Presentation slides - Synercomm IT Summit 2013

Uploaded Nov 3, 2013

WhiteHat Security

Dave Goetz
Senior Sales Director
Manager, North Central Region
847.840.0836
Dave.Goetz@WhiteHatSec.com

Jim Manico
VP of Security Architecture
808.652.3805
Jim.Manico@WhiteHatSec.com

April 19, 2012
Website Security Strategies are Evolving…

FROM:
- Checkbox compliance
- Point-in-time assessments
- Tactical efforts to secure specific websites
- Taking precautions and accepting a certain level of risk

TO THIS:
- Security throughout the SDLC
- Continuous monitoring
- Strategic program to secure all web assets
- Adopt a "Hack Yourself First" methodology in all stages of the SDLC

Top 3 Drivers for CIO's Enterprise Security Initiatives

Reduce Risk
- Identify and prioritize web assets
- Reduce exploitability

Reduce Costs
- Identification
- Remediation

Improve Visibility
- Real-time awareness of security posture
- Real-time metrics

WhiteHat Security's Sentinel

Industry's #1 Platform
- 8100+ websites continuously monitored and verified
- 10,000's of assessments concurrently running at any moment
- Over 7,000,000 vulnerabilities processed per week
- All results manually verified

Overall Top Vulnerability Classes

[Chart: % likelihood of a website having a vulnerability, by vulnerability class (includes OWASP and WASC vulnerability classes)]

Source: WhiteHat Website Security Statistic Report, 10th Edition

Benchmark Time-to-Fix (Days)

There is no longer an acceptable level of risk…

[Chart: time-to-fix in days by vulnerability class: Cross-Site Scripting, Information Leakage, Content Spoofing, Insufficient Authorization, SQL Injection, Predictable Resource Location, Session Fixation, Cross-Site Request Forgery, Abuse of Functionality, HTTP Response Splitting]

Window of exposure: the number of days a website is exposed to at least one serious* reported vulnerability. Most websites were exposed to at least one serious* vulnerability every day of 2010, or nearly so (9-12 months of the year). 16% of websites were vulnerable for less than 30 days.
Intelligence Reduces Windows of Exposure

WhiteHat Security Throughout the Application Lifecycle
- Development: Sentinel Source
- Preproduction: Sentinel PL
- Production: Sentinel

Reduces Overall Risk Across the Enterprise

WhiteHat Sentinel Security Platform

Covers Development, Pre-Production and Production with Sentinel BE/SE/PE (Baseline, Standard and Premium Editions)

- Accessibility: anytime, anywhere
- Expertise: recognized security experts
- Intelligence: benchmarking metrics

WhiteHat Sentinel Assessment Platform

SaaS (Annual Subscription)
- Unlimited assessments / users
- Fixed flat rate per website

Assessment Methodology
- Proprietary scanning technology
- Direct access to security experts
- Continuous monitoring

100% Vulnerability Verification
- Eliminates false positives, prioritizing enterprise risk

XML API
- Leverages other security investments

Easy to get started
- Need URL and credentials
- No management of hardware or software
- No additional training

Enterprise

Sentinel Baseline Edition (BE)
Compare with: generic scanner, PLUS
- Asset discovery / prioritization of websites
- Broad based
- Continuous monitoring
- Unauthenticated
- Technical vulnerabilities

Sentinel Standard Edition Upgrade (SE)
Compare with: professional running a generic scanner, PLUS
- Authenticated
- Technical vulnerabilities
- Continuous monitoring
- Automated testing
- Fully customized and configured

Sentinel Premium Edition Upgrade (PE)
Compare with: traditional consultant, PLUS
- Authenticated
- Technical and business logic vulnerabilities
- Continuous monitoring
- Automated & manual testing
- Fully customized and configured
WhiteHat Sentinel

Maps to almost any website
Continuous Monitoring | All Vulnerabilities Manually Verified

NEW Sentinel PL Edition
- Sentinel PreLaunch Edition (PL): fast & flexible assessments in a QA environment
- Assigned TAM will help determine the appropriate level of service

© 2009 WhiteHat Security | page 11

How WhiteHat Sentinel Works

Attain a Secure State with WhiteHat Security
- Cost effective enterprise solution
- Combines automation with human intelligence
- Provides speed and scalability throughout the entire SDLC
- Offers consistent methodology and processes
- Awareness and prioritization of all of your websites
- Continuous monitoring with 100% human verification
- Anchors your website security program

WhiteHat Sentinel Source

How it Works

SAST Solutions by Generation

WhiteHat Security: the "Measuring Stick"

WhiteHat Sentinel Vulnerability Coverage

Technical: Identify with Automation

Command Execution
- Buffer Overflow
- Format String Attack
- LDAP Injection
- OS Commanding
- SQL Injection
- SSI Injection
- XPath Injection

Information Disclosure
- Directory Indexing
- Information Leakage
- Path Traversal
- Predictable Resource Location

Client-Side
- Content Spoofing
- Cross-site Scripting
- HTTP Response Splitting
- Insecure Content

Business Logic: Human Analysis

Authentication
- Brute Force
- Insufficient Authentication
- Weak Password Recovery Validation
- CSRF

Authorization
- Credential/Session Prediction
- Insufficient Authorization
- Insufficient Session Expiration
- Session Fixation

Logical Attacks
- Abuse of Functionality
- Denial of Service
- Insufficient Anti-automation
- Insufficient Process Validation

[Chart labels: Baseline Edition | Standard & PL Edition | Premium Edition]

Protection - WAF Integration

WhiteHat Security (WASC) Coverage vs. OWASP Top 10
