White hats and black boxes

WhiteHat Security is able to find significant vulnerabilities in approximately 80 percent of the websites that it analyzes

Jeremiah Grossman wants you to know that firewalls and SSL encryption won't prevent a hacker from breaking into your e-commerce website, compromising your customers' data and possibly stealing your money. That's because most website attacks these days exploit bugs in the Web application itself, rather than in the operating system on which the application is running.

Grossman is the founder and chief technology officer of WhiteHat Security, a Silicon Valley firm that offers an outsourced website vulnerability management service. Using a combination of proprietary scanning and so-called ethical hacking, WhiteHat assesses the security of its clients' websites, looking for exploitable vulnerabilities.

WhiteHat does its scanning without access to the client's source code and from outside the client's firewall, using the standard HTTP Web protocol. This approach is sometimes called "black box testing" because the website's internals are opaque to the security assessors. The limitation of black box testing, of course, is that it will miss vulnerabilities and back doors that are visible only in the source code: it can find only the vulnerabilities that are exposed to someone using your website. Its advantage is that it closely mimics how an attacker would actually conduct reconnaissance and break in.

I met Grossman this past February at the RSA Data Security Conference in San Francisco and then had a follow-up meeting with him in early March. What he told me was not all that surprising, but it was tremendously disturbing nonetheless. According to Grossman:

  • WhiteHat is able to find significant vulnerabilities in approximately 80 percent of the websites that it analyzes.
  • The 20 percent that don't have vulnerabilities are usually just "brochure-ware"--just a website with no active e-commerce application.
  • Most C-level executives think that firewalls protect websites against Web-application attacks. (They don't.)

Before founding WhiteHat, Grossman spent two years working in the security group at Yahoo. It took Grossman and his team roughly a week to test each of Yahoo's sites. At that rate, he said, it would have taken more than 10 years to test all of Yahoo's online properties, assuming that they never changed. Of course, websites do change, and every time a website gets a significant makeover it has to be retested; otherwise newly introduced security vulnerabilities go unnoticed.

Yahoo's systems were protected by firewalls and other forms of network isolation. But these technologies don't stop most attacks aimed at Web applications. A firewall or an isolated network keeps an attacker on the Internet from reaching a service at all; a Web application, by its very nature, must be reachable by anyone on the Internet, and the attack arrives inside an ordinary HTTP request of exactly the kind the firewall is configured to let through. If a merchant were to use its firewall to block access to its shopping cart system, none of the website's users would be able to buy anything!
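To make the two points above concrete (black box testing sees only what a visitor to the site can see, and a firewall does not help because the attack rides inside a permitted HTTP request), here is an added example; it is not from the article and not WhiteHat's code. It runs a minimal black-box probe against a constructed toy shop-search endpoint in two versions, vulnerable and hardened. The endpoint itself, the `send` callable that stands in for an HTTP GET, the hidden `dump` parameter and the marker strings are all assumptions made for the illustration.

```python
# Added example (not from the article or WhiteHat): a black-box probe that
# sees only request/response pairs, run against a constructed toy endpoint.
import html
import sqlite3
import urllib.parse

# ---- Constructed target: a hypothetical shop search page --------------------
_DB = sqlite3.connect(":memory:")
_DB.execute("CREATE TABLE products(name TEXT, price REAL)")
_DB.executemany("INSERT INTO products VALUES (?, ?)",
                [("widget", 9.99), ("gadget", 19.99)])
_DB.commit()


def _render(q_shown, rows):
    return (f"<h1>Results for {q_shown}</h1><ul>"
            + "".join(f"<li>{n}: {p}</li>" for n, p in rows) + "</ul>")


def vulnerable_search(query_string):
    """(status, body) for GET /search?<query_string>.

    Concatenates user input into SQL, echoes it into HTML unescaped, leaks the
    database error text, and carries an undocumented maintenance parameter
    (assumed here) that nothing in any response ever points at.
    """
    params = urllib.parse.parse_qs(query_string)
    q = params.get("q", [""])[0]
    if params.get("dump") == ["1"]:      # hidden back door; only visible in source
        return 200, str(_DB.execute("SELECT * FROM products").fetchall())
    try:
        rows = _DB.execute(
            f"SELECT name, price FROM products WHERE name LIKE '%{q}%'").fetchall()
    except sqlite3.Error as e:
        return 500, f"<p>Database error: {e}</p>"
    return 200, _render(q, rows)


def hardened_search(query_string):
    """Same endpoint with a bound SQL parameter and HTML output encoding."""
    params = urllib.parse.parse_qs(query_string)
    q = params.get("q", [""])[0]
    rows = _DB.execute("SELECT name, price FROM products WHERE name LIKE ?",
                       (f"%{q}%",)).fetchall()
    return 200, _render(html.escape(q), rows)


# ---- Black-box probe: sends requests, reads responses, never sees the code ---
MARKER = 'zq<"wh>zq'   # unlikely string carrying HTML metacharacters


def probe(send, param="q"):
    """`send(query_string) -> (status, body)` stands in for an HTTP GET across
    the firewall on port 80/443. Returns a list of finding labels."""
    findings = []

    def enc(value):
        return urllib.parse.urlencode({param: value})

    # 1. Reflection: is input echoed with its metacharacters intact? (XSS candidate)
    _, body = send(enc(MARKER))
    if MARKER in body:
        findings.append("unencoded reflection")

    # 2. Error-based: does a lone quote break the back-end query?
    status, body = send(enc("'"))
    if status >= 500 or "database error" in body.lower():
        findings.append("sql error on quote")

    # 3. Boolean-based: does a tautology widen the result set versus a baseline
    #    term that matches nothing?
    _, base = send(enc("zzz_no_such_product"))
    _, taut = send(enc("zzz_no_such_product%' OR '1%'='1"))
    if taut.count("<li>") > base.count("<li>"):
        findings.append("tautology changes results")
    return findings


if __name__ == "__main__":
    print("vulnerable:", probe(vulnerable_search))
    print("hardened:  ", probe(hardened_search))
```

All three findings against the vulnerable version come from requests a firewall must allow, since they are indistinguishable from a shopper searching the catalogue. The probe reports nothing for the hardened version, and it never finds the `dump=1` back door in either, because no response ever hints that the parameter exists; that is the blind spot of black box testing the article describes.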

Simson Garfinkel

CSO (US)