
Analytics

10/30/2007 09:35 AM

Website Security Seals Get a Boost

McAfee's purchase of ScanAlert could bring more big players, and better technology, to Website security seal programs

Some security experts have dismissed Website seals such as Hacker Safe and ControlScan as more marketing ploy than security, and hackers have fueled the debate by exposing cross-site scripting vulnerabilities on sites proudly emblazoned with seals from Hacker Safe and other security seal providers. (See Hackers Reveal Vulnerable Websites and Are 'Sealed' Websites Any Safer?.)

But ScanAlert's Hacker Safe seal -- and security Good Housekeeping seals overall -- could gain more credibility now, with McAfee's announcement today that it intends to buy ScanAlert for $51 million. Even with its critics, ScanAlert's Hacker Safe seal has captured plenty of business -- the seal is stamped on 75,000 Websites, and the company has 8,000 customers, including Petco, Toshiba, and Warner Brothers -- with its security scanning service. (See McAfee to Acquire ScanAlert.)

Todd Gebhart, senior vice president and general manager of McAfee's consumer and mobile small business unit, says that the company plans to enhance and expand Hacker Safe's vulnerability scanning technology, using its own enterprise-class vulnerability scanning technology under its Foundstone unit, as well as making future enhancements to ScanAlert's service. "We will be augmenting what they do... We intend to keep their technology involved and improving and evolving," Gebhart says.

Still, critics say Hacker Safe is more of a least-common denominator checkbox. "Lots of security people feel that ScanAlert’s business model preys on the low-hanging fruit of the PCI fallout -- people trying to do the least possible to get by. While I think they are a good low-cost solution to getting into compliance, I don’t think ScanAlert is doing much in the way of actual security mitigation," says Robert Hansen, aka RSnake, and CEO of SecTheory LLC.

Andrew Jacquith, senior security analyst with The Yankee Group, says the problem is there's a limit to what these security seal programs can provide for the money. "Hacker Safe costs a few thousand dollars, and it's an automated scan. You are only going to get a least-common denominator assurance for something like that -- making sure that you are practicing 'good hygiene,' like making sure your servers are patched, that there aren't any really obvious Web server config issues, and the like," Jacquith says. "This is a lot better than nothing, but not as good as a real assessment by a professional security analyst."

Still, research has shown that Websites with these seals do get more business, so despite their technical shortcomings, these seals do provide consumers some reassurance of a site's security. ScanAlert claims that its customers realize an approximate 14 percent increase in transaction conversion rates. "The data is pretty conclusive that certified sites get more transactions than those that are not certified," McAfee's Gebhart says. "One thing we can bring to the acquisition is our name behind it, our technology to bear, and more folks will adopt this. It's in their best interest."

But these programs can't survive on consumer psychology alone, experts say. "I really think McAfee is going to have to put a significant investment into ScanAlert -- of similar quality to its Foundstone offerings -- to bring [Hacker Safe] up to a respectable ability to find vulnerabilities, otherwise [Hacker Safe] will continue to be a joke amongst the hardcore security community," SecTheory's Hansen says.

The McAfee name behind the Hacker Safe seal could open the floodgates to further consolidation and cooperation in other security seal programs, Yankee Group's Jacquith predicts. "I think we might see some more creative acquisitions and joint ventures in this space," he says. "Perhaps somebody like RSA or Symantec buys TrustE, or partners with the Better Business Bureau to run their [seal] program. You'd have to put Qualys on the list of potential partners or acquisition targets, too."


  • McAfee Inc. (NYSE: MFE)
  • ScanAlert Inc.
  • SecTheory LLC
  • Yankee Group Research Inc.

Kelly Jackson Higgins is the Executive Editor of Dark Reading. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise ...
