(Originally I wanted to tweet this, but it grew far longer than 140 characters.)
I tried a free version of the Chorizo security scanner. It’s one of those tools that should make building secure web applications much easier.
I liked the idea of the proxy setup. Instead of downloading any software or scanning a web site and generating lots of extra traffic, it works in a proxy mode. You configure a proxy server in your browser, add the domain to your Chorizo profile, verify the domain by uploading a signature file to the server, and then simply browse around. There are a couple of nice windows hanging around, showing you things, etc. It even works in Konqueror…
What I didn’t like was that the scanner didn’t find any problems with an obviously problematic web site. I can easily do SQL injections on the pages that I browsed, and I am sure cross-site scripting isn’t any more difficult. Yet the scanner showed a “0 vulnerabilities found” message.
There is also a commercial offering of the service, where you can add more than one domain and have some advanced reports and stuff. But I don’t feel like paying a couple of hundred EUR per year for something that didn’t find obvious problems.
Maybe they are a new service or have some temporary problems. Maybe I’ll give them another try some time later. But for now the answer is a definite “No”. Pity.