Website Security Webinars & Presentations

WhiteHat Webinar: Breaking Browsers: Hacking Auto-Complete
August 2010
Listen to the Presentation (1 hour 24 minutes) ›› WebEx
Download a PDF of the Presentation (4.9 MB PDF) ›› PDF

Did you know a malicious website, laced with JavaScript malware, can steal passwords for other websites stored in Firefox's Password Manager using nothing but garden-variety Cross-Site Scripting? How about JavaScript's ability to mine HTML form auto-complete data out of Internet Explorer 6 and 7 (about one-third of the Web)? This hack could be used to reveal a user's first name, last name, aliases, email addresses, physical address, etc. What about forcing Web browsers to evict all of their cookies, thereby automatically logging users out of all their current sessions, deleting tracking cookies, and so on?

Technically speaking, all of these Web hacking techniques and others are publicly documented, just not very well known or advertised. For whatever reason they've been ignored by the browser vendors and Web security researchers. Time to bring them up to the surface.

Live demos on display!

WhiteHat Webinar: 2010: A Web Hacking Odyssey – The Top Ten Hacks of the Year
March 2010
Listen to Presentation (1 hour 32 minutes) ›› WebEx
Download a PDF of the Presentation (4.2 MB ZIPPED PDF) ›› PDF

If you missed Jeremiah Grossman's presentation at RSA last week, don't miss it again. WhiteHat Security invites you to an encore presentation of "2010: A Web Hacking Odyssey - The Top Ten Hacks of the Year."

Every year, powerful new Web hacking techniques are revealed, many of which are highly sophisticated and esoteric. Staying up-to-date on these threats is a full-time job. This session separates the best from the rest and selects the top ten to cover in technical detail. The session will explore how Web security is impacted, the business risks posed and which are likely to be used maliciously.

WhiteHat & Aspect Webinar: A Real World Application Security Success Story
February 2010
Listen to the Presentation (63 minutes) ›› WebEx
Download a PDF of the Presentation (16 MB PDF) ›› PDF

Organizations are desperate for effective guidance on the best ways to introduce and manage Web application security within their software development life-cycle. Success comes from learning how to quickly and efficiently fix immediate issues and implement incremental long-term changes that are neither expensive nor disruptive to the software development process. There is no better way to learn that than through a genuine case-study walk-through.

Jeremiah Grossman, Founder and CTO of WhiteHat Security, and Jeff Williams, CEO of Aspect Security, will review a real company with an application security crisis. This company faced serious business hurdles and needed to get the problem solved in a hurry. WhiteHat quickly identified the most critical problems needing to be fixed and got the organization focused; Aspect helped eliminate these flaws quickly and established a program for managing application security across their portfolio. The process and results were nothing short of a roadmap that other organizations may follow.

Aspect Security & WhiteHat Security have joined forces to provide organizations the solution they need to build more secure Web applications and create a sound risk management program. The on-demand assessment capabilities of WhiteHat Sentinel enable Aspect Security consultants to manage vulnerability analysis across a large portfolio of Web applications while developing a custom program to prevent flaws from being introduced early in the software development life-cycle.

Join Aspect Security and WhiteHat Security in an informative webinar to learn more about this unique partnership and how it can help you and your environment.

WhiteHat Webinar – 10 Steps to Prevent a SQL Injection Attack
February 2010
Listen to the Presentation (57 minutes) ›› WebEx
Download a PDF of the Presentation (20 MB PDF) ›› PDF
Download the Whitepaper "10 Steps to Protect your Websites from SQL Injection Attacks" ›› PDF

Data theft has become so common that the price of a stolen credit card number on the black market has come down from $10 in 2006 to just a few pennies in 2009. Very recently, Verizon did a study of over 600 incidents in the past 5 years and found that the single largest attack vector responsible for data theft is a SQL injection attack.

In this 30 minute presentation, Anurag Agarwal, Director of Education Services, will show you how easy it is to perform a SQL injection attack that allows an attacker to profile your database, run an OS command or even remotely back up your entire database by exploiting certain vulnerable fields.

This presentation will show you how to test whether your application is vulnerable to a SQL injection attack and how it can easily be fixed by your developers. In conclusion, Anurag will walk you through the 10 steps needed to prevent your applications from being vulnerable to SQL injection attacks. These 10 steps are not just for the developers but for database administrators as well.

