Web Application Security Services
Web applications have become the Achilles heel of IT security. Web application vulnerabilities are now the most prevalent at more than 55 percent of all server vulnerability disclosures. This figure does not include vulnerabilities in custom-developed web applications, so it may be just the “tip of the iceberg,” according to IBM’s analysis.
Vulnerabilities in web applications may take any of two dozen forms. Many attacks use fault injection, which exploits weaknesses in how a web application parses and interprets its input (its syntax and semantics). In simple terms, an attacker manipulates data in a web page’s Uniform Resource Locator (URL) link to force an exploitable malfunction in the application. The two most common varieties are SQL Injection and Cross-site Scripting. The outcome often gives an attacker control over the application and easy access to the server, database, and other back-end IT resources.
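The two injection classes named above, shown as a vulnerable request handler beside its hardened form. This is an added illustration, not WhiteHat’s code: it uses only the Python standard library, an in-memory SQLite table with constructed sample rows, and constructed probe strings, so it runs offline.

```python
"""
Added example (not from the page's vendor): SQL Injection and Cross-site
Scripting as fault injection through a URL parameter, with the fix for each.
The database rows and the probe inputs are constructed for the demo.
"""
import html
import sqlite3


def build_db() -> sqlite3.Connection:
    """In-memory table with two constructed users."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, email TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?)",
        [("alice", "alice@example.test"), ("bob", "bob@example.test")],
    )
    conn.commit()
    return conn


def find_user_vulnerable(conn, name):
    """Vulnerable: the URL parameter is pasted into the SQL text, so the
    caller controls the query's syntax, not just its data."""
    sql = "SELECT name, email FROM users WHERE name = '%s'" % name
    return conn.execute(sql).fetchall()


def find_user_safe(conn, name):
    """Hardened: a bound parameter is always data, never SQL syntax."""
    sql = "SELECT name, email FROM users WHERE name = ?"
    return conn.execute(sql, (name,)).fetchall()


def render_greeting_vulnerable(name):
    """Vulnerable: untrusted input is written into HTML unescaped, so a
    parameter carrying markup is reflected as markup (XSS)."""
    return "<p>Hello, %s</p>" % name


def render_greeting_safe(name):
    """Hardened: escape for the HTML text context before emitting."""
    return "<p>Hello, %s</p>" % html.escape(name, quote=True)


if __name__ == "__main__":
    db = build_db()
    # Constructed SQLi probe: closes the quoted literal and appends an always-true clause.
    sqli_probe = "' OR '1'='1"
    print(find_user_vulnerable(db, sqli_probe))  # both rows: the WHERE clause is bypassed
    print(find_user_safe(db, sqli_probe))        # []: the string is looked up literally
    # Constructed XSS probe: markup in a value that the page echoes back.
    xss_probe = "<script>alert(1)</script>"
    print(render_greeting_vulnerable(xss_probe))  # markup survives intact
    print(render_greeting_safe(xss_probe))        # &lt;script&gt; ... rendered as text
```

The two hardened functions are the whole countermeasure for these classes at the code level: parameter binding keeps user data out of the query grammar, and context-appropriate escaping keeps it out of the HTML grammar. Scanning services such as the one this page describes verify that the vulnerable forms are absent; the fix still has to be made in the application code.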
Countermeasures for Securing Web Applications
Asset Identification and Risk Profiling
See if this sounds familiar: Individual business units create new websites without involving your security team. Acquisitions and mergers quickly add many new sites to your roster. And one-off promotional websites proliferate faster than you can count.
Welcome to today’s Web-centric enterprise, where identifying hundreds, thousands or even tens of thousands of website assets within your organization can be a daunting task – and one where doing it by host name alone is unrealistic.
WhiteHat’s website security offering includes an asset identification and risk profiling solution that can help you identify your website assets – even the ones you didn’t know you had – quickly. And once all your websites are identified, we’ll help you prioritize which are the most important, based on the following factors.
Does the website:
- Generate revenue?
- Store and retrieve regulated data?
- Contain company-specific confidential data?
- Contain customer-specific data?
The answers to these questions determine the overall security risk to your organization, and what kind of resources must be allocated to keep you secure.
For organizations with hundreds or thousands of websites that need a more thorough understanding of the types of websites on their network, WhiteHat can help identify additional risk characteristics such as:
- Is it a website? (Often, companies secure domains but do not actually build a site under them, in which case no action is required)
- Is there a load balancer in front of the website?
- Is there a log-in?
- Does it employ SSL?
- Are there forms on the site?
Once these questions are answered by WhiteHat, it’s easy to decide on the appropriate Sentinel service levels. The more the answers are “yes,” the greater the likelihood that a more robust service level is required.
We’ll provide you with a full risk profile for your sites – along with comprehensive recommendations on how to secure them as never before.
Indeed, with WhiteHat Sentinel deployed across your websites, you’ll have the website intelligence you need to establish a proper risk profile of each site so you can make intelligent decisions on any additional website security investments.
Once you’ve got a solid read on your inventory of websites – with each site identified by its risk profile – you’re ready to select the website vulnerability management solutions that meet your specific needs.
Built on a SaaS (Software-as-a-Service) or cloud-based technology platform, the WhiteHat Sentinel family of services is designed from the ground up to scale massively – providing support for even the most complex websites, 100, 1,000 or even 10,000 of them – throughout the enterprise.
And unlike traditional website scanning software or consultants, WhiteHat Sentinel is the only solution to combine highly advanced scanning technology with custom testing from our Threat Research Center (TRC), a team of website security experts who are a key component of our offering.
Every service offered by WhiteHat provides the same rigorous vulnerability testing and verification process. So, your team and your developers can be sure that they are fixing real issues, not chasing false positives.
The result: The ultimate in security. Greater efficiencies. And a much lower total cost of ownership. And what’s not to love about that?
Four Levels of Website Protection
Sentinel Premium Edition (PE)
Ideal for websites that are permanent, mission-critical, and governed by compliance requirements (think transactional, forms-based capabilities). PE includes testing for both technical vulnerabilities and custom testing for business logic flaws by the WhiteHat Threat Research Center.
Sentinel Standard Edition (SE)
Designed for websites that are permanent fixtures, but are not necessarily mission-critical. SE tests for and verifies technical vulnerabilities and multi-step forms.
Sentinel Baseline Edition (BE)
The foundational solution for covering all your website assets or for protecting basic, less-critical sites. Tests for and verifies technical vulnerabilities.
Sentinel PreLaunch (PL)
Provides fast and accurate technical vulnerability assessments in preproduction, enabling users to assess and fix code prior to production deployment.
Reporting and Communication
Let’s face it: Most large organizations have numerous stakeholders who need an instant read on the current risk posture of their websites.
No problem. WhiteHat Security is the only solution that provides reliable and precise website vulnerability intelligence and the ability to share and use that intelligence throughout your existing communications and reporting infrastructure.
The result: Your risk management & compliance, product management and software development teams have greater insight into their risk posture, and can take corrective action while communicating that action across the different compliance and reporting components within the organization’s infrastructure.
How We Do It
Our open, RESTful (Representational State Transfer) XML API supports vulnerability data, website configurations, and policy information. And it can be accessed with either a specially generated API key or an authenticated session ID token.
WhiteHat Sentinel integrates with industry-leading bug tracking, Security Information and Event Management (SIEM), and Web Application Firewall (WAF) products to allow sharing of website security data across departments.
All of which is to say that for the first time ever, an organization can integrate website security into its operations while also delivering new levels of visibility throughout the organization and greater levels of control to its security professionals.
Best of all: Users also can easily build their own integrations to streamline internal risk management processes and direct WhiteHat Sentinel’s succinct, actionable data to the correct resources, so everyone’s in the know – and acting on it.
Successful integrations include:
- Snort IPS developed by Sourcefire – creates ultra-targeted Snort rules, which expand the capability of an IPS to reliably detect application layer attacks
- Archer Technologies – manages enterprise risk by proactively identifying, tracking and managing the remediation of critical vulnerabilities in websites
- Jira bugtracking system – gives developers easy access to the information necessary to fix problems in custom website code
- F5 Networks ASM and Imperva SecureSphere Web Application Firewalls (WAFs) – enable real-time mitigation of website attacks
Now, we move to the final phase of our website security management approach, which uses four different methods for managing vulnerabilities:
1. Open-Source Intrusion Prevention Systems (IPS) & Snort Integration
WhiteHat Sentinel is the first website vulnerability management solution to integrate verified website vulnerability data with Snort. This integration:
- Extends IPS from the network space to websites, the #1 target for today’s hackers
- Enables you to fine-tune Snort alerts and correlate findings to reduce noise so security teams can focus on what matters most
2. Developer Remediation
WhiteHat Sentinel’s Web-based reporting provides granular customized reports that include:
- Detailed vulnerability descriptions
- “Retest now” functionality to confirm effective remediation
- Trend reporting across enterprise websites
- Open XML API for data export to bug-tracking systems
3. Security Education & Training
We don’t just install solutions, pat you on the back and be on our way. Our courses for developers and security professionals are unmatched for their high value and wealth of information.
4. WAF Integration/Virtual Patching
Integration of a WAF with WhiteHat Sentinel detects and defends against website vulnerabilities via virtual patching. We’re talking rapid identification and repair of vulnerabilities with extreme accuracy and efficiency that will rock your world.
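The Snort integration under item 1 and the WAF virtual patching under item 4 share one idea: a verified finding (a known path, a known vulnerable parameter, a known vulnerability class) is narrow enough to turn into a rule that fires only there, which is what keeps the rule precise and low-noise. The following added example, which is not WhiteHat’s code or any vendor’s, shows that translation in Python. The finding record and its schema are constructed; the output uses Snort 2 rule syntax and, because the page does not show F5 ASM or Imperva rule languages, ModSecurity 2 SecRule syntax is assumed for the virtual patch. The signature regexes and the id ranges are constructed for the demo.

```python
"""
Added example: one verified finding -> one targeted Snort rule and one WAF
virtual patch. The Finding schema, signatures and id bases are constructed.
"""
import re
from dataclasses import dataclass

# Coarse per-class probe characters. Acceptable only because each rule is
# scoped to a single path and a single parameter already verified vulnerable;
# a site-wide rule this coarse would block legitimate traffic.
SIGNATURES = {
    "SQL Injection": r"('|--)",
    "Cross-site Scripting": r"[<>]",
}

_SAFE_PATH = re.compile(r"^/[A-Za-z0-9_./-]*$")
_SAFE_PARAM = re.compile(r"^[A-Za-z0-9_]+$")


@dataclass
class Finding:
    """A verified vulnerability as a scanner might export it (constructed)."""
    finding_id: int      # scanner's own id; rule ids are derived from it
    vuln_class: str      # key of SIGNATURES
    path: str            # URL path of the vulnerable page
    parameter: str       # vulnerable query/form parameter


def validate(f: Finding) -> None:
    """Finding fields arrive from an external system; reject anything that
    could break out of the rule syntax instead of interpolating it blindly."""
    if f.vuln_class not in SIGNATURES:
        raise ValueError("no signature for class %r" % f.vuln_class)
    if not _SAFE_PATH.match(f.path):
        raise ValueError("unsafe path %r" % f.path)
    if not _SAFE_PARAM.match(f.parameter):
        raise ValueError("unsafe parameter name %r" % f.parameter)


def snort_rule(f: Finding, sid_base: int = 1000000) -> str:
    """Snort 2 rule: alert only when the verified path is requested and the
    vulnerable query-string parameter carries probe characters. The 'U'
    modifier matches against the normalized URI buffer, so this covers GET
    parameters; POST bodies would need the client-body buffer instead."""
    validate(f)
    return (
        'alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ('
        'msg:"%s in %s parameter %s"; flow:to_server,established; '
        'content:"%s"; http_uri; '
        'pcre:"/[?&]%s=[^&]*%s/Ui"; '
        'classtype:web-application-attack; sid:%d; rev:1;)'
        % (f.vuln_class, f.path, f.parameter, f.path, f.parameter,
           SIGNATURES[f.vuln_class], sid_base + f.finding_id)
    )


def modsec_virtual_patch(f: Finding, id_base: int = 1000000) -> str:
    """ModSecurity 2 chained rule: deny the request when the verified path is
    hit AND the one vulnerable argument (query or body) matches the signature.
    The second rule is evaluated only if the first matched (chain)."""
    validate(f)
    rule_id = id_base + f.finding_id
    first = (
        'SecRule REQUEST_FILENAME "@streq %s" '
        '"id:%d,phase:2,deny,status:403,log,'
        "msg:'Virtual patch: %s in %s',chain\""
        % (f.path, rule_id, f.vuln_class, f.parameter)
    )
    second = '    SecRule ARGS:%s "@rx %s" "t:urlDecodeUni"' % (
        f.parameter, SIGNATURES[f.vuln_class])
    return first + "\n" + second


if __name__ == "__main__":
    # Constructed finding: parameter "user" on /login.php verified injectable.
    finding = Finding(42, "SQL Injection", "/login.php", "user")
    print(snort_rule(finding))
    print(modsec_virtual_patch(finding))
```

The validation step matters in practice: a rule generator is itself a consumer of untrusted data, and a finding whose parameter name contained a quote or a semicolon would otherwise be written straight into rule syntax. The virtual patch is a stop-gap that buys time until the code fix is deployed and retested; the Snort rule, which alerts rather than blocks, is the detection side of the same finding.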