McAfee isn't "McAfee Secure" or "Hacker Safe"
In my most recent discussion on McAfee, I posted a talkback to Russ McRee stating, tongue in cheek mind you, that it'd be interesting to see an XSS or SQL Injection on McAfee's site, see if they are indeed "McAfee Secure". Well, I guess you get what you ask for...
Russ McRee on his Hollistic InfoSec Blog posted the following:
"A challenge was put forth on Zero Day, and it has been answered. Apparently, McAfee doesn't care about XSS on their own sites either. I'll let the video speak for itself.
For the love of all things good and proper, McAfee, please address this issue...for yourselves and the consumers who look to you to do the right thing.
Sincerely, Russ McRee"
Yess, that is what you think it is, it's video of an XSS exposure on one of McAfee's sites. I'm not sure what to think about this... clearly, from some of McAfee's previous comments, we can reasonably assume that they don't truly understand how big of an issue XSS is; further, I find it a bit disturbing that they aren't running McAfee Secure on their own sites if it is in fact a product that they are confident in selling off to customers. So I think we have one of two possibilities here:
1.) McAfee is not using their own security tool on their own sites... hmm, that really spells brand confidence, doesn't it? 2.) McAfee is using the tool, but the tool doesn't do an adequate job of reporting security issues.
Now, I'm not one to say that I'm free of XSS... I'm fairly positive that ZDNet has XSS issues, but that's not the point. The point is, I don't try to sell a tool that is the magic silver bullet for protecting web applications, nor do I certify any of those applications by saying they are "Hacker Safe" or "Nate McFeters Secure".
I think it is time that McAfee change its stance about XSS... it is a major issue and it deserves attention, certainly from a tool that certifies an application as being "Hacker Safe". I think it's also time they change their stance about their certification tool altogether... a simple scan will never be able to catch all the issues a web application faces.
-Nate