Poll: How much more are you willing to pay for improved security in vbseo? (1 vote)

  • I am not willing to pay more and I am willing to accept the risk: 0 (0%)
  • $10 more: 0 (0%)
  • $20 more: 0 (0%)
  • $30 more: 0 (0%)
  • $40 more: 0 (0%)
  • $50 more: 0 (0%)
  • $60 more: 0 (0%)
  • $70 more: 0 (0%)
  • $80 more: 0 (0%)
  • $100 more: 1 (100%)

Would you be willing to pay more for vbseo for improved security?

Forum: General Discussion, vBSEO SEO Plugin category. 3 posts.

  1. #1 m0rgulvale (Member, joined May 2009, 88 posts)

    Would you be willing to pay more for vbseo for improved security?

    First of all, I wanted to say this post is not intended to be a rant or overly negative. Just realistic about risk.

    My background is in IT security, software engineering, and network engineering, and likewise I am very concerned about any system or web application with vulnerabilities. Nobody is perfect, including me and any software developer. To err is human.

    The positives:
    vbseo is a really great product that has had really positive results for my site overall. The vbseo team does notify customers about vulnerabilities quickly most of the time. I have great respect for the vbseo team.

    The negatives:
    vbseo has had some pretty bad security flaws. Anyone using the Internet can do some research on these and find out what specifically. These flaws do pose a risk to any business using vbseo. When a serious flaw is announced, I ask myself "what might have happened during the last 3 months as a result of this just announced vulnerability?" I ask myself what vulnerability will be next. I don't want to have to worry about this. I find myself in a bind. Yes vbseo helps search rankings, but the fact is there is increased security risk with using this product. And the fact is one exploited vulnerability could cause serious harm to a company or possibly put someone out of business.

    My perspective:

    I come from the banking industry where my company had absolutely zero tolerance for security flaws in our web apps. We invested in automated vulnerability scanning tools like WhiteHat which were extremely valuable. We had security metrics which measured vulnerabilities by programmer per week. People had incentives to write secure code.

    So what should be done? I think vbseo needs to hire a programmer to focus only on security and nothing else at all. I would easily be willing to pay $100 more for this. I need to have some comfort going to sleep at night that there isn't some random flaw in vbseo that could result in my site being hacked. I don't want to have to wake up at 8AM before work to patch VBSEO. I don't want to have to worry about these vulnerabilities. They need to stop.

    Other options: use an automated vulnerability scanning tool like WhiteHat. Do something to reduce the likelihood of flaws. Have yearly training budget for security training for coders.

    I am not expecting security to ever be "perfect" but it needs improvement here. I don't care at all about new features in vbseo. It means nothing to me if the product is not secure. Focus 95% on security and 5% on new features. This product "works". Nothing else is needed. Make it secure. Nothing else. I need to be able to sit back and relax knowing it is secure. One thing I expect to be perfect is *never* a SQL injection flaw. Input validation and parameterized functions will prevent this.


    As a business owner I value data integrity, confidentiality, and availability, and these flaws pose a risk to all of them, although the product does help with search results.

    I am not trying to make anyone look "bad". I am just trying to help.


    Best Regards,

    m0rgulvale
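The post's last technical point, that parameterized queries plus input validation stop SQL injection, is easy to see side by side. The following is an added example, not code from the post, from vbseo or from vBulletin: a constructed in-memory SQLite table standing in for a forum user table, a lookup built by string concatenation, the same lookup with a bound parameter, and an allowlist check layered in front of it. The table, column and function names are assumptions for illustration.

```python
import re
import sqlite3


def make_db():
    """Constructed sample data: two users, one of them an admin."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, is_admin INTEGER)"
    )
    conn.executemany(
        "INSERT INTO users (name, is_admin) VALUES (?, ?)",
        [("alice", 1), ("bob", 0)],
    )
    return conn


def lookup_vulnerable(conn, name):
    """Builds the SQL text by concatenation, so whatever the caller sends
    becomes part of the statement. This is the flaw the post wants gone."""
    sql = "SELECT name FROM users WHERE name = '" + name + "'"
    return [row[0] for row in conn.execute(sql)]


def lookup_parameterized(conn, name):
    """Same query with a bound parameter. The driver passes the value
    separately from the statement text, so quotes or comment markers in
    the value can never change what the statement does."""
    sql = "SELECT name FROM users WHERE name = ?"
    return [row[0] for row in conn.execute(sql, (name,))]


# Allowlist for a user name: letters, digits, underscore, 1 to 32 chars.
# (Hypothetical policy chosen for the example.)
NAME_RE = re.compile(r"[A-Za-z0-9_]{1,32}")


def validate_name(name):
    """Input validation as a second layer: reject anything outside the
    allowlist before it reaches the database at all."""
    if not NAME_RE.fullmatch(name):
        raise ValueError("invalid user name")
    return name


def lookup_hardened(conn, name):
    """Validation plus parameterization, the combination the post asks for."""
    return lookup_parameterized(conn, validate_name(name))


def demo():
    """Run the three lookups against two classic payloads and return results."""
    conn = make_db()
    or_payload = "' OR '1'='1"
    union_payload = "' UNION SELECT is_admin FROM users --"
    return {
        "vuln_or": lookup_vulnerable(conn, or_payload),
        "vuln_union": lookup_vulnerable(conn, union_payload),
        "param_or": lookup_parameterized(conn, or_payload),
        "param_union": lookup_parameterized(conn, union_payload),
    }


if __name__ == "__main__":
    print(demo())
```

Against `' OR '1'='1` the concatenated query returns every user, and against the UNION payload it leaks the `is_admin` column through a query that was only supposed to return names; the parameterized version returns nothing for either, because the value is compared literally. The allowlist on top means malformed input is rejected with an error before any query runs, which is also what makes the attempt visible in logs.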

  2. #2 Brian Cummiskey (vBSEO Staff, joined Jul 2009, location btwn NYC and Boston, 12,789 posts)
    We at vBSEO do take security very seriously. We always attempt to release the most secure software possible with every release. All changes are reviewed by at least 3 development staff members for code QA prior to every release.

    Hackers are very creative people. They think of things that honestly don't even make sense to a programmer and sometimes find a hole in one of the many layers involved in the network, the server, the core software/os, the scripts and/or the db on the server itself.

    Staying on the latest release is always the best thing to do as it gives hackers the least amount of time with 'having' the software. In this particular case as well, the latest release, 3.6.0, was not affected.

    To the topic at hand, bringing on a new team member for the sole purpose of security investigation is not in our budget right now. From a customer point of view, while many are big board owners making a profit, the vast majority of our customer base run 'medium' sized sites and make a few bucks here and there. But the cost of the software going up $100 in most cases would put that completely out of their budget, rivaling the cost of vb itself at $250. To pay a code security expert, that person would demand at least $80-100k USD salary. Can we get 10,000 people to spend an extra $100 a year with us for security purposes alone? Maybe, but it would need to be thought out. And what happens when that person misses something? Everyone who paid more for this will revolt over paying for it and, like you said, no one is perfect.

    It is nearly impossible to make 100% exploit/bug free software when it is designed to run on 1000s of combinations of servers, platforms, vb versions, php versions, and all the rest once you get beyond a 'Hello World' echo. Most of the 'bigger' issues that were reported stemmed from people leaving their config files or other files/folders writable. This isn't a code issue. We released a version shortly thereafter that included better .htaccess files in directories and put a banner notice about writable files, but the core issue was not with the codebase. No matter how much we QA and print directions, there are people that can't/won't/didn't follow the directions correctly. Even the old versions of the vbseo 3.x series have a note about locking down the config file via chmod when settings are done and so forth.

    We purchased and ran McAfee Secure (used to be called HackerSafe) in the past. We found it basically useless as it only tested the most basic form post and cookie events. Had we been running it currently, it likely would not have reported the exploit that was patched in the 3.5.2 update either, due to the inventive way the exploit was run.

    Reporting piracy will also help stop security issues. If they can't obtain the software in the first place, they will have a harder time hacking it. And if they do pay for it and get a license, we may be able to stop them because we have their information on record. Unfortunately, paying customers keep submitting their personal paid software to warez sites and groups. We ban and remove them as customers when we find them, but it's an on-going effort and blocking it completely will likely never happen.

    We appreciate your concerns and I assure you that we always do all that we can without being able to predict the future for every release with the very competent team that we have in place here now.
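The reply attributes the bigger reported issues to config files and folders left writable, and points at the install note about locking the config file down with chmod once settings are done. The following is an added example, not vbseo's own banner check or any code from the thread: a small audit that walks an install directory, reports every file or directory that is group- or world-writable, and restricts a config file to owner read/write. The directory layout and file names (`config.php`, `index.php`, `uploads`) are constructed for the example and are not vbseo's real paths.

```python
import os
import stat
import tempfile

# Permission bits that let someone other than the file's owner write to it.
UNSAFE_WRITE = stat.S_IWGRP | stat.S_IWOTH


def find_writable(root):
    """Return paths (relative to root) of files and directories under root
    that are group- or world-writable. Symlinks are skipped so a link into
    /tmp does not get reported as the install tree's own permissions."""
    findings = []
    for dirpath, dirnames, filenames in os.walk(root):
        for entry in dirnames + filenames:
            path = os.path.join(dirpath, entry)
            st = os.lstat(path)
            if stat.S_ISLNK(st.st_mode):
                continue
            if st.st_mode & UNSAFE_WRITE:
                findings.append(os.path.relpath(path, root))
    return sorted(findings)


def lock_down(path):
    """Restrict a file to owner read/write only (0600): the 'chmod when
    settings are done' step. Returns the resulting permission bits."""
    os.chmod(path, 0o600)
    return stat.S_IMODE(os.stat(path).st_mode)


def demo():
    """Constructed layout in a temp dir: a config file left world-writable
    (the mistake the reply describes), a clean script, and an uploads
    directory that is deliberately writable because the web server needs
    it. The audit should flag the config and the uploads dir; after the
    lock-down only the uploads dir, which is expected, remains."""
    root = tempfile.mkdtemp()
    cfg = os.path.join(root, "config.php")      # hypothetical name
    clean = os.path.join(root, "index.php")     # hypothetical name
    uploads = os.path.join(root, "uploads")     # hypothetical name
    os.mkdir(uploads)
    for p in (cfg, clean):
        with open(p, "w") as f:
            f.write("<?php\n")
    os.chmod(cfg, 0o666)
    os.chmod(clean, 0o644)
    os.chmod(uploads, 0o777)

    before = find_writable(root)
    cfg_mode = lock_down(cfg)
    after = find_writable(root)
    return {"before": before, "after": after, "cfg_mode": cfg_mode}


if __name__ == "__main__":
    print(demo())
```

Run as the account that owns the install, point `find_writable` at the web root, and treat every hit that is not an upload or cache directory as something to chmod back. A directory that must stay writable for the web server is a known exception to record, not a reason to skip the check; the point of the audit is that the exception list is short and deliberate.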

  3. #3 m0rgulvale (Member, joined May 2009, 88 posts)

    Thanks for the reply Brian. I know you guys care and that matters a lot because lots of companies don't care at all about security stuff.

    keep up the great work overall

    Hopefully other people would be willing to pay more too.

    take care
    peace
    -M0rgulvale
