Hacker safe? No it isn't.

There are a number of reasons why I have never recommended making use of services such as ScanAlert for certifying any of my own organisation's hundreds of websites, but they all really boil down to one thing: I think they are a complete waste of money, and recent news only serves to back up my opinion.

The ScanAlert website brags

When you display the HACKER SAFE certification mark, you not only increase sales by increasing shopper confidence, you build your brand with the security seal seen on more top sites than any other.

You can't really deny any of the claims made in that statement. Yes, you might increase confidence, and yes, you are displaying a security seal seen on many other websites, but that is not to say the site is secure, because as you, I, and every hacker worth his salt know, there is no automated scanning service in existence that can beat even a half-decent hacker.

I've spoken at length on this blog, and in various journals, magazines and conferences, on the same subject, but there remains something about automated scanning that makes organisations believe that they are covered. It's really the same as taking out life insurance cover while failing to tell the insurer about a history of heart disease. The policy is never going to pay out; it's false hope.

The Hacker-Safe mark is a futile effort to secure websites. I'll stand by my opinion. Lastly, even if I could get assurance that my website was secure, I'd never be so bold as to display a big rubber stamp that says so. Talk about a red rag to a bull.


I used to work for a company that was using a pen-testing approved company, but they charged a pretty penny for their professional pen-testing work. Their strategy was that they used qualified, certified security professionals and skilled, IT-experienced staff to use well-known tools on hosts exposed to the internet. They did a great job of informing immediately, giving instant remedies and first-class advice on all aspects of the exposed systems. This, to me as the security officer for the company, was an excellent way to have a person to build rapport with and a team of highly skilled individuals to build confidence in, plus they were in the same time zone. There was no need for any labels of approval to say the sites were hack proof, as that is always known as impossible. Just a sign-off sent to myself that the systems were currently up to date end to end, and no known security holes were currently seen. The service I considered first class. Then, in the IT director's infinite wisdom, he decided to change from a personal, fully functional, trusted, highly recognised security company to ScanAlert, purely because of two things: 1. the HackerSafe banner guarantee, 2. the cost per site scan. To cut this story short, I left the company and heard later from staff members that one of the websites approved by ScanAlert was hacked. So the red rag to a bull kind of stung the IT director and company... So, as the moral goes, buyer beware, as not all that shines is golden ;-)
Great feedback. There are some very good pen-testing companies out there. I'll name two: NGS and IRM, who I know from experience employ committed professionals who take pride in their work. As soon as you move to a "cost per scan" model, you're heading for choppy waters.