Most PCI Companies Are Insecure
The McAfee XSS got slashdotted. I think that all this attention is a good thing, putting a spotlight on XSS issues, but I have to say, I'm surprised by it. It's not like XSS attacks are news anymore, and it's not as if this is the first McAfee XSS to be published. Last night, I found an XSS hole in the verification script for their SiteAdvisor service (for extra irony).
But really, focusing on these XSS holes is missing the point. I never thought I'd say this, but in my experience, McAfee is one of the better ASVs out there. This isn't a compliment to them, it's an insult to the entire industry. Here are a few examples of other ASVs.
Until last week, atsec.com was vulnerable to XSS.
Until last week, secureconnect.com was vulnerable to XSS.
Until last week, ncircle.com was still vulnerable to XSS.
sungard.com is still vulnerable to XSS.
controlcase.com is still vulnerable to XSS.
support.foundstone.com (McAfee's premium brand) is still vulnerable to Cross-site Framing.
Up until a few weeks ago, there were also open redirects on the websites of Qualys, SecurityMetrics, and others. Is it any wonder I'm not at all shocked at a few XSS holes in McAfee's web site?
Some of these companies should be commended for handling the vulnerabilities correctly- nCircle, SecureConnect, Qualys, and even McAfee responded admirably- sometimes the issue was fixed within minutes of my vulnerability report. Others- Foundstone, ControlCase, and Sungard, belong in the doghouse- none of them even responded.
However, the glaring fact is that the entire PCI scanning industry is, frankly, bad at scanning for vulnerabilities. Most of these websites use their own scanning service on their own websites. While I still hold that in-depth audits for these sites should have taken place long ago, the scanners should have caught the problems as well. Some of these domains contain the portals for customers to manage their PCI compliance scans.
People, let's take the focus off of McAfee, and put it where it belongs. The PCI scanning industry as a whole is a joke, and across the board, these Web Security companies are themselves bad at security.
But really, focusing on these XSS holes is missing the point. I never thought I'd say this, but in my experience, McAfee is one of the better ASVs out there. This isn't a compliment to them, it's an insult to the entire industry. Here are a few examples of other ASVs.
Until last week, atsec.com was vulnerable to XSS.
Until last week, secureconnect.com was vulnerable to XSS.
Until last week, ncircle.com was still vulnerable to XSS.
sungard.com is still vulnerable to XSS.
controlcase.com is still vulnerable to XSS.
support.foundstone.com (McAfee's premium brand) is still vulnerable to Cross-site Framing.
Up until a few weeks ago, there were also open redirects on the websites of Qualys, SecurityMetrics, and others. Is it any wonder I'm not at all shocked at a few XSS holes in McAfee's web site?
Some of these companies should be commended for handling the vulnerabilities correctly- nCircle, SecureConnect, Qualys, and even McAfee responded admirably- sometimes the issue was fixed within minutes of my vulnerability report. Others- Foundstone, ControlCase, and Sungard, belong in the doghouse- none of them even responded.
However, the glaring fact is that the entire PCI scanning industry is, frankly, bad at scanning for vulnerabilities. Most of these websites use their own scanning service on their own websites. While I still hold that in-depth audits for these sites should have taken place long ago, the scanners should have caught the problems as well. Some of these domains contain the portals for customers to manage their PCI compliance scans.
People, let's take the focus off of McAfee, and put it where it belongs. The PCI scanning industry as a whole is a joke, and across the board, these Web Security companies are themselves bad at security.
Edit 5-6-2009: nCircle was one of the fast-responders.
I mistakenly listed them as one of the "doghouse" ASVs.
Labels: 0-Day, Exploits, Full Disclosure, McAfee, mcktfail, PCI-DSS, Snake Oil, Web Applications, XSS
posted by mckt at
6:45 AM
5 Comments:
atsec is still vuln :-(
http://www.atsec.com/01/index.php?intAktuellesBild=%22%27%3E%3Cscript%3Eeval%28String.fromCharCode%2897%2C108%2C101%2C114%2C116%2C40%2C34%2C88%2C83%2C83%2C32%2C102%2C111%2C117%2C110%2C100%2C32%2C98%2C121%2C32%2C84%2C104%2C101%2C84%2C101%2C115%2C116%2C77%2C97%2C110%2C97%2C103%2C101%2C114%2C46%2C99%2C111%2C109%2C32%2C45%2C32%2C83%2C116%2C105%2C108%2C108%2C32%2C69%2C120%2C105%2C115%2C116%2C115%2C34%2C41%2C59%29%29%3C%2Fscript%3E%3C%21--&id=03-0101-01
I'm sure the others are as well but I was in a rush so only checked the top link in your post.
By
Martin H, At
November 30, 2009 2:06 PM
"McAfee is one of the better ASVs out there. This isn't a compliment to them, it's an insult to the entire industry."
I might be biased, but I agree 100%
By
James, At
November 30, 2009 2:06 PM
it's not fair and it's really not OK ....
dont trust the automation process use only manual scan !!!!
By
Anonymous, At
December 7, 2009 2:20 AM
Post a Comment
<< Home