How to Keep Hackers on Ice While Your Code is Frozen
December 2009
Listen to the Presentation (60 minutes) ›› WebEx

Join Jeremiah Grossman, founder and CTO of WhiteHat Security, and Brian Contos, Chief Security Strategist for Imperva, for an interactive presentation that leverages live audience feedback, expert insight and end-user experience to illustrate the most effective methods for combating Web application abuse and fraud.

Every organization has periods of time where IT assets are frozen and modifications (i.e. patching or code changes) are restricted. In fact, with the holiday shopping season in full swing, your company may be under a code freeze right now. While the development team must remain hands-off at this time, scores of hackers and fraud-artists – both external and internal – remain hyper-active in their efforts to exploit any application security vulnerabilities. This educational webinar will explore the security risks that accompany a code freeze and will offer real world examples of organizations that have mitigated those risks through proven web application security and vulnerability assessment solutions that allow your code to remain frozen and keep dangerous hackers on ice.

Topics covered during the webinar will include:

  • The good, the bad, and the ugly regarding code freezes
  • How to use Virtual Patching and Vulnerability Assessment to provide 24/7/365 security for your Web applications – even during a code freeze
  • The current state of application security - stats, charts and stories from the trenches
  • The limitations of purely preventative controls, including reasons why they don’t work in “real world” business operations environments
  • How to reduce the exposure for your application vulnerabilities so that the “bad guys” can’t exploit them

WhiteHat Webinar – Website Statistics Report
November 2009
Download a PDF of the report ›› PDF
Download a PDF of the presentation (1.9 MB PDF) ›› PDF
Listen to the presentation (53 minutes) ›› WebEx

Hear WhiteHat Security Founder and CTO Jeremiah Grossman present findings from the eighth installment of the WhiteHat Web Application Security Statistics Report on November 12th.

The WhiteHat Website Security Statistics Report provides a one-of-a-kind perspective on the state of website security and the issues that organizations must address to avert attack. This report presents a statistical picture of current website vulnerabilities, accompanied by WhiteHat expert analysis and recommendations.

In this webinar you will learn more about these key findings, among others:

* 83% of websites have had at least one serious vulnerability
* 64% of websites currently have at least one serious vulnerability
* Vulnerability resolution percentages are nudging higher across the range, particularly within the Cross-Site Scripting and SQL Injection classes.

Web Hacking: Tricks of the Trade
October 2009
Listen to the Webinar (1 hour 12 minutes) ›› WebEx
Download a PDF of the Presentation, Part 1 of 2 (9.67 MB PDF) ›› PDF
Download a PDF of the Presentation, Part 2 of 2 (21.76 MB PDF) ›› PDF

This one hour session will reveal why website vulnerabilities present such a big threat to organizations and how easy it can be to hack into a website. Anurag Agarwal, Director, Education Services, WhiteHat Security, will demonstrate how a small error message can allow a hacker to control a website and steal all the credit card numbers in a matter of minutes. Anurag will also highlight real life case studies on how some of the Global 500's websites were hacked.

This interactive session will be an eye opener for developers and security executives building a website risk management program. In this webinar you will learn:

  • How a hacker can easily exploit a website
  • It's not just about data; there are other ways to make money
  • How multiple vulnerabilities can be used together to break encryption, etc.
  • How WhiteHat Security can help

How to Jump-Start Your Application Security Knowledge: For the Network Security Guy Who Knows Nothing about Application Security
WhiteHat Webinar with Denim Group
October 2009
Listen to the Webinar (1 hour 22 minutes) ›› WebEx
Download a PDF of the Presentation (788 KB PDF) ›› PDF

Most security officers are not software developers, and rarely do they have control over the security of internally developed software systems. However, CSOs are still frequently held accountable when externally-facing software is compromised and a breach occurs. Unless security professionals radically upgrade their knowledge of software and software development techniques, they will continue to inadequately manage the risk that custom software systems represent to the enterprise.

Presented by John Dickson of Denim Group and Jeremiah Grossman of WhiteHat Security, this webinar will help non-development security managers understand the salient aspects of the software development process and upgrade their IQ on software. It will help them identify the risks addressed by different assessment approaches, learn how to inject themselves into the development process at key "waypoints," and understand ways to influence development peers to write more secure code.

