Comments on Jeremiah Grossman: Acunetix, NetworkWorld, and $1000, oh my!
Feed updated: 2024-02-08T03:44:23.780-08:00

Comment by Jeremiah Grossman (https://www.blogger.com/profile/05017778127841311186), 2007-02-15T08:14:00.000-08:00:

Heya Andrew, we see about the same thing here, and I get the point Network World is trying to make, but sheesh. I just don't think the network sec guys understand how wide open the Web has become. It'll take hacks upon hacks I guess before they realize.

Comment by Andrew (Anonymous), 2007-02-14T20:37:00.000-08:00:

Jeremiah,

The 70% statistic would have to include sites which have been previously tested, or it would be higher. I've done around 150 serious large scale audits over the last few years, and I've only come across two large, serious financial apps that were secure.

They are the hardest to review, as an app with no issues is like an all you can eat challenge.

The rest ranged from laughable to pretty hard. Most are in the laughable to moderate section, often with one or more serious privacy issues.

There are plenty of places that want to get reviews done - and pay for them. I bet it wouldn't be hard to get a few small and medium sized firms to agree to have their security tested for free or at a reduced rate given certain ground rules in return for anonymity of results (i.e. the guys only reported like this:

"We 0wned:

4 - SME shopping cart sites
3 - Medium to large corporate sites
and in the time we had, we couldn't do the other three")

Given a heads up and for free, I'm sure there would be a few takers for that as long as the T&Cs of the VA could be agreed (such as indemnity and scope).

Personally, I can't imagine the insurance folks who back our industry going for it without some serious CYA T&Cs protecting them.

Andrew