Thanks for your comment.
they confuse it with XSS
That's because CSRF can't be prevented if there is a sitewide XSS in play as well.
Having spent a lot of time dealing with people in the industry, when I said I've come across people who do not understand XSS, I was referring to people who do not understand what XSS is - period. I was not referring to people who understand what XSS is and are aware of its business impact compared to XSRF.
(You make a good point about not being able to prevent XSRF should a sitewide XSS issue exist. I agree that it would be very hard to prevent an XSRF condition in this case, but I'd like to add that I think that the risk caused by a sitewide XSS vulnerability would retain its business impact regardless of XSRF.)
Maybe you're not confusing it with XSS?
I don't know what you mean by that. An XSRF vulnerability doesn't require XSS. Maybe you typed that wrong? If not, perhaps you can rephrase so it is more clear.
That said, I think we are both in agreement. In fact, I challenge you to find anyone who feels more strongly than me about the perils of relying on automated application security assessments!
I do agree that organizations who *solely* rely on automated solutions are NOT doing the right thing at all - in fact, as a security purist, my heart aches to see organizations throw money on solutions that are guaranteed to be automated - they think they are saving money, but I think they end up paying more because they don't fix the root cause. I am a huge advocate of implementing a thorough SDLC process with the goal of developing secure software.
The reason I brought up the points about automated assessment tools is to attempt to brainstorm on reasons why we are not seeing any product vendors come up with solutions on XSRF. I think we both know the reasons why, but they dare not admit it. That said, as a scientist, I would be interested in hearing about a proposal that may assess this automatically (I'm not holding my breath however).
In summary, I agree with you that the question 'is an application vulnerable to XSRF?' tends towards a design review rather than something that relies on fuzzing and patterns.
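The exchange above turns on two points: an XSRF defence is a design property (a per-session secret that a cross-site page cannot supply), and that defence collapses once script from the same origin can read the secret. The following is an added example, not code from the commenters or any product they mention; it implements the synchronizer-token pattern in plain Python with a constructed in-memory session store and hypothetical request objects, and shows why a forged cross-site request is rejected while a request made by script that already holds the token is not.

```python
import hmac
import secrets

# Constructed in-memory session store: session id -> session state.
# In a real application this would be server-side session storage.
SESSIONS = {}


def create_session() -> str:
    """Start a session and bind a fresh, unguessable anti-XSRF token to it."""
    sid = secrets.token_urlsafe(16)
    SESSIONS[sid] = {"xsrf_token": secrets.token_urlsafe(32)}
    return sid


def token_for_session(sid: str) -> str:
    """The server embeds this value in its own forms / pages for the session."""
    return SESSIONS[sid]["xsrf_token"]


def handle_transfer(cookies: dict, form: dict) -> tuple[int, str]:
    """
    Hypothetical state-changing endpoint. The browser attaches the session
    cookie automatically on cross-site requests, so the cookie alone proves
    nothing about who authored the request. The form must also carry the
    session-bound token, which a third-party page cannot read or guess.
    """
    sid = cookies.get("session")
    if sid not in SESSIONS:
        return 401, "no valid session"

    expected = SESSIONS[sid]["xsrf_token"]
    supplied = form.get("xsrf_token", "")
    # Constant-time comparison avoids leaking the token via timing.
    if not hmac.compare_digest(expected, supplied):
        return 403, "xsrf token missing or invalid"

    return 200, f"transferred {form.get('amount')} to {form.get('to')}"


def demo() -> dict:
    """Run the three cases discussed in the thread and return their status codes."""
    sid = create_session()
    cookies = {"session": sid}  # the browser sends this on every request

    # 1. Legitimate request: the page rendered by the server included the token.
    legit = handle_transfer(cookies, {"amount": "10", "to": "alice",
                                      "xsrf_token": token_for_session(sid)})

    # 2. Classic XSRF: an attacker-controlled site auto-submits a form. The
    #    cookie rides along, but the attacker's page cannot read the token.
    forged = handle_transfer(cookies, {"amount": "9999", "to": "mallory"})

    # 3. Same-origin XSS: script running inside the victim origin can read the
    #    token from the page and include it, so the token check alone cannot
    #    distinguish this from case 1. This is the point made in the thread:
    #    an XSRF defence does not survive a sitewide XSS, which has to be
    #    fixed at the output-encoding / CSP level instead.
    via_xss = handle_transfer(cookies, {"amount": "9999", "to": "mallory",
                                        "xsrf_token": token_for_session(sid)})

    return {"legit": legit[0], "forged": forged[0], "via_xss": via_xss[0]}


if __name__ == "__main__":
    print(demo())
```

The design point is that the check is a property of the request-handling design (every state-changing handler must require the token, and the token must be bound to the session), which is why the thread concludes that "is this application vulnerable to XSRF?" is answered by design review rather than by pattern matching on responses.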