Security Religions and Risk Windows
September 2009
Listen to the Webinar (1 hour 12 minutes) ›› WebEx
Download a PDF of the presentation (21 MB PDF) ›› PDF

Information security threats are way up, fraud losses continue to rise, regulatory fines are increasingly common, and budgeted dollars to solve this myriad of problems are in short supply. Hampered by a sluggish economy, organizations simply cannot afford to hire all the talent they need, implement every best practice, or buy every blinking-light widget out there. Sacrifices are unavoidable; risk must be managed. Each organization must decide for itself the level of risk it is willing to accept.

In this webinar, Jeremiah Grossman will discuss the two prevailing but opposing security religions - the Depth Religion and the Breadth Religion. Jeremiah will then review the common misconceptions associated with each religion as it pertains to website security.

Dan Carcone from Imperva will then review inherent design flaws found in the majority of today's web applications and demonstrate SQL Injection, Cross Site Scripting, Discount Cookie Poisoning, direct database attacks and several other website and database attacks. The presentation will end with a general discussion of prevention techniques and an interactive Q&A session.

Together WhiteHat and Imperva provide a multi-layered approach to website protection and data security featuring the industry’s leading website vulnerability management solutions and Web Application Firewall (WAF) to create a robust website risk management security strategy.

Mo' Money Mo' Problems – Making A LOT More Money on the Web the Black Hat Way
August 2009
Listen to the webinar (1 hour 10 minutes) ›› WebEx
Download a PDF of the presentation (5.33 MB PDF) ›› PDF

Hear WhiteHat Security Founder and CTO Jeremiah Grossman present his sequel to the much acclaimed "Get Rich or Die Trying" presentation.

Many people still mistakenly believe profiting illicitly or causing serious damage on the Web requires elite, ninja-level hacking skills. Nothing could be further from the truth. In fact, given the ever-increasing complexity of Web technology, using sophisticated vulnerability scanners can make the monetization process more difficult, noisy, and arguably less lucrative. While scanners and code reviews can lend themselves to identifying SQL Injection and Cross-Site Scripting, which can lead to significant harm and financial loss, so too can the issues they consistently miss: business logic flaws.

Business logic flaws, oversights in the way a system is designed to work or can be made to work, are ones that typically can be gamed in low-tech ways. In the real world, these attacks have led to between four- and nine-figure paydays with nothing more than basic analytical skills required. Furthermore, these are attacks that Intrusion Detection Systems (IDS) will miss, Web application firewalls can't block, and Web application vulnerability scanners fail to identify. Attacks so subtle that most organizations will not know they've been hit until a financial audit uncovers a discrepancy, they receive angry customer calls, or they become headline news.

WhiteHat/Imperva Webinar: The Web Attack Defense Playbook: An End-User Case Study
June 2009
Listen to the webinar (60 minutes) ›› WebEx

The Target: Highly sensitive (and valuable) corporate and customer data accessible through a website.

The Enemy: A long line of hackers deploying a steady barrage of complex website attacks such as SQL Injection, Cross-Site Scripting (CSS) and Cross-Site Request Forgery (CSRF).

The Defense Playbook: A multi-layered, end user-tested approach to website protection and data security featuring the industry’s leading Web Application Firewall (WAF) and website vulnerability management solutions.

Join Joe White, Information Security Architect from SuccessFactors, as he details the robust data security strategy that has enabled his organization to successfully defend itself against dangerous website attacks. Mr. White will provide first-hand insight into the unique benefits that an integrated WAF-vulnerability management solution provides while highlighting SuccessFactors’ ability to execute data policies that are unmatched in their level of accuracy and granularity.

Also featured in this educational webinar will be an overview of Web Application Firewalls (WAFs) from Imperva Co-Founder and CTO, Amichai Shulman and website vulnerability management solutions from Jeremiah Grossman, founder and CTO of WhiteHat Security. Topics covered during this webinar will include:

  • Real world game-plan for data security from Web Application Security expert and SuccessFactors Information Security Architect, Joe White
  • Best practices for protecting against web attacks such as SQL Injection and Cross-Site Scripting
  • Detailed instructions for deploying a closed-loop website vulnerability detection and mitigation solution
  • Expert insight into the critical components of the industry’s leading WAF and website vulnerability management solutions

Spring 2009 – 7th Edition – Website Security Statistics Report
May 2009
Download a PDF of the report ›› PDF
Listen to the presentation (46 minutes) ›› WebEx
Download a PDF of the presentation (1.3 MB PDF) ›› PDF

