{"id":2892,"date":"2016-09-26T13:07:40","date_gmt":"2016-09-26T19:07:40","guid":{"rendered":"http:\/\/www.whitefirdesign.com\/blog\/?p=2892"},"modified":"2016-09-26T13:07:40","modified_gmt":"2016-09-26T19:07:40","slug":"where-are-the-vulnerabilities-that-sitelocks-vulnerability-scanning-should-have-found","status":"publish","type":"post","link":"https:\/\/www.whitefirdesign.com\/blog\/2016\/09\/26\/where-are-the-vulnerabilities-that-sitelocks-vulnerability-scanning-should-have-found\/","title":{"rendered":"Where Are The Vulnerabilities That SiteLock’s Vulnerability Scanning Should Have Found?"},"content":{"rendered":"

In looking over things for a possible future post about the web security company SiteLock we have noticed that one of the features\u00a0prominently promoted by its hosting “partners”<\/a>\u00a0when selling\u00a0SiteLock’s\u00a0services is vulnerability scanning. For example, at HostGator, one of their hosting “partners” that is also run by the owners of SiteLock<\/a>, vulnerabilities scans of varying frequency are included in each package:<\/p>\n

\"hostgator-sitelock-packages\"<\/a><\/p>\n

It also promoted on their\u00a0page for the services<\/a>\u00a0as helping to prevent hacks:<\/p>\n

\"Make<\/a><\/p>\n

What is missing on the “partners'” websites or SiteLock’s\u00a0as far as we can tell is any evidence on the claimed effectiveness of their vulnerability scanning.\u00a0Vulnerability scanning of the type that it appears\u00a0SiteLock does, doesn’t have a reputation for being of much value. In a study<\/a>\u00a0(PDF) from 2014 that looked at vulnerability scanners tied to security seals (SiteLock has one of those and its accuracy has been poor<\/a> from what we have seen<\/a>), it was found that two of the 8 vulnerability scanners tested detected none of the vulnerabilities that existed on a website set up with a number of vulnerabilities, which\u00a0was due to those scanners using third party software that “are not meant to discover vulnerabilities in web applications”.\u00a0Five of the six remaining scanners only discovered a third or less of the vulnerabilities that existed.<\/p>\n

If their vulnerability scanner was in fact detecting vulnerabilities we would expect to have seen evidence of it elsewhere.\u00a0SiteLock claims<\/a> that as of 2015 they were “serving over 1 million WordPress customers”. If there vulnerability scanning was actual effective we would expect that would have found quite a few vulnerabilities in plugins based on the number of vulnerabilities we\u00a0see being discovered in WordPress plugins while collecting data for our\u00a0Plugin Vulnerabilities<\/a> service. But we are only aware of two<\/a> vulnerabilities<\/a> that they have discovered in recent times and both of those don’t appear to have been discovered during the running of their vulnerabilities scanner. By comparison over at the blog for our\u00a0Plugin Vulnerabilities service we have over 90 posts for vulnerabilities we have discovered this year<\/a>\u00a0(some of the post include multiple vulnerabilities, so the total number of vulnerabilities is even higher).\u00a0If their vulnerabilities scanner was discovering other vulnerabilities in plugins on website, even if SiteLock\u00a0were not aware of it, we would expect to see some mentions of that in changelogs of the impacted plugins or discussions of the vulnerabilities and yet what we haven’t seen any reference to their scanning having identified any\u00a0vulnerabilities and the vast majority of vulnerability disclosures and fixes we have reviewed can be traced back to a source that\u00a0wasn’t their scanner.<\/p>\n

Whether you are looking at SiteLock or another provider of\u00a0security services and products you should look for evidence from the provider that products can perform as claimed, as we\u00a0often see claims made that seem rather unbelievable and from some of the claims we have taken a look into\u00a0they\u00a0often turn out to be at least widely inaccurate.<\/p>\n","protected":false},"excerpt":{"rendered":"

In looking over things for a possible future post about the web security company SiteLock we have noticed that one of the features\u00a0prominently promoted by its hosting “partners”\u00a0when selling\u00a0SiteLock’s\u00a0services is vulnerability scanning. For example, at HostGator, one of their hosting “partners” that is also run by the owners of SiteLock, vulnerabilities scans of varying frequency … Continue reading “Where Are The Vulnerabilities That SiteLock’s Vulnerability Scanning Should Have Found?”<\/span><\/a><\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[25],"tags":[39],"class_list":["post-2892","post","type-post","status-publish","format-standard","hentry","category-bad-security","tag-sitelock"],"_links":{"self":[{"href":"https:\/\/www.whitefirdesign.com\/blog\/wp-json\/wp\/v2\/posts\/2892","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.whitefirdesign.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.whitefirdesign.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.whitefirdesign.com\/blog\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/www.whitefirdesign.com\/blog\/wp-json\/wp\/v2\/comments?post=2892"}],"version-history":[{"count":6,"href":"https:\/\/www.whitefirdesign.com\/blog\/wp-json\/wp\/v2\/posts\/2892\/revisions"}],"predecessor-version":[{"id":2908,"href":"https:\/\/www.whitefirdesign.com\/blog\/wp-json\/wp\/v2\/posts\/2892\/revisions\/2908"}],"wp:attachment":[{"href":"https:\/\/www.whitefirdesign.com\/blog\/wp-json\/wp\/v2\/media?parent=2892"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.whitefirdesign.com\/blog\/wp-json\/wp\/v2\/categories?post=2892"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.whitefirdesign.com\/blog\/wp-json\/wp\/v2\/tags?post=2892"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}