Website Security Whitepaper

Vulnerability Assessment Plus Web Application Firewall (VA+WAF)


Inside an enterprise lives an IT security professional responsible for website security. He takes his job seriously, because if his employer’s websites get hacked, he gets the late night call from the boss upstairs. A big part of the job requires educating developers on the importance of secure coding and informing the business owners of Web security risks. He does this because no amount of patching or firewalling will fend off an attacker with a Web browser. While doing everything within his power, there’s still a total lack of control in protecting the websites he’s responsible for. He can’t find the vulnerabilities with a traditional network scanner, nor can he fix them in website(s) when they’re found without developer involvement. But, this is all about to change.

New technology developed by WhiteHat Security enables organizations to immediately mitigate discovered vulnerabilities using a Web application firewall. WhiteHat’s Sentinel service provides continuous assessments of Web applications for vulnerabilities. Once a vulnerability is detected and validated by WhiteHat, detailed information about it is passed to the Web application firewall, where it is implemented as a blocking rule that prevents exploitation of that vulnerability. IT Security professionals get timely and accurate application security assessments and can immediately block exploitation of vulnerabilities using a Web application firewall. The best part is that it all happens almost immediately and under the control of the security group, with no dependence upon developers for patches. The end result is responsive and manageable Web security.


The Current State of Vulnerability Management

This situation has become all too familiar in today’s e-business enabled enterprises. Recent studies say 9 in 10 websites contain serious security issues [1, 2, 3], and websites are now the #1 target for malicious hackers. The problem is: when website vulnerabilities are identified by a pen-tester, developer, outsider or whomever, there is always a certain amount of time required to determine the appropriate solution. Resolution could take the form of a software update, configuration change, Web application firewall rule, etc. In any case, the time to fix should be swift, because hackers will exploit the websites’ vulnerabilities when no immediate remedy is implemented. Published reports state that nearly 80% of websites hosting malware are legitimate sites that have been hacked [4].
While the source code is being fixed or the system configuration updated, an organization has three options:

1. Take the website down
2. Revert to an older version of the website/code (if it’s secure)
3. Stay up while exposed.

The cold reality is that vulnerabilities happen despite the most regimented software development lifecycle. Historically, option #1 (taking down the website) is employed when an incident has occurred; option #2 (rolling back the code) is preferable when a hot fix is not back-ported to development and is later overwritten. Practically speaking, the vast majority of website owners default to option #3 (do nothing), essentially assuming the risk rather than halting business.

Why do so many companies choose not to act? While organizations and their security teams have good intentions, the challenges associated with remediating vulnerabilities in Web applications are daunting. For most, this involves the time-consuming process of allocating the proper personnel, prioritizing tasks, QA / regression testing the fix, and finally scheduling a production release. Figure 1 illustrates just how long it takes for the average organization to fix some of the most pervasive and widely exploited vulnerabilities.

Figure 1: Average Time to Fix by Class of Attack Measured in Days

Clearly, organizations must become more efficient at identifying Web application security problems, remediating them more quickly, and adapting to new attack techniques. When speaking with IT Security personnel, the issues they voice point to the disconnect between them and the software development groups. IT Security possesses little control over the security of the website in comparison to its control of the network or hosts. Patches cannot be applied to resolve custom Web application vulnerabilities. So, they must coordinate with development, which typically does not report to them, to get a code fix in place. Also, IT Security has a difficult time explaining the details and associated risk of a vulnerability to this less security-savvy audience.

Overcoming these challenges requires a cutting-edge yet pragmatic approach: leveraging the tight integration of precise, comprehensive vulnerability assessments with Web application firewall technology. Such a solution:

  1. Measurably improves security;
  2. Drastically reduces the time-to-fix from months or years to days or hours;
  3. Assists organizations in meeting industry and governmental regulations, such as PCI-DSS 6.6 compliance;
  4. Enables vulnerability assessment results to be immediately actionable;
  5. Eases WAF configuration and management and demonstrates due care. And, most importantly, provides a revolutionary fourth remediation option beyond those discussed above:

“Virtual patching” - allowing IT security professionals to regain control over website security by eliminating vulnerabilities as they are detected without developer intervention.
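The finding-to-rule loop described above, as an added Python model that is not WhiteHat Sentinel's or any vendor's code; the finding format, rule format, detection signatures and sample URLs are all constructed assumptions for this illustration:

```python
# Model of the VA+WAF "virtual patch" loop: a validated assessment finding
# becomes one narrowly scoped WAF rule until the code fix ships.  Constructed
# example; the finding/rule formats and sample URLs are assumptions.
import re
from dataclasses import dataclass
from urllib.parse import parse_qs, urlsplit

# Small signatures per vulnerability class (a real ruleset is far broader).
PATTERNS = {
    "xss": re.compile(r"<\s*script|javascript:|\bon\w+\s*=", re.IGNORECASE),
    "sqli": re.compile(r"['\"]\s*(or|and)\s+\S+\s*=|union\s+select|--\s*$",
                       re.IGNORECASE),
}

@dataclass(frozen=True)
class Finding:
    finding_id: str   # assessment ticket id (constructed, e.g. "VA-1001")
    vuln_class: str   # key into PATTERNS
    path: str         # request path the assessment confirmed vulnerable
    param: str        # the specific query parameter proven injectable

@dataclass(frozen=True)
class Rule:
    finding_id: str
    path: str
    param: str
    pattern: re.Pattern

def rule_from_finding(f: Finding) -> Rule:
    """Translate one validated finding into one blocking rule, scoped to its
    exact path and parameter so it cannot break unrelated traffic."""
    return Rule(f.finding_id, f.path, f.param, PATTERNS[f.vuln_class])

def evaluate(rules, url: str):
    """('block', finding_id) if a rule fires on this request, else ('allow', None)."""
    parts = urlsplit(url)
    query = parse_qs(parts.query, keep_blank_values=True)  # decodes %xx and '+'
    for rule in rules:
        if rule.path != parts.path:
            continue
        if any(rule.pattern.search(v) for v in query.get(rule.param, [])):
            return ("block", rule.finding_id)
    return ("allow", None)

# Constructed findings standing in for what the assessment service reports.
FINDINGS = [Finding("VA-1001", "xss", "/search", "q"),
            Finding("VA-1002", "sqli", "/login", "user")]
RULES = [rule_from_finding(f) for f in FINDINGS]
```

Each rule is scoped to the exact path and parameter the assessment confirmed, so the same payload sent in an unconfirmed parameter passes through; the virtual patch buys time for the code fix, it does not replace it.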



References:
1. WhiteHat Security Website Security Statistics Report (March)
2. Facing up to the threat of cyber-crime
3. 70% of websites at immediate risk of being hacked!


About the Author:
Jeremiah Grossman is the founder and CTO of WhiteHat Security. Mr. Grossman is a world-renowned expert in Web security, co-founder of the Web Application Security Consortium, and recently named to InfoWorld's Top 25 CTOs for 2007. He has authored dozens of articles and white papers, is credited with the discovery of many cutting-edge attack and defensive techniques, and co-author of the recently published book, Cross-Site Scripting Attacks. Mr. Grossman is frequently quoted in business and technology publications such as InfoWorld, USA Today, PC World, Dark Reading, SC Magazine, SecurityFocus, C-Net, CSO Magazine, and InformationWeek.


2010 © WhiteHat Security, 3003 Bunker Hill Lane, Santa Clara, CA 95054