunetix responds to expert’s challenge

By Paul McNamara on Wed, 02/14/07 - 9:38am.

Actually, the subject line of their e-mail reads - "Acunetix Accepts the Network World Challenge" - but, as you'll see, that claim isn't any more supportable than the company's "apocalyptic" survey that sparked this little exchange of Valentines.

For those just tuning in: Yesterday, Acunetix issued a press release about its survey of 3,200 Web sites that purports to show that 70% of them had vulnerabilities that pose a medium- to high-level risk of a serious data breach. Joel Snyder, a senior partner at Opus One and a Network World Lab Alliance member, called that conclusion "sensationalist nonsense" - and said he would wager $1,000 of his own money to challenge it.

Here is the complete text of the Acunetix reply:

Dear Mr. McNamara and Mr. Snyder,

We read the blog published yesterday by yourself together with the subsequent comment by Joel Snyder and would like to make the following comments while also addressing the issues raised.

The point of publishing the results of the 3,200-strong survey was to address the lack of awareness among organizations of the critical dangers of such Web application vulnerabilities as Cross Site Scripting, SQL Injection and Cross Site Request Forgery. We are merely pointing out a trend corroborated by other published studies concluding that Web security is a problem. It surprises us that Mr. Snyder is among those who do not take the present situation seriously by, indeed, making a mockery of the results through claims that these are incorrect.

This further proves our point that Web application security is one of the least understood and often misconceived aspects of online security today.

Several experts in the field (for example, Jeremiah Grossman) have been stating these facts and dangers for a few years now. So we are not the only ones when it comes to Web application security concerns.

I do concede sounding apocalyptic with my comment and, for this I apologize. The fact remains, however, that 70% out of the commercial and non-commercial entities that we scanned were seriously vulnerable to hacking during the time we scanned them. Others believe that these figures are much greater.

We are available to put Mr. Snyder's doubts of the validity of our results at rest by submitting all the reports to a trusted third party with proven Web security experience and knowledge. Given appropriate authorization and permission from the owners of the Web sites we scanned during January 2006-7, Mr. Snyder would be able to see any of the full reports of our scans - these highlight where and when the vulnerabilities were found. Of course, we cannot vouch that these vulnerabilities have not been fixed but are willing to do this for the sake of professional correctness. And, after all, we stand behind our data.

We are willing to accept the challenge. However we feel that the subject of the challenge should be the Network World Web site, rather than - as Mr. Snyder suggested - an innocent third-party Web site. After all, making a wager with someone else's Web site would be unfair, and furthermore illegal.

So we will accept the wager and perform a security audit on the Network World site and attempt to breach any vulnerabilities found. This should be a fair substitute, since we are assuming that considering Mr. Snyder's comments, Network World is confident that its Web site is secure and any data it holds is unbreachable.

Should Network World accept, we will start the audit immediately and point out any vulnerabilities found to the public. If we do manage to breach the Network World Web site, we would expect Network World to make a public statement - published on the home page and first page of the next Network World issue - that its Web site was actually vulnerable and that Acunetix were able to hack it.

We do expect a response within the next 24 hours that the company authorizes us to immediately perform the security audit and that the company takes full legal responsibility and holds us harmless for any resulting outages and damages.

Our team thanks you for this opportunity and looks forward to the challenge!

Signed,

Nick Galea, CEO and Kevin J. Vella, VP Sales and Operations

Nice try, gentlemen, but the issue here is your study and what you've conceded is the "apocalyptic" nature of your press release. The security of our Web site is irrelevant to that discussion. Moreover, Snyder, who issued the challenge personally, is not a Network World employee nor does he have anything to do with the operation of our Web site. We've contacted Snyder and his challenge still stands. You may accept it or decline on the terms that were offered (details/permissions to be worked out), but so far all you've done is try to change the subject.

Snyder, who is in Singapore on business, also offers these thoughts regarding your reply:

I think that they are missing the point. I am (as you are noting) challenging the conclusion, not the data. I believe that they think that they have found vulnerabilities. But there is a huge difference between that and turning a vulnerability into a breach.

Let me give you an example. A lot of Cross-Site Scripting attacks let you steal cookies. So they probably found those. But the question is: When you have a cookie, what can you do with it? A lot of Web sites also tie cookies to your IP address, which means that if you steal my cookie, you got nothing but crumbs. So the point is not that there are these vulnerabilities, but that they have done nothing to show whether these vulnerabilities are truly breachable and able to get people real data.

Same for things like directory listing. You can do that to our (Opus One) site. Is that a security problem? No, in fact, I turned it on specifically. If I didn't want people to read it, I wouldn't have put it on the Web server. So the point is not that they've found a lot of theoretical issues, but whether they've actually found issues. And the only way, in my mind, to see whether they have is to see if the issues can be exploited. If they can, I'll pay up. If they can't be exploited, then all they've done is made long lists of things that don't matter.

Feel free to leave your comments, folks. They're also discussing this over at Slashdot this morning.

Happy Valentine's Day to all of you Slashdotters, regulars and passersby. Here are a few more recent Buzzblog items. And, if you'd like to receive Buzzblog via e-mail newsletter, here's where to sign up.

Buy prepaid credit cards without an ID or age limits? ... What could go wrong?

Do free Web hosting services welcome phishers?

Did Gates fib about H-1B business?

The Onion tees up Vista ... hilarity fails to ensue.

Gates sees no humor in 'Mac vs. PC' ads.

Vyatta VP undresses Richard Stallman.

Was the Nokia PR guy just doing his job? Jerking me around? Or both?