(Originally I wanted to tweet this, but it grew far longer than 140 characters.)
I tried a free version of Chorizo security scanner. It’s one of those tools that should make secure web applications much easier.
I liked the idea of the proxy setup. Instead of downloading any software or scanning a web site generating lots of extra traffic, it works in a proxy mode. You configure a proxy server in your browser, add the domain to Chorizo profile, verify the domain by uploading a signature file to the server, and then simply browse around. There are a couple of nice windows hanging around, showing you things, etc. It even works in Konqueror…
What I didn’t like was that the scanner didn’t find any problems with an obviously problematic web site. I can easily do SQL injections on the pages that I browsed and I am sure cross-site scripting isn’t any more difficult. Yet, the scanner showed a “0 vulnerabilities found” message.
There is also a commercial offering of the service, where you can add more than one domain and have some advanced reports and stuff. But, I don’t feel like paying a couple of hundred EUR per year for something that didn’t find obvious problems.
Maybe they are a new service or have some temporary problems. Maybe I’ll give them another try some time later. But for now the answer is a definite “No”. Pity.