White hats and black boxes

WhiteHat Security is able to find significant vulnerabilities in approximately 80 percent of the websites that it analyzes

Jeremiah Grossman wants you to know that firewalls and SSL encryption won't prevent a hacker from breaking into your e-commerce website, compromising your customers' data and possibly stealing your money. That's because most website attacks these days exploit bugs in the Web application itself, rather than in the operating system on which the application is running.

Grossman is the founder and chief technology officer of WhiteHat Security, a Silicon Valley firm that offers an outsourced website vulnerability management service. Using a combination of proprietary scanning and so-called ethical hacking, WhiteHat assesses the security of its clients' websites, looking for exploitable vulnerabilities.

WhiteHat does its scanning without access to the client's source code and from outside the client's firewall using the standard HTTP Web protocol. This approach is sometimes called "black box testing" because the website's contents are opaque to the security assessors. The problem with black box testing, of course, is that it is sure to miss many vulnerabilities and back doors that are hidden in the source code--black box testing can only find vulnerabilities that are visible to someone using your website. But the advantage of this approach is that it precisely mimics how a hacker would most likely conduct his reconnaissance and break-in.

I met Grossman this past February at the RSA Data Security Conference in San Francisco and then had a follow-up meeting with him in early March. What he told me was not all that surprising, but it was tremendously disturbing nonetheless. According to Grossman:

  • WhiteHat is able to find significant vulnerabilities in approximately 80 percent of the websites that it analyzes.
  • The 20 percent that don't have vulnerabilities are usually just "brochure-ware"--just a website with no active e-commerce application.
  • Most C-level executives think that firewalls protect websites against Web-application attacks. (They don't.)
Before founding WhiteHat, Grossman spent two years working in the security group at Yahoo. It took Grossman and his team roughly a week to test each of Yahoo's sites. At that rate, he said, it would have taken more than 10 years to test all of Yahoo's online properties--assuming that they never changed. Of course, websites do change. And every time a website gets a significant makeover it has to be retested; otherwise newly introduced security vulnerabilities can go unnoticed.

Yahoo's systems were protected by firewalls and other kinds of network isolation approaches. But these technologies don't prevent most attacks aimed at Web applications. Firewalls and isolated networks prevent an attacker on the Internet from interacting with a service. But Web applications, by their very nature, need to be open to anyone on the Internet. If a merchant were to use its firewall to block access to its shopping cart system, then none of the website's users would be able to buy anything!

Join the newsletter!

Or

Sign up to gain exclusive access to email subscriptions, event invitations, competitions, giveaways, and much more.

Membership is free, and your security and privacy remain protected. View our privacy policy before signing up.

Error: Please check your email address.
Keep up with the latest tech news, reviews and previews by subscribing to the Good Gear Guide newsletter.

Simson Garfinkel

CSO (US)
Show Comments

Father’s Day Gift Guide

Brand Post

Most Popular Reviews

Latest Articles

Resources

PCW Evaluation Team

Luke Hill

MSI GT75 TITAN

I need power and lots of it. As a Front End Web developer anything less just won’t cut it which is why the MSI GT75 is an outstanding laptop for me. It’s a sleek and futuristic looking, high quality, beast that has a touch of sci-fi flare about it.

Emily Tyson

MSI GE63 Raider

If you’re looking to invest in your next work horse laptop for work or home use, you can’t go wrong with the MSI GE63.

Laura Johnston

MSI GS65 Stealth Thin

If you can afford the price tag, it is well worth the money. It out performs any other laptop I have tried for gaming, and the transportable design and incredible display also make it ideal for work.

Andrew Teoh

Brother MFC-L9570CDW Multifunction Printer

Touch screen visibility and operation was great and easy to navigate. Each menu and sub-menu was in an understandable order and category

Louise Coady

Brother MFC-L9570CDW Multifunction Printer

The printer was convenient, produced clear and vibrant images and was very easy to use

Edwina Hargreaves

WD My Cloud Home

I would recommend this device for families and small businesses who want one safe place to store all their important digital content and a way to easily share it with friends, family, business partners, or customers.

Featured Content

Product Launch Showcase

Don’t have an account? Sign up here

Don't have an account? Sign up now

Forgot password?