Not to beat a dead horse that's already been beaten to death time and time again, but...
Update 05/12/08: Russ McRee has actually just posted a story about "Why PCI DSS is Doomed".
Came across this page on McAfee's site about their "McAfee Secure", "McAfee Secure Search", and "McAfee PCI Compliance Service". My favorite quote from this promotional page is the following:
"With the integration of Hacker Safe and other ScanAlert products and the partnership with Yahoo!, McAfee positions itself as a leader in the Secure Internet arena."
This seems to really contradict what we've actually seen, which is tons of sites left open to cross-site scripting and the like while proudly displaying the Hacker Safe logo, as covered here.
I also find it interesting that they now call the tools "McAfee Secure"... I mean, even after the rebrand, it still stinks of a tool that knows only how to look for SQL injection and XSS, and, by the way, it doesn't even strip certification from a site that is vulnerable to cross-site scripting.
Going back to my previous article, which covered a great piece by Dan Goodin, there was a really interesting section where I gave my thoughts on some of the irresponsible comments made by McAfee spokespeople. Quoting Goodin's article:
A McAfee spokeswoman said the company rates XSS vulnerabilities less severe than SQL injections and other types of security bugs. “Currently, the presence of an XSS vulnerability does not cause a web site to fail HackerSafe certification,” she said. “When McAfee identifies XSS, it notifies its customers and educates them about XSS vulnerabilities.”
Seriously? XSS doesn’t cause a site to fail the HackerSafe certification? It damn well should… if it’s vulnerable to XSS it is definitely NOT hacker safe. The article continues:
These are only the latest Hacker Safe sites to be outed. In January, researchers from XSSed.com documented 62 websites subscribing to the service that were vulnerable to XSS vulnerabilities. A Hacker Safe spokesman told InformationWeek at the time the bugs couldn't be used to hack a server.
Really? Can't be used to hack a server? Ok, I'll buy that, but they can one hundred percent be used to compromise a victim's personal information, authorized account, operating system, and possibly even local area network. So, to date, I've seen nothing change in McAfee's stance on XSS as a serious issue. What's probably even scarier is that these tools are very much like the other web application scanning tools and web application firewalls in that they are only capable of preventing certain issues. I covered this in my comments on the PCI standard and how openly flawed it is in what it forces companies to protect, both here and here.
I thought you all might like to see a few more examples of these problems, though. I've been in touch with two sharp characters, Russ McRee (of holisticinfosec.blogspot.com) and Rafal Los (of preachsecurity.blogspot.com), who have covered the blunders of PCI and certification companies even more extensively than I have. The following blog postings are absolutely excellent, and you should bookmark these guys' sites:
From Russ:
http://holisticinfosec.blogspot.com/2008/04/still-not-hacker-safe-roll-video.html
http://holisticinfosec.blogspot.com/2008/01/open-letter-to-ken-leonard-ceo.html
http://holisticinfosec.blogspot.com/2008/01/xss-and-pci-not-compliant-or-hacker.html
http://holisticinfosec.blogspot.com/2008/01/hacker-safe-not-so-much.html
From Rafal (the HackerProof saga):
http://preachsecurity.blogspot.com/2008/05/mcafee-security-web.html
http://preachsecurity.blogspot.com/2008/03/this-time-its-hackerproof-oh-boy.html
http://preachsecurity.blogspot.com/2008/03/hacker-proof-update-1.html
http://preachsecurity.blogspot.com/2008/03/hacker-proof-update-2.html
XSSed.com has hit this pretty hard too:
http://xssed.com/news/67/Hacker_Safe_or_not_Read_on_watch_the_video_and_vote_now/
http://xssed.com/news/59/Open_letter_to_ScanAlerts_CEO_about_Hacker_Safe_label/
http://xssed.com/news/55/ScanAlerts_Hacker_Safe_badge_not_so_safe_and_PCI_compliant/
Don't buy the hype; a rebrand is just a rebrand. The only Shakespeare line I remember from high school says, "What's in a name? That which we call a rose by any other name would smell as sweet." Of course, in this case, it isn't a rose and it doesn't smell very good at all.
Wouldn't it be hilarious if tomorrow they decided to call PCI something like SSC (Super Secure Certification), or Web Application Firewalls (WAFs) something like SMBPTSAYP (Super Magic Blue Pill That Solves All Your Problems)?