There is a difference between what is possible and what is probable, something we often lose sight of in the world of information security. For example, a vulnerability represents a possible way for an attacker to exploit an asset, but remember that not all vulnerabilities are created equal. Obviously we must also keep in mind that just because a vulnerability exists does not necessarily mean it will be exploited, or indicate by whom or to what extent. Clearly, many vulnerabilities are very serious, leaving the door open to compromise of sensitive information, financial loss, brand damage, violation of industry regulations, and downtime. Some vulnerabilities are more difficult to exploit than others and therefore attract different attackers. Autonomous worms & viruses may attack one type of issue, while a sentient targeted attacker may prefer another path. Better understanding of these factors enables us to make informed business decisions about website risk management and what is probable.

Q1 2009 Key Findings

  • 82% of websites have had a HIGH, CRITICAL, or URGENT issue
  • 63% of websites currently have a HIGH, CRITICAL, or URGENT issue
  • 60% vulnerability resolution rate among sample with 7,157 (out of 17,888 historical vulnerabilities) unresolved issues remaining as of 3/31/09
  • Vulnerability time-to-fix metrics are not changing substantively, typically requiring weeks to months to achieve resolution.
  • Average # of HIGH, CRITICAL, or URGENT severity vulnerabilities per website during the vulnerability assessment lifetime: 17
  • Average number of serious unresolved vulnerabilities per website: 7
  • Average number of inputs (attack surface) per website: 227
  • Average ratio of vulnerability count / number of inputs: 2.58%

Fourth Quarter 2008 Website Security Statistics
February 2009
Listen to the presentation (55 minutes) ›› WebEx
Download a PDF of the presentation (1.3 MB PDF) ›› PDF

The WhiteHat Website Security Statistics Report provides a one-of-a-kind perspective on the state of website security and the issues that organizations must address to avert attack. WhiteHat has been publishing the report, which highlights the top ten vulnerabilities, vertical market trends and new attack vectors, since 2006.

The WhiteHat report presents a statistical picture of current website vulnerabilities, accompanied by WhiteHat expert analysis and recommendations. WhiteHat’s report is the only one in the industry to focus solely on unknown vulnerabilities in custom Web applications, code unique to an organization, within real-world websites.

Strategically Blocking Cross-Site Scripting & SQL Injection Attacks
January 2009
Listen to the presentation (63 minutes) ›› WebEx
Download a PDF of the presentation (1.6 MB PDF) ›› PDF

F5 Networks and WhiteHat Security present a revolutionary new solution that closes the loop from Web application vulnerability detection to remediation – an integrated solution delivering TOTAL website security.

The F5 Networks and WhiteHat Security technology partnership gives security professionals a uniquely powerful and efficient system to combat the onslaught of website attacks that place customer and corporate data at risk. The combination of WhiteHat Sentinel website vulnerability management solution and F5 BIG-IP® Application Security Manager (ASM) delivers a new level of website protection – with extreme accuracy, efficiency and control.

Join Jeremiah Grossman, Founder and CTO, WhiteHat Security, and Lori MacVittie, Technical Marketing Manager, F5 Networks, as they offer a look at a technology breakthrough that:

  • Enables security professionals to take control of the security of their websites
  • Closes the loop from vulnerability detection to remediation
  • Allows you to rapidly block website attacks with laser-focused rules
  • Meets and exceeds PCI 6.6 Compliance.

Lowering WebApp Sec Total Cost of Ownership (TCO)
November 2008
Listen to the presentation (63 minutes) ›› WebEx
Download a PDF of the presentation (1.2 MB PDF) ›› PDF

Let's face it: Website security is critical and complex. With budgets under greater scrutiny, how do you get the most out of your security team and budget, and still have secure, functioning Web applications? Can it be done cheaply without cutting too many corners and placing your organization at risk?

Tools can’t replace expertise, and the soft costs are surprisingly high. Is there a cheaper alternative to consultants that doesn't sacrifice accuracy?

Learn how to take control of your website security. The session moves from a discussion of where teams lose time and waste resources to how to streamline risk measurement and management activities and eliminate resource drains like one-off reports and babysitting auditors.

Here's what you can expect to learn:

  • Be capable of PROVING that you are taking reasonable measures to protect your websites
  • Understand your testing options, and grasp the pros and cons of each
  • Have a formalized approach to take control of these processes
  • Know what they cost
  • Finally: How these approaches benefit the rest of the teams responsible for the health and safety of these websites

Afterwards, Mark Meyer, WhiteHat Security Director, will provide a review of WhiteHat Security's Sentinel Service.

