WHITEHAT SECURITY, DECEMBER 2012
T.C. NIEDZIALKOWSKI, Technical Evangelist, tc@whitehatsec.com
WhiteHat Security Company Overview
- Headquartered in Santa Clara, CA
- WhiteHat Sentinel: SaaS end-to-end website risk management platform
- Employees: 250+
- Customers: 650+
2012 WhiteHat Security, Inc. 2
OVERVIEW: Web Application Security Across the SDLC
Security throughout the application lifecycle reduces website risks across the enterprise.
- Development: Sentinel Source
- Preproduction: Sentinel PL
- Production: Sentinel BE/SE/PE
WhiteHat Sentinel Security Platform
- Expertise: Threat Research Center
- Intelligence: security metrics and real-time reporting
- Accessibility: anytime / anywhere via the Internet
WhiteHat Sentinel: Software as a Service
- SaaS (annual subscription)
- Unlimited assessments / users
- Fixed flat rate per website
Unique methodology
- Proprietary scanning technology
- Expert website security analysis (TRC)
- Satisfies PCI 6.6 requirements
- Vulnerability verification and prioritization
- XML API links to other security solutions
Easy to get started
- Needs only a URL and credentials
- No management of hardware or software
- No additional training
How WhiteHat Sentinel Works (diagram)
CYBERCRIME IS NOW THE SECOND BIGGEST CAUSE OF ECONOMIC CRIME EXPERIENCED BY THE FINANCIAL SERVICES SECTOR
ATTACK LANDSCAPE
1 million accounts with 1 SQL Injection attack
ATTACK LANDSCAPE
XSS from 2009 used by LulzSec to announce Murdoch's death in 2011
ATTACK LANDSCAPE
Sophisticated, targeted fraud on eBay.com
ATTACK LANDSCAPE: Attacker Profiles
Random Opportunistic
- Fully automated scripts
- Unauthenticated scans
- Targets chosen indiscriminately
Directed Opportunistic
- Commercial and open source tools
- Authenticated scans
- Multi-step processes (forms)
Fully Targeted
- Customize their own tools
- Focused on business logic
- Clever and profit driven ($$$)
BIG DATA CAN TELL US WHAT IS REALLY GOING ON
METRICS
METRICS
8/10 websites have serious vulnerabilities.
Average number of new serious* vulnerabilities discovered per website per year (chart)
* Serious vulnerability: a security weakness that, if exploited, may lead to breach or data loss of a system, its data, or its users (PCI-DSS severity HIGH, CRITICAL, or URGENT).
METRICS: WhiteHat Security Top Ten (2011)
Percentage likelihood of a website having at least one vulnerability, sorted by class (chart)
METRICS: 37% of Vulnerabilities Are Never Fixed
The overall remediation rate in 2011 was 63%, up from 53% in 2010 and almost double the 35% rate of 2007. That is roughly a 7% average improvement per year in the percentage resolved over each of the last four years.
METRICS
Serious vulnerabilities take 38 days to fix
METRICS
Window of exposure (chart)
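As an added illustration of how the figures on these metrics slides are derived (remediation rate, mean time to fix, window of exposure), the following Python is not WhiteHat's code or data. The findings are constructed, and the window-of-exposure definition it uses, the number of days in the reporting year on which a site had at least one serious vulnerability open, is an assumption, since the slides do not define the term.

```python
"""Vulnerability lifecycle metrics over a constructed set of findings.

Added example, not WhiteHat code or data. "Window of exposure" is
taken here to mean the number of days in the reporting year on which
a site had at least one serious vulnerability open; that definition is
an assumption, the slides do not spell it out.
"""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import List, Optional

# PCI-DSS severities the deck groups as "serious".
SERIOUS = {"URGENT", "CRITICAL", "HIGH"}


@dataclass
class Finding:
    vuln_id: str
    site: str
    severity: str
    opened: date
    closed: Optional[date]  # None means still open


# Constructed sample findings for one reporting year (2011).
FINDINGS: List[Finding] = [
    Finding("WH-0001", "shop.example", "HIGH",     date(2011, 1, 10), date(2011, 2, 20)),
    Finding("WH-0002", "shop.example", "CRITICAL", date(2011, 2, 1),  date(2011, 3, 1)),
    Finding("WH-0003", "shop.example", "URGENT",   date(2011, 6, 15), None),
    Finding("WH-0004", "shop.example", "MEDIUM",   date(2011, 3, 5),  date(2011, 3, 6)),
    Finding("WH-0005", "blog.example", "HIGH",     date(2011, 4, 1),  date(2011, 4, 11)),
    Finding("WH-0006", "blog.example", "LOW",      date(2011, 5, 1),  None),
]


def serious_only(findings: List[Finding]) -> List[Finding]:
    return [f for f in findings if f.severity in SERIOUS]


def remediation_rate(findings: List[Finding]) -> float:
    """Fraction of findings that have been closed, 0.0 to 1.0."""
    if not findings:
        return 0.0
    return sum(1 for f in findings if f.closed is not None) / len(findings)


def mean_time_to_fix_days(findings: List[Finding]) -> float:
    """Mean open-to-close duration in days, over closed findings only."""
    closed = [f for f in findings if f.closed is not None]
    if not closed:
        return 0.0
    return sum((f.closed - f.opened).days for f in closed) / len(closed)


def window_of_exposure_days(findings: List[Finding], site: str, year: int) -> int:
    """Days in `year` on which `site` had at least one serious finding open.

    A finding counts as open from its `opened` date up to the day before
    `closed` (consistent with time-to-fix above). Overlapping intervals
    are merged so that a day with several open findings counts once.
    """
    year_start, year_end = date(year, 1, 1), date(year, 12, 31)
    intervals = []
    for f in serious_only(findings):
        if f.site != site:
            continue
        lo = max(f.opened, year_start)
        hi = min(f.closed - timedelta(days=1), year_end) if f.closed else year_end
        if lo <= hi:
            intervals.append((lo, hi))
    intervals.sort()

    days = 0
    cur_lo = cur_hi = None
    for lo, hi in intervals:
        if cur_hi is not None and lo <= cur_hi + timedelta(days=1):
            cur_hi = max(cur_hi, hi)  # overlaps or abuts the current run
        else:
            if cur_hi is not None:
                days += (cur_hi - cur_lo).days + 1
            cur_lo, cur_hi = lo, hi
    if cur_hi is not None:
        days += (cur_hi - cur_lo).days + 1
    return days


if __name__ == "__main__":
    print(f"remediation rate (all):     {remediation_rate(FINDINGS):.0%}")
    print(f"remediation rate (serious): {remediation_rate(serious_only(FINDINGS)):.0%}")
    print(f"mean time to fix (serious): {mean_time_to_fix_days(serious_only(FINDINGS)):.1f} days")
    for site in ("shop.example", "blog.example"):
        print(f"window of exposure {site}: {window_of_exposure_days(FINDINGS, site, 2011)} days")
```

The point the merge step makes is that window of exposure is not the sum of individual time-to-fix values: two overlapping findings on shop.example contribute 50 exposed days, not 69, and one still-open finding dominates the year regardless of how quickly the others were closed.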
METRICS: Why Do Vulnerabilities Go Unfixed?
- No one at the organization understands or is responsible for maintaining the code.
- Development group does not understand or respect the vulnerability.
- Affected code is owned by an unresponsive third party.
- Website will be decommissioned or replaced soon.
- Risk of exploitation is accepted.
- Feature enhancements are prioritized ahead of security fixes.
HOW TO SOLVE VULNERABILITY OVERLOAD
INTEGRATION: Targeting and Evolving Security Strategies
FROM: Fulfilling checkbox requirements
  TO: Securing all Web assets throughout the SDLC
FROM: Point-in-time assessments
  TO: Continuous, concurrent assessments
FROM: Tactical efforts to secure specific websites
  TO: Strategic security program to secure all websites
FROM: Taking precautions but accepting a certain level of risk
  TO: Performing security analysis in all stages of the SDLC
INTEGRATION: WAF Is a Strategic Control to Mitigate Risk
Web Application Firewalls are best at mitigating vulnerabilities such as Cross-Site Scripting, Content Spoofing, SQL Injection, Response Splitting, etc. Summing the Top Ten percentages for these classes, we might safely say: a WAF could feasibly help mitigate the risk of at least 71% of all custom Web application vulnerabilities.
INTEGRATION: How to Solve Vulnerability Overload
- Sentinel Baseline Service finds on average 7 vulnerabilities per site in the unauthenticated space
- It is common for customers to run Baseline on all of their assets: 200 sites x 7 vulnerabilities = 1400 problems!
- The WhiteHat Sentinel / F5 ASM solution will eliminate 71%, leaving the other 29% to be solved by code remediation or iRules
INTEGRATION: Integration Overview
- Finds a vulnerability
- Virtual patching with one click on BIG-IP ASM
- Vulnerability checking, detection and remediation
- Complete website protection
- Verify, assess, resolve and retest in one UI
- Automatic or manual creation of policies
- Discovery and remediation in minutes
INTEGRATION: Why Past Attempts at DAST+WAF Failed
- DAST can disrupt production if not carefully configured
- Testing QA won't provide accurate measurement
- Hundreds or thousands of unvalidated false positives and duplicates
- Slowed WAF performance and blocked valid traffic
- Without up-to-date, validated input, the WAF can't be moved into blocking mode
- False negatives in the scanning methodology (not testing certain functionality) still required broad rules
INTEGRATION: WhiteHat Sentinel, the Ideal Solution for ASM
- WhiteHat's unique methodology allows the service to find more vulnerabilities with fewer false positives than other DAST vendors, all while testing production safely
- F5 ASM + WhiteHat enables twice the number of automatically resolvable vulnerability classes of any other similar integration
- F5 is the only WAF vendor that can consume WhiteHat Sentinel's unique Vuln ID, allowing continuous, historical tracking of vulnerabilities and better integration with the WAF and the SDLC
- Live team of experts to provide assistance, explanation, and demonstration of vulnerabilities
INTEGRATION: Unique to the WhiteHat + ASM Integration
- Vuln ID to historically track vulnerability status
- 100% verified vulnerability results
- "Retest Now" to confirm virtual patch effectiveness
- "Mitigated by WAF" flag in the Sentinel interface
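The Integration Overview and the slides on Vuln ID, "Retest Now" and the "Mitigated by WAF" flag describe one loop: a verified DAST finding is turned into a narrowly scoped WAF rule, the finding's stored probe is replayed to confirm the rule blocks it, and the finding's status is tracked under its Vuln ID. The following Python is an added model of that loop; it is not WhiteHat or F5 code, does not use ASM's policy format or the Sentinel API, and the host name, Vuln IDs, findings and per-class patterns are constructed for the demo.

```python
"""Finding -> virtual patch -> retest -> status, as a toy model.

Added example; not WhiteHat or F5 code, and not ASM's policy format or
the Sentinel API. A DAST finding carries a stable Vuln ID, the WAF gets
a rule scoped to exactly that finding, "Retest Now" replays the stored
probe to confirm the rule blocks it, and the finding is then flagged as
mitigated by the WAF rather than closed, because the code is unfixed.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional
from urllib.parse import parse_qs, urlencode, urlsplit

HOST = "shop.example"  # constructed host name for the demo

# Request patterns a virtual patch applies per vulnerability class.
# Constructed, deliberately narrow demo signatures, not a production ruleset.
CLASS_PATTERNS = {
    "SQL Injection": re.compile(r"""['"]\s*(or|and|union|select)\b""", re.I),
    "Cross-Site Scripting": re.compile(r"<\s*script|\bon\w+\s*=", re.I),
}


@dataclass
class Finding:
    vuln_id: str          # stable ID shared by scanner and WAF
    vuln_class: str
    method: str
    path: str
    parameter: str
    probe: str            # the scanner's stored proof-of-vulnerability input
    status: str = "open"  # open -> mitigated_by_waf (-> closed once the code is fixed)


@dataclass
class VirtualPatch:
    vuln_id: str
    method: str
    path: str
    parameter: str
    pattern: "re.Pattern[str]"


class Waf:
    """Minimal policy engine: a list of virtual patches checked per request."""

    def __init__(self) -> None:
        self.patches: List[VirtualPatch] = []

    def add_patch_for(self, f: Finding) -> VirtualPatch:
        """One-click virtual patch: a rule scoped to the finding's endpoint and parameter."""
        p = VirtualPatch(f.vuln_id, f.method, f.path, f.parameter, CLASS_PATTERNS[f.vuln_class])
        self.patches.append(p)
        return p

    def inspect(self, method: str, url: str, form: Optional[Dict[str, str]] = None) -> Optional[str]:
        """Return the Vuln ID of the patch that blocks this request, or None to allow it."""
        parts = urlsplit(url)
        params = parse_qs(parts.query)          # query values, as lists
        for k, v in (form or {}).items():       # plus form body values
            params.setdefault(k, []).append(v)
        for p in self.patches:
            if p.method != method or p.path != parts.path:
                continue                        # patch is scoped to one endpoint
            if any(p.pattern.search(v) for v in params.get(p.parameter, [])):
                return p.vuln_id
        return None


def proof_request(f: Finding):
    """Rebuild the scanner's proof request (method, URL, form body) from a finding."""
    if f.method == "GET":
        return f.method, f"https://{HOST}{f.path}?{urlencode({f.parameter: f.probe})}", None
    return f.method, f"https://{HOST}{f.path}", {f.parameter: f.probe}


def retest(waf: Waf, f: Finding) -> str:
    """'Retest Now': replay the probe; flag mitigated only if its own patch blocked it."""
    blocked_by = waf.inspect(*proof_request(f))
    f.status = "mitigated_by_waf" if blocked_by == f.vuln_id else "open"
    return f.status


# Constructed findings with textbook probes.
FINDINGS = [
    Finding("WH-1001", "SQL Injection", "GET", "/product", "id", "1' OR '1'='1"),
    Finding("WH-1002", "Cross-Site Scripting", "POST", "/search", "q", "<script>alert(1)</script>"),
]


def run_demo() -> Dict[str, str]:
    """Patch every finding, retest each, and return {vuln_id: status}."""
    waf = Waf()
    for f in FINDINGS:
        waf.add_patch_for(f)
    return {f.vuln_id: retest(waf, f) for f in FINDINGS}


if __name__ == "__main__":
    print(run_demo())
```

Two design choices carry the point of the earlier "why DAST+WAF failed" slide: each patch is keyed to one method, path and parameter, so the same string in an unrelated parameter or on another endpoint is still allowed and blocking mode does not eat valid traffic; and "mitigated_by_waf" is a distinct status from "closed", so the Vuln ID keeps the finding visible until the code itself is remediated.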
INTEGRATION: WAF Roadmap
- Virtual patching support for atypical vulnerabilities
- Expand coverage to more vulnerability classes
- Bi-directional integration to better inform DAST of the web application attack surface
FREE TRIAL: http://www.f5networks.co.jp/info/whitehat.html
THANK YOU
T.C. NIEDZIALKOWSKI, Technical Evangelist, tc@whitehatsec.com