The document discusses Whitehat Security's comprehensive website risk management services, including various vulnerability assessment editions designed for different types of web applications. It outlines the evolution of their services since 2001, emphasizing cost-efficient, scalable SaaS solutions with verified vulnerability reporting. Additionally, the document details key functionalities, automated identification of security issues, and the importance of secure coding practices.

1. WhiteHat Security Website Risk Management Mark G. Meyer Director of Sales – Northeast 212-422-9400 [email_address]

2. Web Application - User’s View

3. Session Hijacking Parameter Manipulation Cross-site scripting Buffer Overflow Password Guessing Denial of Service Account Enumeration SQL Injection Web Application – Hacker’s View

4. WhiteHat Security – Website Risk Management Evolution of End-to-End Website Risk Management WhiteHat Security Founded 2001 Premium Edition Service launched in 2003 Sentinel Standard Edition introduced 2007, Baseline Edition, 2009 Visibility into risk enables oversight, measurement, process control, management Control Web Application Security Costs Scalable, SaaS – Annual Subscription 10,000’s of assessments performed annually Unlimited assessments during term of agreement Fixed annual fee, cost-efficient Proven Methodology Hundreds of Enterprise Customers ALL Vulnerabilities verified for accuracy Turnkey No installation of Hardware or Software No need to hire, train, and retain additional personnel :

5. Website Risk Management – 4 Phase Approach

6. WhiteHat Sentinel – Vulnerability Management Sentinel PE (Fully Targeted) High Impact / Production Sites – assessed by Consultants or scanning tools Performs critical business functions Configured assessment delivery Manual testing for business logic issues Verified vulnerability reporting Sentinel SE (Directed) Internal / Customer Facing Sites – assessed by scanning tools Configured assessment delivery Verified vulnerability reporting Sentinel BE (Random) Broad Based Coverage – less-complex sites Self-service assessment delivery Verified vulnerability reporting

7. WhiteHat Sentinel Vulnerability Coverage Technical : Identify with Automation Command Execution Buffer Overflow Format String Attack LDAP Injection OS Commanding SQL Injection SSI Injection XPath Injection Information Disclosure Directory Indexing Information Leakage Path Traversal Predictable Resource Location Client-Side Content Spoofing Cross-site Scripting HTTP Response Splitting Insecure Content Business Logic : Human Analysis Authentication Brute Force Insufficient Authentication Weak Password Recovery Validation CSRF Authorization Credential/Session Prediction Insufficient Authorization Insufficient Session Expiration Session Fixation Logical Attacks Abuse of Functionality Denial of Service Insufficient Anti-automation Insufficient Process Validation Premium Edition Standard Edition Baseline Edition

8. WhiteHat Sentinel – Key Functionality Per Website Subscription Combination of advanced proprietary technology and expert analysis On-Demand Turnkey solution 24x7 Reporting / Communication Unlimited Assessments / Users All Vulnerabilities Verified for Accuracy Geared for Development & Production Accurate prioritization of risk XML API Integration WAF Integration – Protection Layer Website Security Certification

9. How WhiteHat Sentinel Works

10. Secure Protection Layer – Education / WAF Introduction to Website Security Overview of Web application security. Understand how Web applications work, how to find and exploit vulnerabilities, and solutions for protection. Secure Coding for Java Developers The dangers of insecure coding practices. Specific ways code can be exploited, and how to write code to avoid introducing vulnerabilities.

11. Questions?

12. Supplemental Slides

13. Alerts – Message Center

14. Executive Summary – Enterprise Visibility

15. Website Summary – Individual Activity

16. Vulnerability Viewer – Remediation / Mitigation

17. Attack Vector Details – Code Level

18. Findings Summary – Auditing / Compliance

19. Scan Scheduler – Control Center

20. Reporting – Custom Analytics

21. Resources – API / Best Practices