WHITEHAT SECURITY. T.C. NIEDZIALKOWSKI Technical Evangelist. DECEMBER 2012


WhiteHat Security Company Overview
- Headquartered in Santa Clara, CA
- WhiteHat Sentinel: SaaS end-to-end website risk management platform
- Employees: 250+
- Customers: 650+
2012 WhiteHat Security, Inc. 2

OVERVIEW: Web Application Security Across the SDLC
Security throughout the application lifecycle reduces website risks across the enterprise.
SDLC stages covered: Development, Preproduction, Production (Sentinel Source, Sentinel PL, Sentinel BE/SE/PE)
WhiteHat Sentinel Security Platform:
- Expertise: Threat Research Center
- Intelligence: Security Metrics and Real Time Reporting
- Accessibility: Anytime / Anywhere via the Internet

WhiteHat Sentinel Software as a Service
- SaaS (Annual Subscription)
- Unlimited Assessments / Users
- Fixed Flat Rate per Website
Unique Methodology
- Proprietary scanning technology
- Expert website security analysis (TRC)
- Satisfies PCI 6.6 requirements
- Vulnerability verification and prioritization
- XML API links other security solutions
Easy to get started
- Need URL and Credentials
- No Management of Hardware or Software
- No Additional Training

How WhiteHat Sentinel Works

CYBERCRIME IS NOW THE SECOND BIGGEST CAUSE OF ECONOMIC CRIME EXPERIENCED BY THE FINANCIAL SERVICES SECTOR

ATTACK LANDSCAPE: 1 million accounts with 1 SQL Injection attack

ATTACK LANDSCAPE: XSS from 2009 used by LulzSec to announce Murdoch's death in 2011

ATTACK LANDSCAPE: Sophisticated, targeted fraud on eBay.com

ATTACK LANDSCAPE: Attacker Profiles
Random Opportunistic
- Fully automated scripts
- Unauthenticated scans
- Targets chosen indiscriminately
Directed Opportunistic
- Commercial and open source tools
- Authenticated scans
- Multi-step processes (forms)
Fully Targeted
- Customize their own tools
- Focused on business logic
- Clever and profit driven ($$$)

BIG DATA CAN TELL US WHAT IS REALLY GOING ON

METRICS

METRICS: 8/10 websites have serious vulnerabilities
Average number of new serious* vulnerabilities discovered per website per year
*Serious vulnerability: A security weakness that, if exploited, may lead to breach or data loss of a system, its data, or users (PCI-DSS severity HIGH, CRITICAL, or URGENT).

METRICS: WhiteHat Security Top Ten (2011)
Percentage likelihood of a website having at least one vulnerability, sorted by class

METRICS: 37% of Vulnerabilities are Never Fixed
The overall remediation rate in 2011 was 63%, up from 53% in 2010, and almost double the rate of 35% in 2007. Roughly 7% average improvement per year in the percentage resolved during each of the last four years.

METRICS: Serious vulnerabilities take 38 days to fix

METRICS: Window of exposure

METRICS: Why Do Vulnerabilities Go Unfixed?
- No one at the organization understands or is responsible for maintaining the code.
- Development group does not understand or respect the vulnerability.
- Affected code is owned by an unresponsive third party.
- Website will be decommissioned or replaced soon.
- Risk of exploitation is accepted.
- Feature enhancements are prioritized ahead of security fixes.

HOW TO SOLVE VULNERABILITY OVERLOAD

INTEGRATION: Targeting and Evolving Security Strategies
FROM: Fulfilling checkbox requirements -> TO: Securing all Web assets throughout the SDLC
FROM: Point-in-time assessments -> TO: Continuous, concurrent assessments
FROM: Tactical efforts to secure specific websites -> TO: Strategic security program to secure all websites
FROM: Taking precautions but accepting a certain level of risk -> TO: Performing security analysis in all stages of the SDLC

INTEGRATION: WAF is a strategic control to mitigate risk
Web Application Firewalls are best at mitigating vulnerabilities such as Cross-Site Scripting, Content Spoofing, SQL Injection, Response Splitting, etc. By summing these percentages, we might safely say: a WAF could feasibly help mitigate the risk of at least 71% of all custom Web application vulnerabilities.

INTEGRATION: How to solve Vulnerability Overload
- Sentinel Baseline Service finds on average 7 vulnerabilities per site in the unauthenticated space.
- It is common for customers to run Baseline on all of their assets: 200 sites x 7 vulnerabilities = 1400 problems!
- The WhiteHat Sentinel / F5 ASM solution will eliminate 71%, leaving the other 29% to be solved by code remediation or iRules.

INTEGRATION: Integration Overview
- Finds a vulnerability
- Virtual patching with one click on BIG-IP ASM
- Vulnerability checking, detection and remediation
- Complete website protection
- Verify, assess, resolve and retest in one UI
- Automatic or manual creation of policies
- Discovery and remediation in minutes

INTEGRATION: Why past attempts at DAST+WAF failed
- DAST can disrupt production if not carefully configured
- Testing QA won't provide accurate measurement
- Hundreds or thousands of unvalidated false positives and duplicates slowed WAF performance and blocked valid traffic
- Without up-to-date, validated input, can't move the WAF into blocking mode
- False negatives in the scanning methodology (not testing certain functionality) still required broad rules

INTEGRATION: WhiteHat Sentinel, Ideal Solution for ASM
- WhiteHat's unique methodology allows the service to find more vulnerabilities and have fewer false positives than other DAST vendors, all while testing production safely
- F5 ASM + WhiteHat enables twice the number of automatically resolvable vulnerability classes of any other similar integration
- F5 is the only WAF vendor that can consume WhiteHat Sentinel's unique Vuln ID, which allows continuous, historical tracking of vulnerabilities and better integration with the WAF and SDLC
- Live team of experts to provide assistance, explanation, and demonstration of vulnerabilities

INTEGRATION: Unique to WH+ASM integration
- Vuln ID to historically track vulnerability status
- 100% verified vulnerability results
- Retest Now to confirm virtual patch effectiveness
- Mitigated by WAF flag in Sentinel interface

INTEGRATION: WAF roadmap
- Virtual patching support for atypical vulnerabilities
- Expand coverage to more vulnerability classes
- Bi-directional integration to better inform DAST of the web application attack surface

FREE TRIAL: http://www.f5networks.co.jp/info/whitehat.html

THANK YOU
T.C. NIEDZIALKOWSKI, Technical Evangelist, tc@whitehatsec.com