Videos ::

Spring 2009 – 7th Edition – Website Security Statistics Report
Download a PDF of the report ››› PDF
Listen to the presentation (46 minutes) ››› WebEx
Download a PDF of the presentation (1.3 MB PDF) ››› PDF

There is a difference between what is possible and what is probable, something we often lose sight of in the world of information security. A vulnerability represents a possible way for an attacker to exploit an asset, but not all vulnerabilities are created equal. The fact that a vulnerability exists does not necessarily mean it will be exploited, nor does it indicate by whom or to what extent. Many vulnerabilities are very serious, leaving the door open to compromise of sensitive information, financial loss, brand damage, violation of industry regulations, and downtime. Some vulnerabilities are more difficult to exploit than others and therefore attract different attackers: autonomous worms and viruses may attack one type of issue, while a sentient, targeted attacker may prefer another path. A better understanding of these factors enables us to make informed business decisions about website risk management based on what is probable, not merely what is possible.

Q1 2009 Key Findings

  • 82% of websites have had a HIGH, CRITICAL, or URGENT issue
  • 63% of websites currently have a HIGH, CRITICAL, or URGENT issue
  • 60% vulnerability resolution rate among the sample, with 7,157 unresolved issues (out of 17,888 historical vulnerabilities) remaining as of 3/31/09
  • Vulnerability time-to-fix metrics are not changing substantively, typically requiring weeks to months to achieve resolution.
  • Average # of HIGH, CRITICAL, or URGENT severity vulnerabilities per website during the vulnerability assessment lifetime: 17
  • Average number of serious unresolved vulnerabilities per website: 7
  • Average number of inputs (attack surface) per website: 227
  • Average ratio of vulnerability count / number of inputs: 2.58%

Fourth Quarter 2008 Website Security Statistics
Listen to the presentation (55 minutes) ››› WebEx
Download a PDF of the presentation (1.3 MB PDF) ››› PDF

The WhiteHat Website Security Statistics Report provides a one-of-a-kind perspective on the state of website security and the issues that organizations must address to avert attack. WhiteHat has been publishing the report, which highlights the top ten vulnerabilities, vertical market trends and new attack vectors, since 2006.

The WhiteHat report presents a statistical picture of current website vulnerabilities, accompanied by WhiteHat expert analysis and recommendations. WhiteHat’s report is the only one in the industry to focus solely on unknown vulnerabilities in custom Web applications, code unique to an organization, within real-world websites.

Listen to WhiteHat Security Director of Solutions Architecture, Trey Ford, as he presents findings from the fourth quarter 2008 WhiteHat Web Application Security Statistics Report.

Strategically Blocking Cross-Site Scripting & SQL Injection Attacks
Listen to the presentation (63 minutes) ››› WebEx
Download a PDF of the presentation (1.6 MB PDF) ››› PDF

F5 Networks and WhiteHat Security present a new solution that closes the loop from Web application vulnerability detection to remediation – an integrated solution delivering total website security.

The F5 Networks and WhiteHat Security technology partnership gives security professionals a uniquely powerful and efficient system to combat the onslaught of website attacks that place customer and corporate data at risk. The combination of WhiteHat Sentinel website vulnerability management solution and F5 BIG-IP® Application Security Manager (ASM) delivers a new level of website protection – with extreme accuracy, efficiency and control.

Join Jeremiah Grossman, Founder and CTO, WhiteHat Security and Lori MacVittie, Technical Marketing Manager, F5 Networks as they offer a look at a technology breakthrough that:

  • Enables security professionals to take control of the security of their websites
  • Closes the loop from vulnerability detection to remediation
  • Allows you to rapidly block website attacks with laser-focused rules
  • Meets and exceeds PCI 6.6 Compliance.

