Three weeks ago it was disclosed that McAfee’s website contained numerous security vulnerabilities. What makes this disclosure significant is that at the time the website was found vulnerable, the McAfee Secure service, which scans websites for security issues, was certifying that the website was secure, and McAfee’s website contained a trustmark from McAfee Secure letting visitors know this. This claim was obviously not true at the time. This situation underscores the fact that the McAfee Secure service and other companies’ security scanning services, as well as the trustmarks they provide to websites, cannot be trusted to identify whether a website is secure. This is because all a scanner can actually determine is that the website does not contain the specific security issues that the maker of the scanner knows about and is testing for. If, as in the case of McAfee’s website, they do not know about the specific security issue, they will never detect it and the trustmark will still claim the website is secure.
In the case of McAfee, they don’t even seem to be very focused on the security that their scanner is supposed to provide. On the web page for McAfee Secure, the emphasis is placed not on any increased security the product provides but on claims that having their trustmark on the website will increase sales for the website.
While these scanners’ limitation in only being able to detect known security issues is a big issue, there is also a much bigger problem with them: they scan the website from the outside. This is often touted as a feature, but it is a major weakness of the services. What it means is that anything that is not accessible from the outside cannot be scanned, so even if a scanner could detect all possible security issues that are detectable from the outside, the website could still be insecure. Here are a couple of real-world examples we have dealt with where these scanners failed in this way:
We were contacted about a website in which files on the website were having spam links added to them repeatedly. The client had run two of these scanners and they hadn’t found the security issue allowing this to happen. After discussing the situation with them, we were able to assist them in finding a backdoor script which was allowing this to occur. A backdoor script allows a hacker remote access to the website. In their simplest form they execute code sent to them. More advanced ones provide a variety of tools and the ability to view the website’s files. It is almost impossible for one of these scanners to detect a backdoor script. The backdoor script can be given a random name and placed anywhere in a website, so the scanner would need to scan a nearly unlimited number of URLs to be able to request the backdoor script. Depending on the backdoor script, the scanner might also need to request it in a certain way for it to be possible to detect that what is at that location is a backdoor. Needless to say, these scanners do not attempt this.
In a more serious situation, we had a client where credit card information entered on their website was being transmitted to someone who was using it to attempt to make fraudulent purchases. They had run the website through one of these scanners without it finding any issues. What we found was that a hacker had placed some code into the file that handled credit card input, which transmitted the information to another website. The web page where you input the credit card information was exactly the same as it would be without the code, so it is impossible for a scanner to detect this type of thing.
For webmasters who utilize widely used software like WordPress, Joomla, Drupal, etc., the software will have already been run through these security scanners, so as long as you keep the software updated the scanners are of little use. If you use custom-written software, you’re much better off having someone who is familiar with handling security in the programming language the website is written in review your website. They might use one of these security scanners as part of their process in addition to other methods. They would also be able to correct the insecure code, which is something that is going to need to be done if the scanner identifies anything anyway.