Website Security Whitepaper

Top 5 Myths of Website Security

Download Whitepaper (registration required)

Hackers behave like water, taking the path of least resistance. Today this path leads over SSL, and past the firewall, where nothing exists between them, the website, and the information it holds. This is how a Web hacker views the world. Using a browser and a few simple tricks, hackers can penetrate a website, access the credit card database, and make off with critical data, customer databases or even intranet information, unseen.

With network firewalls and patch management now standard practice, the network perimeter has become increasingly secure. Determined to stay a step ahead, hackers have moved up the software stack, focusing on the website itself. Gartner Group has stated that over 70% of cyber attacks occur at the application layer. Even more alarming, WhiteHat Security has found that 8 in 10 websites currently have serious vulnerabilities.

These website vulnerabilities may have familiar names like SQL Injection and Cross-Site Scripting, or less common monikers like Insufficient Authorization or Predictable Resource Location. When securing our networks, we are conditioned to immediately think of firewalls, SSL, Intrusion Detection, and Anti-Virus as components of a complete solution. While they improve certain aspects of security, their impact on protecting the website is marginal. New vulnerabilities require new solutions. Contrary to popular belief, deploying a network firewall will not prevent a hacker from penetrating a gaping hole in your website. To improve the security of the Web, we must dispel this and other widely held misconceptions including:

“A website that uses SSL is secure.”

“A firewall protects the website, so it’s safe from hackers.”

“The vulnerability scanner did not report any website security issues, so it’s secure.”

“Website security is a developer problem.”

“We conduct annual security assessments on our website, so it’s secure.”

Let’s examine these myths and find the truth behind them.


Myth #1: Secure Sockets Layer (SSL) Will Secure My Website

SSL does NOT make a website secure. The tiny SSL lock symbol located at the bottom of a Web browser indicates that the information sent to and from a website is encrypted. Nothing more. SSL has no ability to protect the information stored on the website once it arrives.

Websites using strong 128-bit SSL have been hacked with the same frequency as those that do not. WhiteHat has found that the use of SSL has virtually no impact on the difficulty of breaking into a website and pillaging its confidential information.

It’s important to understand what the lock symbol represents in the security landscape. Secure Sockets Layer (SSL) is an encryption protocol that enables a website to prove to a user that it is what it claims to be, and not an impostor eavesdropping on the conversation. SSL also ensures that if someone intercepts the conversation between the user and the website, the exchange cannot be read. SSL has absolutely no impact on website security or the manner in which a user’s private information is safeguarded once it reaches the server. When private data is stored on the website, the risk is at the server level, not in the connection.

“Using encryption on the Internet is the equivalent of arranging
an armored car to deliver credit card information from
someone living in a cardboard box to someone living on a park bench.”
– Gene Spafford, Ph.D., Professor of Computer Sciences, Purdue University

Read more: Download Whitepaper (registration required)


About the Author
Jeremiah Grossman is the founder and CTO of WhiteHat Security. Mr. Grossman is a world-renowned expert in Web security, co-founder of the Web Application Security Consortium, and was recently named to InfoWorld's Top 25 CTOs for 2007. He has authored dozens of articles and white papers, is credited with the discovery of many cutting-edge attack and defensive techniques, and is co-author of the recently published book Cross-Site Scripting Attacks. Mr. Grossman is frequently quoted in business and technology publications such as InfoWorld, USA Today, PC World, Dark Reading, SC Magazine, SecurityFocus, C-Net, CSO Magazine, and InformationWeek.

2010 © Copyright  |  WhiteHat Security  |  3003 Bunker Hill Lane, Santa Clara, CA 95054  |  408.343.8300  |  Contact the Webmaster