WhiteHat Security Presentation
WhiteHat Security – Website Risk Management
Mark G. Meyer, Director of Sales – Northeast, 212-422-9400, [email_address]
Web Application - User’s View
Web Application – Hacker’s View
• Session Hijacking
• Parameter Manipulation
• Cross-site scripting
• Buffer Overflow
• Password Guessing
• Denial of Service
• Account Enumeration
• SQL Injection
WhiteHat Security – Website Risk Management
Evolution of End-to-End Website Risk Management
• WhiteHat Security founded 2001
• Premium Edition Service launched in 2003
• Sentinel Standard Edition introduced 2007; Baseline Edition, 2009
• Visibility into risk enables oversight, measurement, process control and management
Control Web Application Security Costs
• Scalable, SaaS – Annual Subscription
• 10,000’s of assessments performed annually
• Unlimited assessments during term of agreement
• Fixed annual fee, cost-efficient
Proven Methodology
• Hundreds of Enterprise Customers
• ALL Vulnerabilities verified for accuracy
Turnkey
• No installation of Hardware or Software
• No need to hire, train, and retain additional personnel
Website Risk Management – 4 Phase Approach
WhiteHat Sentinel – Vulnerability Management
Sentinel PE (Fully Targeted): High Impact / Production Sites – assessed by Consultants or scanning tools
• Performs critical business functions
• Configured assessment delivery
• Manual testing for business logic issues
• Verified vulnerability reporting
Sentinel SE (Directed): Internal / Customer Facing Sites – assessed by scanning tools
• Configured assessment delivery
• Verified vulnerability reporting
Sentinel BE (Random): Broad Based Coverage – less-complex sites
• Self-service assessment delivery
• Verified vulnerability reporting
WhiteHat Sentinel Vulnerability Coverage
Technical: Identify with Automation
• Command Execution: Buffer Overflow, Format String Attack, LDAP Injection, OS Commanding, SQL Injection, SSI Injection, XPath Injection
• Information Disclosure: Directory Indexing, Information Leakage, Path Traversal, Predictable Resource Location
• Client-Side: Content Spoofing, Cross-site Scripting, HTTP Response Splitting, Insecure Content
Business Logic: Human Analysis
• Authentication: Brute Force, Insufficient Authentication, Weak Password Recovery Validation, CSRF
• Authorization: Credential/Session Prediction, Insufficient Authorization, Insufficient Session Expiration, Session Fixation
• Logical Attacks: Abuse of Functionality, Denial of Service, Insufficient Anti-automation, Insufficient Process Validation
(Coverage is shown per edition: Premium Edition, Standard Edition, Baseline Edition)
WhiteHat Sentinel – Key Functionality
• Per Website Subscription
• Combination of advanced proprietary technology and expert analysis
• On-Demand Turnkey solution
• 24x7 Reporting / Communication
• Unlimited Assessments / Users
• All Vulnerabilities Verified for Accuracy
• Geared for Development & Production
• Accurate prioritization of risk
• XML API Integration
• WAF Integration – Protection Layer
• Website Security Certification
How WhiteHat Sentinel Works
Secure Protection Layer – Education / WAF
• Introduction to Website Security: overview of Web application security. Understand how Web applications work, how to find and exploit vulnerabilities, and solutions for protection.
• Secure Coding for Java Developers: the dangers of insecure coding practices. Specific ways code can be exploited, and how to write code to avoid introducing vulnerabilities.
Questions?
Supplemental Slides
Alerts – Message Center
Executive Summary – Enterprise Visibility
Website Summary – Individual Activity
Vulnerability Viewer – Remediation / Mitigation
Attack Vector Details – Code Level
Findings Summary – Auditing / Compliance
Scan Scheduler – Control Center
Reporting – Custom Analytics
Resources – API / Best Practices
Editor's Notes

  • #3: So let’s take a look at how these attacks work. This is a normal web page and how a user looks at it. You have a login form, where you can enter your username and password. There is a “register now” function if you don’t have an account. You can go to “forgot password” if you forgot your password. You can also contact them with your feedback, etc.
  • #4: We saw how a normal user looks at a web page. This is how a hacker looks at your web page. A user looks at functionality, whereas a hacker looks at an opportunity. So as you can see, he is trying to figure out where he can perform what kind of attack. There is an opportunity to guess the password by a brute force attack; he can do denial of service or bypass login using SQL injection. He can go to the “register now” function and enumerate registered users for that website. He could do XSS, session hijacking or parameter manipulation. So as you can see, a hacker looks at an opportunity, and he only needs one. View web applications through a magnifying lens. This is what you should be able to do once the class is over: spot opportunity where none is visible to the untrained eye.
  • #6: 4 stages: (1) discover assets; (2) build a risk profile; (3) select the service level that gives appropriate visibility; (4) report and communicate those findings, providing the flexibility to remediate them in the code, with a WAF, or with an IDS.
  • #7: Goal: Select a service level that provides the proper visibility for the asset’s risk level.
  • #8: Before we drill down into the methodology of the Sentinel Service, I’d like to spend a couple of minutes discussing the WASC 24, because this is an integral and very key component of our assessment process. To help ensure the Sentinel Service is thorough, WhiteHat relies on the WASC 26 classes of attacks as a reference point against which we test for website vulnerabilities. In case you aren’t familiar with the WASC, it stands for Web Application Security Consortium, and the WASC 26 has been adopted as a global standard by the security community as a way to measure the level of security associated with any specific web application. Many of you are probably more familiar with the OWASP Top 10, and while the OWASP Top 10 is also an important criterion, it’s essentially a subset of the WASC 26. In short, the WASC 26 is WAY more comprehensive as a checklist for assessing web applications, which is why we use it as our standard. At WH, we’ve incorporated these 26 classes of attacks into our internal assessment process to enforce consistency, reliability, and thoroughness each time the Sentinel Service is delivered; we’re not just taking rifle shots at customer websites HOPING we get lucky and uncover website security holes. The vulnerabilities in the left column of this slide are those that require human expertise to uncover, and those on the right can be discovered if you know how to effectively customize automated scanning technology; in fact, the legacy scanning tools are pretty good at finding these types of vulnerabilities. The important takeaway here is that when we say that automation can identify roughly ½ of all web application vulnerabilities, this is what we mean: automation has the capability to identify those 13 classes of attacks listed in the right-hand column, which we refer to as technical vulnerabilities, ones that can be found syntactically.
And while these vulnerabilities represent roughly 75% of ALL vulnerabilities found according to our trending statistics, the business logic flaws (the other 25% or so, listed in green) are often the ones that are the most egregious and REQUIRE human intervention to uncover. Bottom line: being thorough in the assessment process is critical, and using the WASC 26 as a measuring stick is one important way in which comprehensiveness and consistency are enforced within WhiteHat’s assessment process.
  • #9: All Service levels share these features. Most important: SaaS, repeatable assessments, production safe, verified results
  • #10: Step 1: Customer provides URLs, logins, and schedule. Step 2: Initial testing includes a lot of up-front configuration work (2–3 weeks), but we are delivering results immediately as we progress through the site. Step 3: Results are up to date and complete after initial configuration is done, and now detailed, repeatable assessments occur on a continual/scheduled basis. Step 4: Results are made available through the website; the API integrates with everything (WAFs, IDS, bug tracking).
  • #11: Goal: provide flexibility in remediating vulnerabilities through the code, WAFs, IDS, or Security Training for your developers.
  • #19: We are here because we are concerned about these people
  • #20: We are here because we are concerned about these people
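Editor’s note #4 names two of the attacks from the “Hacker’s View” slide that begin at the login page: bypassing login with SQL injection, and enumerating registered users through the “register now” / “forgot password” functions. The example below is added here as an illustration and is not code from the WhiteHat deck or from the Sentinel service. It builds the login and password-reset handlers twice, once with the defect and once hardened, over a constructed in-memory SQLite table with one sample user; the user name “alice”, the password, the outbox list and the helper names are assumptions. The vulnerable login is shown failing on a legitimate name that contains a quote (O’Brien), which demonstrates that the name is being parsed as SQL without supplying any attack input; the hardened version parameterizes the query, compares hashes in constant time, and returns the same reset message whether or not the account exists.

```python
"""Added example: login and password-reset handlers, vulnerable beside hardened.
Not part of the WhiteHat presentation; all names and data are constructed."""
import hashlib
import hmac
import os
import sqlite3

PBKDF2_ROUNDS = 100_000  # assumption: illustrative work factor, not a recommendation


def _hash_password(password: str, salt: bytes) -> bytes:
    # Salted PBKDF2-HMAC-SHA256 from the standard library.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)


def make_db() -> sqlite3.Connection:
    """Constructed sample data: one registered user, 'alice'."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT PRIMARY KEY, salt BLOB, pw_hash BLOB)")
    salt = os.urandom(16)
    conn.execute("INSERT INTO users VALUES (?, ?, ?)",
                 ("alice", salt, _hash_password("correct horse", salt)))
    conn.commit()
    return conn


def login_vulnerable(conn: sqlite3.Connection, username: str, password: str) -> bool:
    """Defect: the query is built by string concatenation, so the username is
    parsed as SQL. A legitimate name with a quote (O'Brien) breaks the statement;
    that is the same flaw the 'bypass login using SQL injection' note refers to."""
    sql = "SELECT salt, pw_hash FROM users WHERE username = '" + username + "'"
    row = conn.execute(sql).fetchone()
    if row is None:
        return False
    salt, pw_hash = row
    return pw_hash == _hash_password(password, salt)


def login_hardened(conn: sqlite3.Connection, username: str, password: str) -> bool:
    """Parameterized query: the driver passes the username as data, never as SQL.
    An unknown user and a wrong password both return False, and the hash is
    computed in either case so timing does not reveal which one it was."""
    row = conn.execute("SELECT salt, pw_hash FROM users WHERE username = ?",
                       (username,)).fetchone()
    if row is None:
        _hash_password(password, b"\x00" * 16)  # dummy work to equalize timing
        return False
    salt, pw_hash = row
    return hmac.compare_digest(pw_hash, _hash_password(password, salt))


# Hypothetical outbox standing in for an e-mail queue.
SENT_RESETS: list = []


def queue_reset_email(username: str) -> None:
    SENT_RESETS.append(username)


def password_reset_vulnerable(conn: sqlite3.Connection, username: str) -> str:
    """Defect: the response text differs for registered and unregistered names,
    which is exactly what account enumeration relies on."""
    exists = conn.execute("SELECT 1 FROM users WHERE username = ?", (username,)).fetchone()
    if exists:
        queue_reset_email(username)
        return "Reset link sent."
    return "No account with that username."


GENERIC_RESET_MSG = "If an account exists for that username, a reset link has been sent."


def password_reset_hardened(conn: sqlite3.Connection, username: str) -> str:
    """Same message for every input; the e-mail (if any) goes out of band."""
    exists = conn.execute("SELECT 1 FROM users WHERE username = ?", (username,)).fetchone()
    if exists:
        queue_reset_email(username)
    return GENERIC_RESET_MSG


def quote_breaks_vulnerable_login(conn: sqlite3.Connection) -> bool:
    """Check: does a quote in a legitimate username make the vulnerable handler
    raise a database error? True means user input is reaching the SQL parser."""
    try:
        login_vulnerable(conn, "O'Brien", "x")
    except sqlite3.OperationalError:
        return True
    return False


if __name__ == "__main__":
    db = make_db()
    print("vulnerable login parses input as SQL:", quote_breaks_vulnerable_login(db))
    print("hardened login, O'Brien:", login_hardened(db, "O'Brien", "x"))
    print("reset (vulnerable):", password_reset_vulnerable(db, "alice"),
          "|", password_reset_vulnerable(db, "nobody"))
    print("reset (hardened):", password_reset_hardened(db, "alice"),
          "|", password_reset_hardened(db, "nobody"))
```

The check function is the kind of thing a code reviewer or a scanner does: a stray quote that produces a database error is a syntactic finding, which is why note #8 places SQL Injection among the classes automation can identify; the differing reset messages are a business-logic finding of the kind the slide leaves to human analysis.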