The world of IT security is very complex, and few people understand it well. Security vendors take advantage of this and often try to sell their products and services with sales pitches that do not hold up to scrutiny. Here are some common examples related to web application security.

“Our Tool Is All You Need” – It Never Is

This sales pitch should immediately trigger a warning, not just in the case of web application security. If any vendor says that their solution is the only one that you need to achieve security, they are stretching the truth. No matter what area of IT security, there is never a single solution that guarantees full protection. You always need to have a combination of different tools and human skills.

“Our Solution Guarantees 100% Protection” – Impossible

There is no way to ensure 100% protection. If a threat actor is very intent on breaking into a particular system, there is a good chance that sooner or later they will find a way to succeed, and most probably the victim will never even know it. Security tools and humans can only work together to make it as close to 100% as possible.

“Our Product Finds Zero-days” – Every Web Vulnerability Scanner Does

If a dynamic application security testing (DAST) tool is advertised as unique because it finds zero-day vulnerabilities, it’s like advertising that it does its job. By design, web vulnerability scanners do not work based on signatures of known vulnerabilities but instead attempt to exploit vulnerabilities in a safe way by acting just like a malicious hacker would act. This means that the primary goal of such a tool is to find vulnerabilities that were never discovered before (i.e. zero-day vulnerabilities).

“We Guarantee No False Positives” – It Is Impossible to Guarantee

As mentioned before, there is no “100%” in IT security. You can strive to be the best and get close to it, but there is never any guarantee. By design, all DAST tools are susceptible to false positives. We could create a DAST tool that would report only verified vulnerabilities (with evidence using our proof of exploit technology), but such a tool would miss out on many vulnerabilities that simply cannot be proven automatically.

It is impossible to eliminate false positives because a tool can never fully replace a human being. Web applications have elements that can only be fully understood by a human, for example, business logic flows. That is why, while technologies such as proof of exploit and IAST can help reduce the number of false positives, that number will never reach zero.

Also, note that some non-specialized vendors claim very low false-positive numbers based on generic input data. While their claims are true, they are based on statistics from multiple classes of tools, such as network scanners, which are much simpler and much less prone to false positives than web vulnerability scanners. You may end up with a web vulnerability scanner that is not 99.99% but rather less than 95% accurate because the 99.99% was based on the accuracy of 50,000 very simple signature checks in a network security product.

“We Find Every Vulnerability” – No Scanner or Penetration Tester Can Guarantee That

Just as with false positives, there is no tool that can be completely free of false negatives. There is always a chance that some complex vulnerabilities will be missed, no matter how advanced the scanner claims to be. Therefore, any manufacturer that claims that their product can replace penetration testing is wrong.

Replacing penetration testers should never be the ultimate goal of a web vulnerability scanner. The goal is to optimize the penetration tester’s work by automatically and efficiently finding easy-to-find vulnerabilities, the ones that are simply a waste of time for a skilled professional. In the same way, a spell and grammar checker will never replace a writer; it simply makes the writer’s work easier and more enjoyable by eliminating boring, repetitive tasks.

Your Cut-Out-And-Keep Wild Claim Detector

When faced with an IT security sales pitch, run through the following checklist to filter out the marketing hyperbole:

  1. Are they trying to tell you that security is not complicated?
  2. Are they offering a silver bullet, all-in-one, one-size-fits-all solution to all your problems?
  3. Are they giving you lots of fashionable buzzwords and promises but very little information?
  4. Are they avoiding technical details to back up the sales pitch?
  5. Are they bad-mouthing competitors without providing proof?
  6. Are they offering a wide range of solutions instead of focusing on a specific area of expertise?
  7. Are they offering a low-cost solution with all the features of its upmarket competitors and no compromises?
  8. How long have they been in their industry?

Of course, most sales pitches can be verified in a very quick and simple manner: by actually seeing the software in action (for example, by getting a demo). However, you may want to go through this list even if you verify that the product looks good. This is because the truthfulness of the sales pitch often correlates with the quality of later service and support.

Tomasz Andrzej Nidecki
Technical Content Writer
Tomasz Andrzej Nidecki (also known as tonid) is a Technical Content Writer working for Acunetix. A journalist, translator, and technical writer with 25 years of IT experience, Tomasz has been the Managing Editor of the hakin9 IT Security magazine in its early years and used to run a major technical blog dedicated to email security.