Educause Security Discussion mailing list archives

Re: Web site security scanning/"certification" services?


From: "O'Callaghan, Daniel" <Daniel.OCallaghan () SINCLAIR EDU>
Date: Mon, 4 Jun 2012 12:41:42 +0000

Do you use a web site security scanning service such as McAfee Secure on your public-facing websites? If so:

- Which service(s) do you use?  --McAfee Secure (ScanAlert "Hacker Safe" prior to acquisition)
- Are you happy with them?   --Mostly.  Cost is reasonable. One-time "on-demand" scans are inexpensive. Web developers
know vulnerabilities are likely to be caught, so typically are more careful about checking before publishing. Scans are
pretty good at identifying XSS, SQL Injection, SSL/Cert issues, etc., and the reports offer suggested remediation.
When scans detect something, I can simply attach the report and send it to the developer/admin; they can see where the
vulnerability is and how to fix it.
- Do they offer a "seal" (little graphic that you display on the site)?   --Yes.
- If they do offer a seal, do you display it? Why or why not (just curious)?    --On some pages/sites.  The service was 
initially requested by our marketing folks, specifically so they could place the logo on any of our sites where 
personal/sensitive information is collected.  I was pleasantly surprised to find the scan data is actually useful.

___________________________________
Daniel V. O'Callaghan, Jr., MBA, CISSP
Chief Information Security Officer
Sinclair Community College
444 W Third St, 13-000B
Dayton, OH 45402
937.512.2452


