by charliesome 5094 days ago
I'm sorry but you can't fix 'failing Web startup security' with automated scans. Automated scans are useless for finding all but the most trivial of vulnerabilities.

There's almost no doubt in my mind that the only way to fix the situation is with education. I think that if your goal is to fix poor security practices, you should change your strategy to teaching developers how to be security aware, rather than offering a service that merely pokes around for a few well-known vulnerabilities.


This is absolutely true.

BUT, there are charlatans armed with little more than nmap and a cursory understanding of the output that sell themselves as penetration testers, for a whole lot more than I assume this service will cost.

This, at least, is normalized, repeated, reported consistently, and history is kept. That's worth something.

It's incomplete, but I assume at the price point, it will be more cost efficient and trustworthy than the other options -- the most popular of which is doing nothing.

Usual rant about false senses of security elided for brevity.

Just as educated programmers can introduce bugs and it's impossible to find a programmer that will write bug-free code, it's also impossible to find one that will write vulnerability-free code. Therefore educating programmers is not the solution; it's part of the solution. And automated scanning is also not the solution, but it's a big part of that solution.

> Automated scans are useless for finding all but the most trivial of vulnerabilities

I'm really curious about how you can make that claim. Automated scanning can find many very important vulnerabilities in a very accurate manner. We regularly receive user comments like this one:

"We had an external scan performed by a third party that found some vulnerabilities in our sites. Using Netsparker we were able to validate them and work on fixing them. More than this, we found a few others not reported by them that we had to patch."

This proves that even a highly-paid security consultant can miss vulnerabilities that can be found by automated scanners. Not to mention that lots of security consultants also use automated scanners to speed up their task.

Finally, there are so many other issues to learn about that you can't expect your developers to keep up to date with all of them: new attack techniques, new vulnerabilities that affect a framework, etc. So, even when your developers are educated about writing secure code, you can still create vulnerabilities in your application. Or when your code is secure in your staging environment, it can be not so secure in the production environment because certain settings are different, etc.

> merely pokes around for a few well-known vulnerabilities.

Modern web app scanners don't really work around the concept of testing for well-known vulnerabilities; there are classes of vulnerabilities such as LFI, SQLi, XSS, etc., and scanners intelligently (similar to an actual attacker / penetration tester) test for these.

You might be thinking about old-school tools such as Nikto (also referred to as CGI scanners). Today, even those tools are doing a little bit more than just looking for well-known vulnerabilities.