Transcript of: WhiteHat Security – F5 Networks · WhiteHat Security – Company ... • The WhiteHat...
WhiteHat Security – Company Overview
• Headquartered in Santa Clara, CA
• WhiteHat Sentinel – SaaS end-to-end website risk management platform
• Employees: 250+
• Customers: 650+
© 2012 WhiteHat Security, Inc. 2
Web Application Security Across the SDLC
Security throughout the application lifecycle reduces website risks across the enterprise
OVERVIEW
[Diagram: WhiteHat Sentinel Security Platform across Development, Preproduction and Production. Components shown: Sentinel Source, Sentinel PL, Sentinel BE/SE/PE. Expertise: Threat Research Center. Intelligence: Security Metrics and Real Time Reporting. Accessibility: Anytime / Anywhere via the Internet.]
WhiteHat Sentinel Software as a Service
• SaaS (Annual Subscription)
 – Unlimited assessments / users
 – Fixed flat rate per website
• Unique methodology
 – Proprietary scanning technology
 – Expert website security analysis (TRC)
 – Satisfies PCI 6.6 requirements
• Vulnerability verification and prioritization
 – XML API links to other security solutions
• Easy to get started
 – Only a URL and credentials are needed
 – No management of hardware or software
 – No additional training
How WhiteHat Sentinel Works
CYBERCRIME IS NOW THE SECOND BIGGEST CAUSE OF ECONOMIC CRIME EXPERIENCED BY THE FINANCIAL SERVICES SECTOR
1 million accounts with 1 SQL Injection attack
ATTACK LANDSCAPE
XSS from 2009 used by Lulzsec to announce Murdoch’s death in 2011
Sophisticated, targeted fraud on Ebay.com
Attacker Profiles
• Random Opportunistic
 – Fully automated scripts
 – Unauthenticated scans
 – Targets chosen indiscriminately
• Directed Opportunistic
 – Commercial and open source tools
 – Authenticated scans
 – Multi-step processes (forms)
• Fully Targeted
 – Customize their own tools
 – Focused on business logic
 – Clever and profit driven ($$$)
BIG DATA CAN TELL US WHAT IS REALLY GOING ON
METRICS
8/10 websites have serious vulnerabilities
Average number of new serious* vulnerabilities discovered per website per year
* Serious vulnerability: a security weakness that, if exploited, may lead to a breach or data loss affecting a system, its data, or its users (PCI-DSS severity HIGH, CRITICAL, or URGENT).
WhiteHat Security Top Ten (2011)
Percentage likelihood of a website having at least one vulnerability sorted by class
37% of Vulnerabilities are Never Fixed
• The overall remediation rate in 2011 was 63%, up from 53% in 2010 and almost double the 35% rate of 2007: roughly a 7% average improvement per year in the percentage resolved over each of the last four years.
Serious Vulnerabilities take 38 days to fix
Window of exposure
Why Do Vulnerabilities Go Unfixed?
• No one at the organization understands or is responsible for maintaining the code.
• The development group does not understand or respect the vulnerability.
• The affected code is owned by an unresponsive third party.
• The website will be decommissioned or replaced “soon.”
• The risk of exploitation is accepted.
• Feature enhancements are prioritized ahead of security fixes.
HOW TO SOLVE VULNERABILITY OVERLOAD
Targeting and Evolving Security Strategies
INTEGRATION
FROM
• Fulfilling checkbox requirements
• Point-in-time assessments
• Tactical efforts to secure specific websites
• Taking precautions but accepting a certain level of risk
TO
• Securing all Web assets throughout the SDLC
• Continuous, concurrent assessments
• Strategic security program to secure all websites
• Security analysis performed in all stages of the SDLC
WAF is a strategic control to mitigate risk
Web Application Firewalls are best at mitigating vulnerabilities such as Cross-Site Scripting, Content Spoofing, SQL Injection, Response Splitting, etc. By summing up the percentages for these classes we might safely say:
A WAF could feasibly help mitigate the risk of at least 71% of all custom Web application vulnerabilities.
How to solve Vulnerability Overload
• Sentinel Baseline Service finds on average 7 vulnerabilities per site in the unauthenticated space
• It is common for customers to run Baseline on all of their assets
• 200 sites x 7 vulnerabilities = 1400 problems!
• The WhiteHat Sentinel / F5 ASM solution will eliminate 71%
• Leaving the other 29% to be solved by code remediation or iRules
Integration Overview
• Finds a vulnerability
• Virtual patching with one click on BIG-IP ASM
• Verify, assess, resolve and retest in one UI
• Automatic or manual creation of policies
• Discovery and remediation in minutes
• Vulnerability checking, detection and remediation
• Complete website protection
Why past attempts at DAST+WAF failed
• DAST can disrupt production if not carefully configured
 – Testing in QA won’t provide an accurate measurement
• Hundreds or thousands of unvalidated “false positives” and “duplicates”
 – Slowed WAF performance and blocked valid traffic
• Without up-to-date, validated input, the WAF can’t be moved into blocking mode
• False negatives in the scanning methodology (not testing certain functionality) still required broad rules
WhiteHat Sentinel: Ideal Solution for ASM
• WhiteHat’s unique methodology
 – Allows the service to find more vulnerabilities with fewer false positives than other DAST vendors, all while testing production safely
• F5 ASM + WhiteHat enables twice the number of automatically resolvable vulnerability classes of any other similar integration
• F5 is the only WAF vendor that can consume WhiteHat Sentinel’s unique “Vuln ID”
 – Allows continuous, historical tracking of vulnerabilities and better integration with the WAF and the SDLC
• Live team of experts to provide assistance, explanation and demonstration of vulnerabilities
Unique to WH+ASM integration
• “Vuln ID” to historically track vulnerability status
• 100% verified vulnerability results
• “Retest Now” to confirm virtual patch effectiveness
• “Mitigated by WAF” flag in Sentinel interface
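As an added illustration (not WhiteHat or F5 code, and not the Sentinel or ASM API), a small Python model of the workflow these slides describe: findings deduplicated on a stable Vuln ID, unverified results kept away from the WAF, one virtual patch per WAF-mitigable class, a retest that sets the “Mitigated by WAF” state, and the remainder routed to code remediation. The class names, policy names and sample scan are constructed for the example.

```python
from dataclasses import dataclass

# Vulnerability classes the deck names as WAF-mitigable; anything else needs a code fix.
WAF_MITIGABLE = {"Cross-Site Scripting", "Content Spoofing", "SQL Injection", "Response Splitting"}

@dataclass
class Finding:
    vuln_id: str      # stable "Vuln ID" that survives rescans
    vuln_class: str
    verified: bool    # only verified results may drive WAF policy

@dataclass
class VulnRecord:
    finding: Finding
    status: str = "open"      # open | mitigated_by_waf
    virtual_patch: str = ""   # hypothetical WAF policy name, empty if none

def ingest(records, findings):
    # Merge a scan keyed on Vuln ID: repeats of a known ID add nothing, unverified results are dropped.
    for f in findings:
        if f.verified and f.vuln_id not in records:
            records[f.vuln_id] = VulnRecord(f)
    return records

def virtual_patch(records):
    # One virtual patch per WAF-mitigable record (policy names are constructed here).
    for r in records.values():
        if r.finding.vuln_class in WAF_MITIGABLE and not r.virtual_patch:
            r.virtual_patch = f"vpatch-{r.finding.vuln_id}"
    return records

def retest(records, still_reproducible):
    # "Retest Now": patched records that no longer reproduce are flagged mitigated_by_waf.
    for vid, r in records.items():
        if r.virtual_patch and vid not in still_reproducible:
            r.status = "mitigated_by_waf"
    return records

def needs_code_fix(records):
    # Everything a virtual patch did not silence is routed to developers.
    return sorted(v for v, r in records.items() if r.status == "open")

# Constructed sample scan: a duplicate, an unverified finding and a non-WAF class.
SAMPLE = [Finding("V-1", "SQL Injection", True), Finding("V-1", "SQL Injection", True),
          Finding("V-2", "Cross-Site Scripting", True), Finding("V-3", "Content Spoofing", False),
          Finding("V-4", "Insufficient Authorization", True)]

def run_workflow(findings, still_reproducible=frozenset()):
    # Full cycle: ingest -> virtual patch -> retest -> remaining code-fix list.
    records = retest(virtual_patch(ingest({}, findings)), still_reproducible)
    return {v: r.status for v, r in records.items()}, needs_code_fix(records)
```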
WAF roadmap
• Virtual patching support for atypical vulnerabilities
• Expand coverage to more vulnerability classes
• Bi-directional integration to better inform DAST of the web application attack surface
http://www.f5networks.co.jp/info/whitehat.html
FREE TRIAL