Website Security Whitepapers
Provided below are short overviews of WhiteHat's website security whitepapers. Click on "read more" to review an excerpt from the whitepaper or click on "download now." Our new whitepapers require registration; all others are complimentary. If you would like multiple whitepapers, please send an email to WhiteHat listing the whitepapers you require. A representative will forward the information to you within 1 business day.
NEW WHITEPAPER: 10 Steps to Protect your Websites from SQL Injection Attacks
Data theft has become so common that the price of a stolen credit card number on the black market has fallen from $10 in 2006 to a few pennies in 2009. Consumers are losing confidence in ecommerce, online banking and other electronic means of doing business. Meanwhile, attackers are devising even more clever ways to steal data and increasing numbers of companies are falling prey to those techniques. Legal and compliance requirements are getting stricter to protect the consumer, but still new incidents are on the rise in 2009. In a recent Verizon Business Data Breach Investigations Report, studying over 600 incidents in the past five years, SQL Injection was identified as the single largest attack vector responsible for data theft.
10 Things You Should Know About Web Application Security
Phishing schemes. Stolen credit card numbers. Identity theft. Websites have emerged as the target of choice for money-hungry hackers. Attacks have moved from the network layer to the Web application layer that people use to manage their lives every day: online shopping and banking, healthcare information management, insurance payments, travel booking and college applications.
The ramifications for companies are clear: Loss of data, loss of consumer confidence and loss of brand integrity. No company can afford the black mark of a website hack. With many states mandating full disclosure, and the federal government close behind with its own efforts, the luxury of keeping these incidents behind closed doors has passed. Organizations must develop a strategy for complete website vulnerability management.
Top 5 Myths of Website Security
With network firewalls and patch management now standard practice, the network perimeter has become increasingly secure. Determined to stay a step ahead, hackers have moved up the software stack, focusing on the website itself. Gartner Group has stated that over 70% of cyber attacks occur at the application layer. Even more alarming, WhiteHat Security has found that 8 in 10 websites currently have serious vulnerabilities.
Complimentary Website Security Whitepapers – No Registration Required
Automated Scanning vs. the OWASP Top Ten
The OWASP Top Ten is a list of the most critical website security flaws – a list also often used as a minimum standard for website vulnerability assessment (VA) and compliance. There is an ongoing industry dialog about the possibility of identifying the OWASP Top Ten in a purely automated fashion (scanning). People frequently ask what can and can’t be found using either white box or black box scanners. This is important because a single missed vulnerability, or more accurately a single exploited vulnerability, can cause an organization significant financial harm. Proper expectations must be set when it comes to the various vulnerability assessment solutions.
Cross Site Request Forgery (CSRF)
Attackers have begun to actively exploit CSRF vulnerabilities across the Web. Why now? Because it’s incredibly easy and the vast majority of websites are vulnerable to it. How do you stop an attack that originates from a “real user,” who could be properly logged in and appears to be making a legitimate request, when the problem is that the user did not intend to make the request?
Cross-Site Scripting Worms and Viruses
In this white paper we will provide an overview of XSS, define XSS worms, and examine propagation methods, infection rates, and potential impact. Most importantly, we will outline immediate steps enterprises can take to defend their websites.
Software-as-a-Service (SaaS) Brief
Software-as-a-Service (SaaS) is the efficient, modern way of delivering applications and securing them. Google, Salesforce.com, Amazon, and many other forward-thinking companies have set the stage for SaaS adoption. Payroll, email, spam & malware filtering, CRM, financial services, order processing, and even network vulnerability management are popular solutions already rapidly taking advantage of the SaaS model. The economics and business efficiencies are simply too compelling to pass up. As the industry leader for website vulnerability management delivered via SaaS, WhiteHat Security is demonstrating its value to the enterprise.
Seven Business Logic Flaws That Put Your Website At Risk
As the number of common vulnerabilities such as SQL Injection and Cross-Site Scripting is reduced, the bad guys are increasing their attacks on business logic flaws. See real-world scenarios that demonstrate how pernicious and dangerous business logic flaws are to the security of a website. We’ll also show how best to spot them and provide organizations with a simple and rational game plan to prevent them.
Technology Alone cannot Defeat Website Attacks: Understanding Technical vs. Logical Vulnerabilities
For many years, security professionals have thought that there would come a day when technology alone could identify all Web application vulnerabilities and prevent all attacks, eliminating the need for the Kasparovs of the world. What we’ve come to understand is website security is a fundamentally different game than chess, or even network security. It’s highly unlikely that machines will ever replace man completely in the process of assessing website security. What’s important to understand is why.
Web Application Security 101
The best way to begin exploring website security is by learning how the Web works. While most IT professionals are very comfortable with using a Web browser to surf the Web, few of us look behind the application, at the client-server structure that powers the Web. This structure governs the way Web browsers (Firefox, Microsoft Internet Explorer) must communicate with Web servers (Apache, Microsoft IIS) to retrieve Web pages. To peer deeper into the world of the Web, we’ll begin by looking at the Web browser location bar.
VA + WAF (F5 Networks) Whitepaper
Inside an enterprise lives an IT security professional responsible for website security. He takes his job seriously, because if his employer’s websites get hacked, he gets the late-night call from the boss upstairs. A big part of the job requires educating developers on the importance of secure coding and informing the business owners of Web security risks. He does this because no amount of patching or firewalling will fend off an attacker with a Web browser. While doing everything within his power, there’s still a total lack of control in protecting the websites he’s responsible for. He can’t find the vulnerabilities with a traditional network scanner, nor can he fix them in website(s) when they’re found without developer involvement. But this is all about to change.
NEW WHITEPAPER - FEBRUARY 2010