by megaman22 3137 days ago
If it's an automated scan, I'd be skeptical. Currently dealing with some overzealous security folks who put adherence to their scan tool over common sense, and insist that we lock down Oracle PL/SQL vulnerabilities in an application that doesn't use any flavor of SQL...

I absolutely hate these kinds of "security" scans.

I once worked with a company that started using one of these. They said our "vulnerability scores" were significantly too high.

I looked at the report, turns out they were just looking at HTTP headers and throwing up every CVE that matched any version numbers they found. (One of the "worst offenders" on the system was a CVE about a vulnerability in PHP when using "magic quotes", a part of PHP that hadn't been used in many years, and our application never used.)

We were officially instructed that the fix would be to hide the PHP and apache version numbers from the headers.

If I were the one running that scan, and someone "fixed" the problem by just hiding the version numbers, I'd be calling for that person to be fired for trying to hide the problem. But here they were instructing us to do just that. And once we did, the system was marked "secure"...
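The mechanism described in that comment, as an added illustration that is not part of the thread: a scanner that keys findings off the `Server` and `X-Powered-By` headers flags every advisory whose version range matches the banner, regardless of whether the vulnerable feature is in use, and stripping the banners makes the findings disappear without changing the software. The advisory list, its placeholder IDs, the header values and the `requires_setting` field are all constructed for this example; none are real CVE numbers.

```python
"""Added example (not from the thread): header-only version matching versus a
configuration-aware check, and why hiding banners clears a scan without fixing anything."""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple

Version = Tuple[int, int, int]


@dataclass
class Advisory:
    ident: str                       # constructed placeholder, not a real CVE id
    component: str                   # "Apache" or "PHP"
    fixed_in: Version                # versions strictly below this are in range
    requires_setting: Optional[str] = None  # config switch that must be on for exposure


# Constructed advisory list for illustration only.
ADVISORIES = [
    Advisory("ADV-PHP-MAGIC-QUOTES (constructed)", "PHP", (5, 4, 0),
             requires_setting="magic_quotes_gpc"),
    Advisory("ADV-PHP-GENERIC (constructed)", "PHP", (5, 3, 5)),
    Advisory("ADV-APACHE-GENERIC (constructed)", "Apache", (2, 2, 20)),
]

# Constructed response headers from a hypothetical host.
SAMPLE_HEADERS = {
    "Server": "Apache/2.2.16 (Debian)",
    "X-Powered-By": "PHP/5.3.3",
}

BANNER_RE = re.compile(r"(Apache|PHP)/(\d+)\.(\d+)\.(\d+)")


def components_from_headers(headers: Dict[str, str]) -> Dict[str, Version]:
    """Extract component -> version from banner-style header values."""
    found: Dict[str, Version] = {}
    for value in headers.values():
        for m in BANNER_RE.finditer(value):
            found[m.group(1)] = (int(m.group(2)), int(m.group(3)), int(m.group(4)))
    return found


def naive_findings(headers: Dict[str, str]) -> List[str]:
    """What a banner-only scanner reports: every advisory whose version range matches."""
    comps = components_from_headers(headers)
    return [a.ident for a in ADVISORIES
            if a.component in comps and comps[a.component] < a.fixed_in]


def config_aware_findings(headers: Dict[str, str], enabled_settings: Set[str]) -> List[str]:
    """Same match, but drop advisories whose exposing setting is known to be off."""
    comps = components_from_headers(headers)
    return [a.ident for a in ADVISORIES
            if a.component in comps
            and comps[a.component] < a.fixed_in
            and (a.requires_setting is None or a.requires_setting in enabled_settings)]


def hide_versions(headers: Dict[str, str]) -> Dict[str, str]:
    """The 'fix' from the thread: strip version strings from the banners. The
    software behind them is unchanged, so real exposure is unchanged too."""
    hidden = dict(headers)
    hidden["Server"] = hidden["Server"].split("/")[0]
    hidden.pop("X-Powered-By", None)
    return hidden


if __name__ == "__main__":
    print("naive:", naive_findings(SAMPLE_HEADERS))
    print("config-aware (magic quotes off):", config_aware_findings(SAMPLE_HEADERS, set()))
    print("after hiding banners:", naive_findings(hide_versions(SAMPLE_HEADERS)))
```

Run as-is, the banner-only pass reports all three constructed advisories; the configuration-aware pass drops the magic-quotes one because the setting is off; and the hidden-banner pass reports nothing at all, even though the two remaining version-based findings were never addressed. The useful takeaway for triage is that a header-based finding is a prompt to check the installed package version and the relevant configuration, not a result in itself.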

As annoying as that sort of ignorance is, I would say it's marginally better than the opposite attitude that security scanners are bullshit and therefore unnecessary. The fact is, scanners turn up real issues that slip through whatever manual patching process you have set up.

My feeling is similar to when I started unit testing aggressively a decade ago: it seems like this should be unnecessary, but every time I do it it never fails to pay dividends.

There was a fundraising website written 15 years ago that a team I was on was responsible for (I never actually worked on it).

There were fraudulent credit card donations for $1 which became really obvious when the zip code was garbage.

The "solution" was to disable the credit card page until the month of the fundraising event, when it was enabled again in hopes that the scammers would not try during that month.

I don't understand, what were the scammers trying to achieve?

Trying to validate stolen or generated credit card numbers.

That's not always what is going on. In some cases unscrupulous operators will run through large numbers of $1 transactions in order to lower their chargeback rate.

This sounds interesting - can you explain further?

Maybe hoping there was an affirmative response if the card did go through?

In this context it may have been BS, but in general it's a good idea to reduce the attack surface of the entire platform.

Scanning for vulnerable components is different. All the tool has to do is find out the site is using the specific library; the vulnerabilities themselves are manually validated.

It's a liability thing. If you get hacked after "addressing" all the vulnerabilities, it's not your fault - it's the scan tool's fault. Utter bullshit, but hey.