
WhiteHat Security Presentation

WhiteHat Security Sales Presentation. Please contact mark.meyer@whitehatsec.com for more information.


  1. WhiteHat Security Website Risk Management. Mark G. Meyer, Director of Sales – Northeast, 212-422-9400, [email_address]
  2. Web Application – User’s View
  3. Web Application – Hacker’s View: Session Hijacking, Parameter Manipulation, Cross-site Scripting, Buffer Overflow, Password Guessing, Denial of Service, Account Enumeration, SQL Injection
  4. WhiteHat Security – Website Risk Management
     - Evolution of End-to-End Website Risk Management
       - WhiteHat Security founded 2001
       - Premium Edition service launched in 2003
       - Sentinel Standard Edition introduced 2007; Baseline Edition, 2009
       - Visibility into risk enables oversight, measurement, process control, management
     - Control Web Application Security Costs
       - Scalable SaaS, annual subscription
       - 10,000s of assessments performed annually
       - Unlimited assessments during term of agreement
       - Fixed annual fee, cost-efficient
     - Proven Methodology
       - Hundreds of enterprise customers
       - All vulnerabilities verified for accuracy
     - Turnkey
       - No installation of hardware or software
       - No need to hire, train, and retain additional personnel
  5. Website Risk Management – 4-Phase Approach
  6. WhiteHat Sentinel – Vulnerability Management
     - Sentinel PE (Fully Targeted)
       - High-impact / production sites, assessed by consultants or scanning tools
       - Performs critical business functions
       - Configured assessment delivery
       - Manual testing for business logic issues
       - Verified vulnerability reporting
     - Sentinel SE (Directed)
       - Internal / customer-facing sites, assessed by scanning tools
       - Configured assessment delivery
       - Verified vulnerability reporting
     - Sentinel BE (Random)
       - Broad-based coverage, less-complex sites
       - Self-service assessment delivery
       - Verified vulnerability reporting
  7. WhiteHat Sentinel Vulnerability Coverage
     - Technical: Identify with Automation
       - Command Execution: Buffer Overflow, Format String Attack, LDAP Injection, OS Commanding, SQL Injection, SSI Injection, XPath Injection
       - Information Disclosure: Directory Indexing, Information Leakage, Path Traversal, Predictable Resource Location
       - Client-Side: Content Spoofing, Cross-site Scripting, HTTP Response Splitting, Insecure Content
     - Business Logic: Human Analysis
       - Authentication: Brute Force, Insufficient Authentication, Weak Password Recovery Validation, CSRF
       - Authorization: Credential/Session Prediction, Insufficient Authorization, Insufficient Session Expiration, Session Fixation
       - Logical Attacks: Abuse of Functionality, Denial of Service, Insufficient Anti-automation, Insufficient Process Validation
     - Editions: Premium Edition, Standard Edition, Baseline Edition
  8. WhiteHat Sentinel – Key Functionality
     - Per-website subscription
     - Combination of advanced proprietary technology and expert analysis
     - On-demand turnkey solution
     - 24x7 reporting / communication
     - Unlimited assessments / users
     - All vulnerabilities verified for accuracy
     - Geared for development and production
     - Accurate prioritization of risk
     - XML API integration
     - WAF integration – protection layer
     - Website security certification
  9. How WhiteHat Sentinel Works
  10. Secure Protection Layer – Education / WAF
     - Introduction to Website Security: overview of web application security. Understand how web applications work, how to find and exploit vulnerabilities, and solutions for protection.
     - Secure Coding for Java Developers: the dangers of insecure coding practices. Specific ways code can be exploited, and how to write code to avoid introducing vulnerabilities.
  11. Questions?
  12. Supplemental Slides
  13. Alerts – Message Center
  14. Executive Summary – Enterprise Visibility
  15. Website Summary – Individual Activity
  16. Vulnerability Viewer – Remediation / Mitigation
  17. Attack Vector Details – Code Level
  18. Findings Summary – Auditing / Compliance
  19. Scan Scheduler – Control Center
  20. Reporting – Custom Analytics
  21. Resources – API / Best Practices