Developer Training - The Missing Link in the Web Application Security LifeCycle with guest speaker Anna Sherony from Sammons Financial Group :: October 2008

Listen to the presentation (74 minutes) ››› WebEx
Download a PDF of the presentation (1.2 MB PDF) ››› PDF

In this webinar, you will learn how Anna Sherony, Privacy and Information Protection Officer at Sammons Financial Group, used WhiteHat Security to successfully address her Web application security needs. She invested in her team with Web developer training from WhiteHat Security and incorporated WhiteHat Sentinel to secure her Web applications.

WhiteHat Security's training helped Sammons Financial Group:

1. Train developers on the latest Web application vulnerabilities
2. Raise awareness about the importance of secure coding practices
3. Implement security as a culture among the development teams

Afterwards, Anurag Agarwal, WhiteHat Security Director of Education Services, will provide a review of WhiteHat Security's education offerings.

Get Rich or Die Trying - Making Money on the Web, The Black Hat Way

WhiteHat Security founder and CTO, Jeremiah Grossman, will repeat his Black Hat presentation: Get Rich or Die Trying - Making Money on the Web, The Black Hat Way. Now's your chance if you missed it at the Black Hat Briefings in August or you just want to hear it again.

Forget Cross-Site Scripting. Forget SQL Injection. If you want to make some serious cash on the Web silently and surreptitiously, you don't need them. You also don't need noisy scanners, sophisticated proxies, 0-days, or ninja-level reverse engineering skills -- all you need is a Web browser, a clue on what to look for, and a few black hat tricks. Generate affiliate advertising revenue from the website traffic of others, trade stock using corporate information passively gleaned, inhibit the online purchase of sought-after items to create artificial scarcity, and so much more. These activities are not technically illegal; they only violate terms of service.

You may have heard these referred to as business logic flaws, but that name really doesn't do them justice. These are not the same old Web hacker attack techniques everyone is familiar with, but the ones staring you in the face, missed because gaming a system and making money this way couldn't be that simple. Plus, IDS can't detect them and Web application firewalls can't block them. In fact, these types of attacks are so hard to detect (if anyone is actually trying) that we aren't even sure how widespread their use actually is. Time to pull back the cover and expose what's possible.

Listen to Jeremiah Grossman's presentation (74 minutes) ››› WebEx
Download a PDF of the presentation (849 KB PDF) ››› PDF

WhiteHat Website Security Statistics Report Available
The WhiteHat report presents a statistical picture of current website vulnerabilities, accompanied by WhiteHat expert analysis and recommendations. WhiteHat's report is the only one in the industry to focus solely on unknown vulnerabilities in custom Web applications, code unique to an organization, within real-world websites.
Listen to Jeremiah Grossman's presentation (68 minutes) ››› WebEx
Download a PDF of the presentation (849 KB PDF) ››› PDF
Download a PDF of the report ››› PDF

PCI 6.6 Webinar: Don't Get Caught out of Compliance
Did you "slide past" the PCI 6.6 June 30th deadline?

End the panic, and respond to this requirement with a plan to ensure compliance - today and the years to follow. Act now and take advantage of a limited time offer – 2 additional months FREE of the WhiteHat Sentinel Service. That's 14 months for the price of 12!

The WhiteHat Sentinel Service exceeds PCI requirements by offering customers unlimited assessments during its annual 1-year subscription period. In addition, Sentinel maps to PCI vulnerability severity levels for simplified customer reporting.

WhiteHat developed the Sentinel Service to control the cost of frequent, accurate website security testing. The WhiteHat Sentinel Service:

* Detects vulnerabilities in Web-facing application code
* Ranks and prioritizes vulnerabilities
* Validates and documents that vulnerabilities have been corrected
* Performs enterprise level, continual, real-time analysis

Listen to the presentation (65 minutes) ››› WebEx

Latest Website Security Statistics :: March 28, 2008
Web application layer attacks continue unabated. The issue is gaining awareness in the media and the enterprise as attacks become more targeted and organizations seek solutions.

