Saturday, 24 March 2012

Trusting vulnerability detection tools


As we all know, keeping web sites safe from SQL injection attacks (SQLIA) is critical, but detecting vulnerabilities on large websites can be difficult. Luckily there is a selection of both premium and free automated tools to help detect such vulnerabilities. However, developers have to be careful not to let these tools lull them into a false sense of security, especially when you discover that most commercial tools include a clause in their EULA which prevents users from publishing test results or comparisons against other tools.

Let us assume that a burglar builds a robot that identifies houses which are easy targets. The robot sets off around the neighbourhood and comes across the first house, tries to open the door, but it is locked. It then follows its next instruction, which is to check under the doormat, but there is no key. The house is therefore marked as not vulnerable. However, the key was actually sitting on top of the doormat... The robot only tests what it was programmed to test, and anything outside its checklist becomes a false negative.

Drawbacks of automated vulnerability tools (7Safe, 2010)
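The doormat analogy, as an added example that is not part of the original post: a hypothetical vulnerable lookup (constructed here in Python with sqlite3) scanned two ways. The error-based scanner only "checks under the doormat" for a database error string; when the application suppresses errors, it reports the injectable endpoint as not vulnerable, while a boolean-based check that compares responses to a true and a false condition still finds it, and correctly reports the parameterised version as clean. All function names, the table and the sample rows are assumptions made for this example.

```python
import sqlite3

# Constructed sample database: two users, nothing more.
def setup_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER, name TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", [(1, "alice"), (2, "bob")])
    return conn


def vulnerable_lookup(conn, user_id, suppress_errors=True):
    """Hypothetical endpoint that concatenates user input into SQL (injectable).

    suppress_errors=True mimics a production app that hides database errors
    behind a generic message; False mimics a debug build that echoes them.
    """
    sql = "SELECT name FROM users WHERE id = " + user_id
    try:
        rows = conn.execute(sql).fetchall()
        return "\n".join(r[0] for r in rows)
    except sqlite3.Error as exc:
        if suppress_errors:
            return "Not found"
        return "Database error: " + str(exc)


def safe_lookup(conn, user_id):
    """Same endpoint written with a bound parameter: not injectable."""
    rows = conn.execute("SELECT name FROM users WHERE id = ?", (user_id,)).fetchall()
    return "\n".join(r[0] for r in rows)


# Signatures a naive scanner greps for; the "check under the doormat" list.
ERROR_SIGNATURES = ("syntax error", "unrecognized token", "Database error")


def error_based_scan(endpoint):
    """Inject a stray quote and look for an error message in the response."""
    response = endpoint("1'")
    return any(sig in response for sig in ERROR_SIGNATURES)


def boolean_based_scan(endpoint):
    """Compare a baseline request with an always-true and an always-false
    condition appended. If the true case matches the baseline and the false
    case differs, the condition was evaluated by the database."""
    baseline = endpoint("1")
    true_resp = endpoint("1 AND 1=1")
    false_resp = endpoint("1 AND 1=2")
    return true_resp == baseline and false_resp != baseline


def run_scans(endpoint):
    return {
        "error_based": error_based_scan(endpoint),
        "boolean_based": boolean_based_scan(endpoint),
    }


if __name__ == "__main__":
    conn = setup_db()
    targets = {
        "vulnerable, errors shown": lambda v: vulnerable_lookup(conn, v, False),
        "vulnerable, errors hidden": lambda v: vulnerable_lookup(conn, v, True),
        "parameterised": lambda v: safe_lookup(conn, v),
    }
    for label, endpoint in targets.items():
        print(label, run_scans(endpoint))
```

Run as-is and the "errors hidden" target is the house with the key on top of the mat: the error-based scan says clean, the boolean-based scan says injectable. Neither check fires against the parameterised lookup, so the difference is a real false negative rather than a noisy scanner.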

If you do decide to use a free automated detection tool then you will need to do your homework, or have a look at someone else's! Luckily for you, the security researcher and consultant Shay Chen has done the hard work, putting over 50 automated tools through their paces and publishing the results in handy tables. He has also just launched his new website, SecToolMarket, giving easy access to those results.

Now go make Mr. Holmes proud and get detecting!