Google Online Security Blog: Meet skipfish, our automated web security scanner: “Today, we are happy to announce the availability of skipfish – our free, open source, fully automated, active web application security reconnaissance tool. We think this project is interesting for a few reasons:
High speed: written in pure C, with highly optimized HTTP handling and a minimal CPU footprint, the tool easily achieves 2000 requests per second with responsive targets.
Ease of use: the tool features heuristics to support a variety of quirky web frameworks and mixed-technology sites, with automatic learning capabilities, on-the-fly wordlist creation, and form autocompletion.
Cutting-edge security logic: we incorporated high quality, low false positive, differential security checks capable of spotting a range of subtle flaws, including blind injection vectors.”
Let's assume that Skipfish is a reasonable product and delivers as promised. The issue here is that Google feels that web security overall is so profoundly bad that developing and releasing a tool to improve it is necessary and worth the investment. In short, IT Security is failing to keep the web secure, and Google is moving into the security space to help keep the Internet alive.
The Etherealmind View
My general opinion of the entire IT Security software industry is pretty low. They offer little value, consistently failing to engage with the business process and consequently being underfunded and underappreciated. Any deliverable from security consultants is so complicated, dreary and shrouded in technobabble that no one listens to or appreciates what they do. Even if you find a worthwhile practitioner, they are unlikely to make an impact, having already been framed by their colleagues. The worst offender here is Microsoft, who make a product so insecure and so profoundly dysfunctional that an entire ecosystem of add-ons exists to try to make their Windows product secure. If the product is so poor and requires , why do we continue to use it? …. long-suffering sigh…..
Here's hoping that this shakes up the security software vendors. I doubt it, though it should put a few of them out of business, and that might create some opportunity for change.