I need to ensure and improve (if needed) my website's security. Do you know of any vulnerability scanning service?
Hello Stima,
We are using Security Guardian: www.security-guardian.com. They do online intrusion tests and you are able to watch the scan results in Security Guardian's control panel. In addition, if you have no critical vulnerabilities, they certify your site as a "secure site".
Hope that helps.
Guys,
please do not fight; you are both right about some things.
The idea here is to help STima.
Hyllho, reading this I thought you were defending SG, and HarryR, I thought you were a competitor of SG. Of course it is a crazy idea and it is not true, so please be quiet.
I analyzed many tools: WebInspect, AppScan, Acunetix, McAfee Secure (the old HackerSafe), SQLMe, XSSMe, BUT NOT YET Security Guardian.
I am a pen tester and normally I complete a manual scan with a prior automated scan.
I agree with you, HarryR, on false positives: even if all offline tools produce many FPs, online software should produce the minimum number of FPs. You are right, if you got a big number of FPs they should improve this!!!
WebInspect, AppScan, ... maybe generate a low number of FPs, but only if you configure the scan correctly (e.g. indicating custom error pages and so on). This is because automated tools need these actions in order to reduce the number of false positives.
XSSMe and SQLMe are just for XSS and SQLi and are not as good as the other tools.
McAfee Secure has a low number of FPs when they configure the scan, but I did not like the scan quality. I got few things. Guys, did you try it? What do you think about McAfee Secure? And what do you think about other solutions like Qualys and ControlScan that Hyllho reported? I did not try these solutions.
The best offline tool in my experience is AppScan!!! After that is WebInspect. And for you guys?
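The point above about telling the scanner what your custom error pages look like is worth making concrete, because it is the single configuration step that removes the "default location found" class of false positives. Below is an added example (written for this thread, not code from AppScan, WebInspect or any product mentioned here) that fingerprints a site's real "not found" response before judging probes. The site, its pages and the `fake_fetch` helper are constructed stand-ins; on a real target `fake_fetch` would be an HTTP client call.

```python
import difflib
import secrets

# Constructed stand-in for a site whose "not found" page is a custom template
# served with HTTP 200, the situation that makes an unconfigured scanner report
# every probed default location as present. Not a real site.
KNOWN_PAGES = {
    "/": "<html><body><h1>Welcome</h1><p>Shop, news and contact pages.</p></body></html>",
    "/admin/": ("<html><body><form action='/admin/login' method='post'>"
                "<input name='user'><input name='pass' type='password'>"
                "<button>Sign in</button></form></body></html>"),
}
NOT_FOUND_TEMPLATE = (
    "<html><head><title>Oops</title><link rel='stylesheet' href='/site.css'></head>"
    "<body><div class='nav'>Home | Shop | News | Contact</div>"
    "<h1>Sorry, we could not find {path}</h1>"
    "<p>Try the search box or go back to the home page.</p>"
    "<div class='footer'>Copyright Example Shop</div></body></html>"
)


def fake_fetch(path):
    """Return (status, body) for a path, the way an HTTP client would, without a network."""
    if path in KNOWN_PAGES:
        return 200, KNOWN_PAGES[path]
    # The custom error page: HTTP 200 with the requested path echoed into the body.
    return 200, NOT_FOUND_TEMPLATE.format(path=path)


def naive_exists(fetch, path):
    """What an unconfigured scanner does: trust the status code alone."""
    status, _ = fetch(path)
    return status == 200


class Soft404Detector:
    """Fingerprint the site's real 'not found' response before judging probe results."""

    def __init__(self, fetch, probes=2, threshold=0.85):
        self.fetch = fetch
        self.threshold = threshold
        # Request paths that cannot exist and keep their bodies as the baseline.
        self.baselines = [fetch("/" + secrets.token_hex(8) + "/")[1] for _ in range(probes)]

    def looks_like_not_found(self, body):
        # Similarity rather than equality, because the template echoes the requested path.
        return any(
            difflib.SequenceMatcher(None, body, base, autojunk=False).ratio() >= self.threshold
            for base in self.baselines
        )

    def exists(self, path):
        status, body = self.fetch(path)
        if status == 404:
            return False
        return not self.looks_like_not_found(body)


if __name__ == "__main__":
    detector = Soft404Detector(fake_fetch)
    for probe in ("/admin/", "/phpmyadmin/", "/backup.zip"):
        print(probe, "naive:", naive_exists(fake_fetch, probe),
              "fingerprinted:", detector.exists(probe))
```

With the baseline in place, `/phpmyadmin/` and `/backup.zip` are correctly reported as absent even though the server answers 200, while `/admin/` still counts as present because its body does not resemble the error template. The 0.85 threshold is an assumption chosen for this constructed template; a real engagement would tune it per site and refresh the baseline per directory, since many applications have more than one error page.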
Can you provide an example of a report that brought something to your attention?
The report I got from a sample scan contained a thousand entries for "Possible internal IP address disclosure", which doesn't at all correlate with what I see.
Then the entries for "Application error message", but it didn't elaborate at all (was it an HTTP 500 error? Something picked up in the text?). Nor does it correlate with what I see on the site.
“Possible server path disclosure (Unix)” because my URLs end with “.html” ?
"Email address found" - WHICH EMAIL? There are two public point-of-contact e-mail addresses, ones I expect people to send e-mails to for DMCA/copyright/service problems.
“Email addresses posted on Web sites may attract spam.”, holy crap… somebody should’ve told me this years ago. I never would have known.
“Possible internal IP address disclosure” - Which IP? With every other item listed on the report there’s absolutely no other information, extremely vague.
“Broken Links” - The only useful piece of information contained in this entire report.
And finally it lists the paths I’ve explicitly disallowed in “robots.txt”.
The expansion.com article is a press release, a brief overview of the company. Almost all of the references I can find on google are user posts which are worded extremely similarly to yours.
I can’t find in-depth technical reviews, let alone from reputable security companies or experienced pen-testers, absolutely none.
IBM is quite upfront about what Rational AppScan can and cannot do, there are in-depth technical reviews (such as the Information Week article), and they also provide reports in a manner suitable to supplement and/or augment a security tester's job - there is no half-assed "certification" that says the site is "secure".
From actually testing the Security-Guardian.com service I can see pretty easily that it’s just a re-branded version of Acunetix WVS.
Having used Acunetix WVS quite extensively I can tell you that security-guardian is poor in comparison; it's a blunt hammer for a delicate job, and at the end of the day I still consider security-guardian.com to be nothing but snake oil.
How about you compare the reports you’re getting to the style Acunetix provide?
What does security-guardian provide? A little graphic to put on customers' sites which is intended to "increase ROI". You're not paying for actual security nor for a tool that any pentester worth their salt would use... and for those prices I think it's a scam, a thin veil of technical jargon covering up the emptiness.
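The complaint in the report critique above is that every item ("Possible internal IP address disclosure", "Application error message", "Email address found", "Possible server path disclosure (Unix)") arrives without the matched text or its location, so nothing can be verified or dismissed. The following is an added example, written for this thread and not taken from Security Guardian, Acunetix or any other product, of what those same checks look like when they record their evidence. The URLs, headers and bodies are constructed samples, not captured traffic.

```python
import re
from dataclasses import dataclass

# Checks named after the report items in the thread. Each records the exact
# matched text and where it was found, so the reader can verify or dismiss it.
PRIVATE_IP = re.compile(
    r"\b(?:10\.\d{1,3}\.\d{1,3}\.\d{1,3}"
    r"|192\.168\.\d{1,3}\.\d{1,3}"
    r"|172\.(?:1[6-9]|2\d|3[01])\.\d{1,3}\.\d{1,3})\b"
)
# Only absolute filesystem paths under well-known roots; a URL ending in .html is not one.
UNIX_PATH = re.compile(r"(?<![\w/])/(?:etc|var|usr|home|opt|srv|tmp)/[\w./-]+")
EMAIL = re.compile(r"[\w.+-]+@[\w-]+(?:\.[\w-]+)+")
# PHP-style error text, the kind of thing "Application error message" should quote.
ERROR_TEXT = re.compile(r"\b(?:Warning|Fatal error|Parse error|Notice): .+? on line \d+")

CHECKS = [
    ("internal-ip", PRIVATE_IP),
    ("unix-path", UNIX_PATH),
    ("email", EMAIL),
    ("application-error", ERROR_TEXT),
]


@dataclass
class Finding:
    check: str
    url: str
    location: str   # "status", "header:<Name>" or "body"
    evidence: str   # the exact text that triggered the check


def scan_response(url, status, headers, body):
    """Run every check over one HTTP response and return findings with evidence."""
    findings = []
    # A 5xx is an application error in its own right; say so, with the code.
    if status >= 500:
        findings.append(Finding("application-error", url, "status", f"HTTP {status}"))
    sources = [(f"header:{name}", value) for name, value in headers.items()]
    sources.append(("body", body))
    for location, text in sources:
        for check, pattern in CHECKS:
            for match in pattern.finditer(text):
                findings.append(Finding(check, url, location, match.group(0)))
    return findings


# Constructed responses for the example, not captured from any real site.
SAMPLE_RESPONSES = [
    ("https://shop.example/about.html", 200, {"Server": "nginx"},
     "<p>See our <a href='/contact.html'>contact page</a> or write to abuse@shop.example.</p>"),
    ("https://shop.example/api/health", 200, {"X-Backend-Server": "10.0.3.7"}, "ok"),
    ("https://shop.example/search?q=%27", 500, {},
     "Warning: mysqli_query(): MySQL server has gone away in /var/www/app/lib/db.php on line 12"),
]


def scan_all(responses=SAMPLE_RESPONSES):
    """Scan a list of (url, status, headers, body) tuples and flatten the findings."""
    return [finding for response in responses for finding in scan_response(*response)]


if __name__ == "__main__":
    for f in scan_all():
        print(f"{f.check:18} {f.url:36} {f.location:24} {f.evidence}")
```

Run against the samples, the `.html` page yields exactly one finding (the e-mail address, quoted), the health endpoint yields the private IP together with the header it sits in, and the failing search yields the 500 status, the quoted PHP warning and the filesystem path it leaks. Whether the e-mail is a problem is then the site owner's call, which is the decision a report without evidence takes away.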
Dear Buddy,
even though we have never had problems with Security Guardian,
I got scared by your message and so I started to do some research. I report here the conclusions and facts:
1) We tested it for a long time and I can assure you that it is not a scam and neither is it useless.
2) I visited their web page again and they have more than one business case; the most important is dlink.cl.
3) Searching further, I saw that they were also in a very important Spanish newspaper (Expansión) and other journals.
http://www.expansion.com/2010/04/14/catalunya/1271274457.html
4) As we tried it, I can tell you how it works: you have a 30-day trial and afterwards you decide whether you want to buy or not. Prices are publicly available on their web site.
5) About the number of vulnerabilities tested, all similar software and solutions scan for more than 20-30K vulns, it is true. See Watchfire and similar products.
I have shared my experience and opinions, based on real facts and publicly available research results.
I tried McAfee Secure; I agree with you.
For offline scanning I can confirm that the best is AppScan.
Hello,
It is not my company nor a friend's, but I have to be fair.
I was searching and it seems that many companies similar to security-guardian exist: McAfee Secure, ControlScan, Qualys and more... all work in a similar way. And I compared prices and they are more or less similar. I do not think that they are a scam as you consider them to be.
About scan results, in the first scan my friend also had some false positives, but he contacted them and they resolved it. He told me that it is possible to mark an alert as a false positive in the user control panel, and that after they review this they fix your scan.
We had no false positives, so I cannot judge it on this.
I tried many products, Watchfire and Acunetix, and they also have a lot of false positives that can be configured.
The report is simple but useful; maybe it could be graphically improved... as a user I would appreciate that, even if it is not essential for me.
The article in Expansión is not a press release; buy the 14 or 15 April 2010 print edition (same day as the web article). It is a full news article that appears across two pages. On the web they put the short version.
Of course a manual penetration test is different, and a 100% secure site does not exist. A tool is good for crawling the entire site and manual testing is good for smart hacking.
I used Acunetix too, but they are different.
I just tried “www.security-guardian.com”, the service is absolutely and entirely useless, I’d even consider it a scam if you paid any money.
The reporting frontend is slow, the reports are vague (3000+ non-critical vulnerabilities you say?) and the whole thing is beyond amateurish.
Have they found any confirmable vulnerabilities? And what kind of auditing do they perform?
I’d be extremely dubious of anybody who can certify a “secure site” from an automated test like that, unless it’s pointing out the glaringly obvious “old version of phpMyAdmin in default location” kinda thing.
Not that I feel I can talk about it.
Try to keep all software up to date and apply new patches quickly; also keep your coding clean and secure.
For individual computers take a look at http://secunia.com/vulnerability_scanning/personal/