Developer Training - The Missing Link in the Web Application Security LifeCycle, with Anna Sherony from Sammons Financial Group
October 2008
Listen to the presentation (74 minutes) ›› WebEx
Download a PDF of the presentation (1.2 MB PDF) ›› PDF

In this webinar, you will learn how Anna Sherony, Privacy and Information Protection Officer at Sammons Financial Group, used WhiteHat Security to successfully address her Web application security needs. She invested in her team with Web developer training from WhiteHat Security and incorporated WhiteHat Sentinel to secure her Web applications.

WhiteHat Security's training helped Sammons Financial Group:

1. Train developers on the latest Web application vulnerabilities
2. Raise awareness about the importance of secure coding practices
3. Implement security as a culture among the development teams

Afterwards, Anurag Agarwal, WhiteHat Security Director of Education Services, will provide a review of WhiteHat Security's education offerings.

Get Rich or Die Trying - Making Money on the Web, The Black Hat Way
September 2008
Listen to Jeremiah Grossman's presentation (1 hour 14 minutes) ›› WebEx
Download a PDF of the presentation (849 KB PDF) ›› PDF

WhiteHat Security founder and CTO Jeremiah Grossman will repeat his Black Hat presentation, "Get Rich or Die Trying - Making Money on the Web, The Black Hat Way." Now's your chance if you missed it at the Black Hat Briefings in August or you just want to hear it again.

Forget Cross-Site Scripting. Forget SQL Injection. If you want to make some serious cash on the Web silently and surreptitiously, you don’t need them. You also don’t need noisy scanners, sophisticated proxies, 0-days, or ninja-level reverse engineering skills -- all you need is a Web browser, a clue about what to look for, and a few black hat tricks. Generating affiliate advertising revenue from the website traffic of others, trading stock using corporate information passively gleaned, inhibiting the online purchase of sought-after items to create artificial scarcity, and so much more. Activities not technically illegal, only violating terms of service.

You may have heard these referred to as business logic flaws, but that name really doesn’t do them justice. These are not the same ol’ Web hacker attack techniques everyone is familiar with, but the ones staring you in the face and missed because gaming a system and making money this way couldn’t be that simple. Plus, IDS can’t detect them and Web application firewalls can’t block them. In fact, these types of attacks are so hard to detect (if anyone is actually trying) that we aren’t even sure how widespread their use actually is. Time to pull back the cover and expose what’s possible.


Power Point Presentations Available for Download

Get Rich or Die Trying - "Making Money on the Web, the Black Hat Way"
PowerPoint from Jeremiah Grossman, WhiteHat Security CTO, presentation at BlackHat 08

Top Ten Web Hacking Techniques
PowerPoint from Jeremiah Grossman, WhiteHat Security CTO, presentation at RSA 09

Archived Webinars from 2008

WhiteHat Website Security Statistics Report
August 2008
View the Video (1 hour 8 minutes) ›› WebEx
Presentation (849 KB PDF) ›› PDF
Download a PDF of the report ›› PDF

PCI Compliance
July 2008
View the Video (65 minutes) ›› WebEx

Website Security Statistics Report
March 2008
View the Video (65 minutes) ›› WebEx
Presentation (849 KB PDF) ›› PDF
Download a PDF of the report ›› PDF

SaaS as a Service
January 2008
Listen to the discussion* (40 minutes) ›› WebEx
Presentation (849 KB PDF) ›› PDF

Archived Webinars from 2007

Industry Roundtable Webinar
November 2007
Listen to the discussion ›› (61 minutes) WebEx

Business Logic Flaws Webinar
October 2007
View the Video* (51 minutes) ›› WebEx
Presentation (3.83 MB PDF) ›› PDF

Hacking Intranet Websites from the Outside (Take 2) – "Fun with and without JavaScript Malware"
August 21, 2007
View the Video (73 minutes) ›› WebEx
Presentation ›› PDF

Cross Site Request Forgery
July 24, 2007
View the Video (32 minutes) ›› WebEx
Presentation (2.7 MB PDF) ›› PDF

2010 © Copyright  |  WhiteHat Security  |  3003 Bunker Hill Lane, Santa Clara, CA 95054  |  408.343.8300  |  Contact the Webmaster