After two years of examining the state of website security in this report, we have seen the number and type of website attacks continue to rise. That means more sensitive information than ever before is at risk, including social security numbers, credit card numbers, names, addresses, birth dates, financial records, trade secrets and medical data. This data must be rigorously protected to reduce the risk of financial losses, brand damage, theft of intellectual property, legal liability and fines.
Listen to the presentation (65 minutes) ››› WebEx
Download a PDF of the presentation (849 KB PDF) ››› PDF
Download a PDF of the report ››› PDF

Software-as-a-Service :: January 24, 2008
WhiteHat Security CEO, Stephanie Fohn, will discuss the strategic advantage of employing a Software (or Security)-as-a-Service (SaaS) model for website vulnerability management. She will examine why a SaaS solution is the only practical and secure approach to find and fix vulnerabilities that attackers are exploiting to break into websites. Ms. Fohn will also describe how a SaaS solution extends beyond vulnerability discovery and becomes the basis for an effective ongoing remediation process and for implementing web security best practices. In addition, former PayCycle, Inc. Security Architect Anurag Agarwal will discuss his experience in adopting and managing a website vulnerability management SaaS.
Listen to the discussion (40 minutes) ››› WebEx
Download a PDF of the presentation (849 KB PDF) ››› PDF

Industry Roundtable Webinar :: November 8, 2007
Listen to a light and humorous conversation as website security industry experts discuss current topics regarding website vulnerability. Jeremiah Grossman, WhiteHat Security founder and CTO, Robert "RSnake" Hansen, CEO of SecTheory, Chris Paggen, senior manager, application delivery and network security business unit at Cisco, and Jordan Wiens, Security Beat Editor at Network Computing, will take on today's hot button issue of website security in an unscripted one-hour event.
Listen to the discussion (61 minutes) ››› WebEx

Business Logic Flaws Webinar :: October 31, 2007
Session handling, credit card transactions, and password recovery are just a few examples of Web-enabled business logic processes that malicious hackers have abused to compromise major websites. These types of vulnerabilities are routinely overlooked during QA because the process is intended to test what a piece of code is supposed to do, not what it can be made to do. The other problems with business logic flaws are that scanners can't identify them, IDS can't detect them, and Web application firewalls can't defend against them. A hard-hitting trifecta. Plus, the more sophisticated and Web 2.0 feature-rich a website is, the more prone it is to have flaws in its business logic.
View the Video (51 minutes) ››› WebEx
Download a PDF of the presentation (3.83 MB PDF) ››› PDF

Hacking Intranet Websites from the Outside (Take 2) :: "Fun with and without JavaScript Malware" Webinar :: August 21, 2007
Hear Jeremiah Grossman, WhiteHat Security founder and CTO, and Robert Hansen (RSnake), CEO of SecTheory, deliver their internationally acclaimed presentation, Hacking Intranet Websites from the Outside (Take 2) – "Fun with and without JavaScript Malware." The ultimate goal of this presentation is to demonstrate many of the latest Web application security attack techniques and to highlight best practices for complete website vulnerability management.
View the Video (73 minutes) ››› WebEx
Download a PDF ››› PDF

Cross Site Request Forgery Webinar :: July 24, 2007
Attackers have begun to actively exploit CSRF vulnerabilities across the Web. Why now? Because it's incredibly easy and the vast majority of websites are vulnerable to it. How do you stop an attack originating from a "real user," who appears to be properly logged in and is making a legitimate request - except that they did not intend to make the request? Hear WhiteHat Security founder and CTO Jeremiah Grossman present "Cross-Site Request Forgery: The Sleeping Giant."
View the Video (32 minutes) ››› WebEx
Download a PDF of the presentation (2.7 MB PDF) ››› PDF

Other Videos :
• Top 10 Things You Need to Know about Website Security ››› WebEx
• Top 10 Hacks of 2006 and What They Mean for 2007 ››› WebEx

Sentinel Overview :: Take a look at some of the cool Sentinel features in our brief Quicktime movie (8 minutes). View movie ›››

WhiteHat Sentinel and F5 WAF Integration :: Watch our brief Quicktime movie (no sound) for a short overview of how Sentinel integrates with an F5 WAF. View movie ›››
