13 comments

[ 1.8 ms ] story [ 41.0 ms ] thread
That was terribly devoid of data and the only link in the article links back to their paid app. The choice in colors of the pie chart was just terrible.

Also, what do databases have to do with anything? Obviously MySQL would be heavily used since it's commonly used with PHP and other web frameworks.

Also, how is their scanner false positive free?

Here is the raw data,

https://docs.google.com/a/mavitunasecurity.com/spreadsheet/c...

We'll update the blog with link to this as well.

> Also, how is their scanner false positive free?

Because it exploits the identified vulnerabilities and if a vulnerability is exploited it can't be a false positive. That's how a human confirms a vulnerability as well. If you like, there is more information on the website:

http://www.mavitunasecurity.com/blog/false-positives-the-dir...

http://www.mavitunasecurity.com/blog/false-positive-free-sca...

P.S. in case that it's not obvious I'm the founder and OP.

I don't understand how SQL injection still exists as a problem. Isn't it pretty much completely solved by using an ORM or prepared statements? Is it just laziness that allows it to fester on, or is there something I'm missing?
It's a combination of laziness, ignorance and a reluctance to migrate/fix legacy code.
Prepared statements won't handle variable table names. Thus if your application builds a table name from user-influenced input, you need to do an extra step of sanitization that prepared statements won't do.
Shame this isn't an unbiased/independent report.
Your tinfoil hat should start buzzing when you see the word 'infographic.' Instead of data to backup the analysis, you should expect back links to a product or website (possibly far from the topic).

It is a well known art that infographics are highly popular on voting sites and a cheap way to build quality back links.

Sorry about the lack of data, here it's:

https://docs.google.com/a/mavitunasecurity.com/spreadsheet/c...

Sure we added infographic to get more traffic and marketing purposes, not because it's fun to create infographics.

FYI, it's not really easy to install and scan 235 OSS applications then get in touch with vendors to reports those issues in details, so it's not really just cheap marketing trick. AFAIK no one has produced this kind big statistical report on security of OSS applications before, there are reports from Whitehat - https://www.whitehatsec.com/resource/stats.html but mostly on commercial applications.

Now you've transitioned me from skeptic to potential client.

Yet, my reasons are for evil purposes. Could I not feed countless lists of websites to the Professional version? I believe I see support for proxy(ies). In turn, could I not sell these lists of vulnerable sites to some market?

Understand, my position comes as a product of prior environments. This is basically a script kiddie's paradise. Could I use Google tricks to find lists of sites that use all of the softwares mentioned in your spreadsheet, set out a list of 500 proxies to do my bidding, and reap the black-hat rewards?

I could be a good guy, find the vulnerable sites, and use the list to WHOIS every domain and email the owners with Perl/Python.

If you give me a product that can brute force my bitcoin wallet password, but for an extra $1000, I can brute force unlimited bitcoin wallets, you attract a certain breed.

There are people who can write this stuff from scratch. Some of those people have "evil purposes". Do you propose making all the information secret? It still won't change things. Check out Metasploit, that improves the overall state of security because the good guys can do more in less time. This may be a similar tool.
Sorry about the lack of disclosing the raw data, here is the document that infographic produced from:

https://docs.google.com/a/mavitunasecurity.com/spreadsheet/c...

You can see the list of all scanned applications with versions and brief information about the results, including the advisory link (if published).

From advisory you can see technical details of the vulnerabilities, i.e. http://www.mavitunasecurity.com/xss-and-blind-sql-injection-...

List of all advisories from us (all found by Netsparker)

http://www.mavitunasecurity.com/netsparker-advisories/

Not really on topic, but in that article, why would the paragraph "title" texts made up of images? (that appear to be in-page data).