Recently we have been taking a closer look at how website security services are marketed and how they provide what seem like they should be warning signs as to the reality that the services don’t actually provide real security. We ran into another example involving Sucuri, which also involves an odd tag line.
Here was an ad form that showed up in search results while we were looking into for some information for another recent post on this blog:
The tagline there is “Real People, Real Security”. The first part of that is odd, do they believe other website security companies employ unreal people? The second part of that though is more problematic, since Sucuri doesn’t provide real security. That is something that is hinted at by what else is mentioned in the ad. If they could provide real security then websites using their services wouldn’t be getting malware on them that needs to be cleaned, much less repeatedly, and yet one of the things they are touting in that ad is that they provide “Unlimited Malware Cleanup”.
As we noted recently, Sucuri doesn’t present evidence, much less from evidence from independent testing, that their service is actually effective at protecting websites. So it would seem either they don’t know if they provide real security or they know they don’t provide real security, as we assume if they were actually measuring or testing to see if they provide real security they would tout the results if they were good.
There is plenty of reason to believe they don’t provide real security since as we also noted recently, it can be incredibly easy to bypass a critical piece of Sucuri’s offering, their website application firewall (WAF).
As we also noted recently, getting unlimited cleanups from Sucuri isn’t necessarily all that useful since we were recently brought in to deal with a website where Sucuri was repeatedly doing incomplete cleanups that didn’t resolve a hack.
It also worth noting that while Sucuri has real people (again, who wouldn’t?), what is important is if they competent and what we have seen doesn’t point in that direction. For example, just about a year ago SiteLock was telling one of their customers that their website was clean when it seems to us that someone that hasn’t basic competency in the field would have realized that wasn’t true and the employee(s) failed to spot malicious code that we easily found on the website.