Most security scanning services that claim to test a site for vulnerabilities only test application version numbers rather than the actual vulnerabilities themselves. It is common for us to apply security patches without changing the version number of web server applications. Testing only application version numbers is a flawed testing methodology and results in a lot of unwarranted concern on the part of our clients.
Security services frequently respond with specific items listed on the Common Vulnerabilities and Exposures (CVE) list. Many of these services are sloppy enough not to even test for the specific versions of software that are outlined in that CVE. These services report a vulnerability if the version number is not later than the latest version of the software marked as having that vulnerability. In reality, many CVEs do not exist in older versions of a program and only apply to a narrow range of program versions.
Obviously, changing version numbers has stability and compatibility implications that require careful planning and rigorous testing to avoid service problems when deploying the new version. It makes no sense to do this if we've already patched the vulnerabilities.
Add to that the inflexible administration and procedures at many of the security scanning services (assuming there are even people there) and you can run into a scenario in which they will not state that something is secure unless we change version numbers, even though the vulnerabilities are already patched.
It is rare for a customer to go away happy after using a security scanning service. The nature of the service pits the security scanning service against us, and if they report security risks that do not exist, it puts us on the defensive. When our customer takes our response back to the security company, it often puts the security scanning company on the defensive because it points out the flaws in their own testing methodology (if they even have one). In the end, our customer feels scammed regardless of which party they choose to believe.
Before relying on a security scanning service, we recommend that you do the following:
- Check with the security service to determine the methodology they use for testing. Do they test the actual vulnerability, or do they only test program versions?
- If the security service gives specific CVE names, check the specific CVE at the National Vulnerability Database:
Match the version number of the software program on your server against the versions listed as containing that vulnerability. Note that even if the version number matches, the particular software in question may have had the vulnerability fixed in a patch. However, if the version number does not match, it is most likely that the security service is using sloppy methodology.
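As an added illustration of the checklist above (example code, not part of this article and not from any scanning service), the following Python contrasts the "not later than the last affected version" check with a proper range check, and then applies the checklist to a server banner. The CVE identifier, the affected-version bounds and the banners are constructed placeholders, and the "patch applied" flag stands in for the operator's own patch records, which a banner cannot reveal.

```python
import re
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Advisory:
    """Constructed advisory; the id and bounds are placeholders, not a real CVE."""
    cve_id: str
    first_affected: tuple  # inclusive lower bound of the affected range
    last_affected: tuple   # inclusive upper bound of the affected range


SAMPLE_ADVISORY = Advisory("CVE-XXXX-XXXX", (2, 2, 10), (2, 2, 20))


def parse_version(text: str) -> tuple:
    """'2.2.15' -> (2, 2, 15); tuples compare numerically, unlike strings."""
    return tuple(int(part) for part in text.strip().split("."))


def version_from_banner(banner: str) -> Optional[str]:
    """Extract the version from a Server header such as 'Apache/2.2.15 (CentOS)'.
    Returns None when the banner carries no version at all."""
    match = re.search(r"Apache/(\d+(?:\.\d+)+)", banner)
    return match.group(1) if match else None


def sloppy_flag(version: str, adv: Advisory) -> bool:
    """The check the article criticises: report anything not newer than the
    last affected version, including releases that predate the bug entirely."""
    return parse_version(version) <= adv.last_affected


def range_flag(version: str, adv: Advisory) -> bool:
    """Report only versions inside the range the advisory actually names."""
    return adv.first_affected <= parse_version(version) <= adv.last_affected


def triage(banner: str, adv: Advisory, patch_applied: bool) -> str:
    """Classify a scanner finding the way the checklist suggests."""
    version = version_from_banner(banner)
    if version is None:
        return "unknown: banner carries no version, verify another way"
    if not range_flag(version, adv):
        return "false positive: version is outside the advisory's range"
    if patch_applied:
        return "patched: version in range but the fix was applied without a version bump"
    return "confirmed: version in range and no patch on record"


if __name__ == "__main__":
    for banner in ("Apache/2.2.3 (CentOS)", "Apache/2.2.15 (CentOS)", "Apache"):
        print(banner, "->", triage(banner, SAMPLE_ADVISORY, patch_applied=False))
```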
You can find the version numbers for Apache, PHP, SSL, and many other web software programs through a PHP info page. For information on how to create a PHP info page see the following Knowledgebase article:
If your primary concern is to pass a specific security service test, you will likely receive better results from our newer hosting plans. For example, our cPanel WebPro shared hosting plans have been created more recently than our Upipe or OHP hosting accounts, and will show fewer erroneous vulnerabilities on security scans.
If you are looking for the most secure environment for your website, a dedicated server can be configured more securely than a shared hosting account. A dedicated server can also be regularly updated via an RPM updater (such as YUM) to keep version numbers current and appease most security service programs.