This scan is so limited that I wonder if it even could be directly damaging. If the average Joe who set up a CMS for his business runs this and thinks "Great, I got a 90% score, our site is secure".
Average Joe and businesses alike will assume that a tool telling them their site is secure means that they don't have to worry much about it. A tool that can easily be made to report "100% secure" is then quite harmful.
Even large corporations rely largely on buying reports, and in turn buying products to fix the results of those reports as their primary security strategy.
> Also, large corps get SOC2, yet they are still not secure.
SOC2/ISO27001 audits are just "are you living up to the processes you defined yourself for SOC2 compliance", not "are you secure". It is dealt with by whatever Compliance unit the company has and only serves to avoid legal issues, and has nothing to do with whoever runs IT security.
Security audits are usually quite laughable, and work tends to be initiated by security vendors who happen to have a scan that gives some "very bad" result which they just so happen to have a silver bullet product to fix. Then the company uses that scan until the next company comes along...
Few companies take security seriously, designing things for security rather than just buying whatever bandaids they see in the store.