Whitepapers

Top 5 Myths of Website Security
Hackers behave like water, taking the path of least resistance. Today that path leads over SSL and past the firewall, where nothing stands between them, the website, and the information it holds. This is how a Web hacker views the world. Using a browser and a few simple tricks, hackers can penetrate a website, access the credit card database, and make off with critical data, customer databases or even intranet information, unseen. With network firewalls and patch management now standard practice, the network perimeter has become increasingly secure. Determined to stay a step ahead, hackers have moved up the software stack, focusing on the website itself. Gartner Group has stated that over 70% of cyber attacks occur at the application layer. Even more alarming, WhiteHat Security has found that 8 in 10 websites currently have serious vulnerabilities.

Automated Scanning vs the OWASP Top Ten
The OWASP Top Ten is a list of the most critical website security flaws, a list also often used as a minimum standard for website vulnerability assessment (VA) and compliance. There is an ongoing industry dialog about the possibility of identifying the OWASP Top Ten in a purely automated fashion (scanning). People frequently ask what can and cannot be found using either white box or black box scanners. This matters because a single missed vulnerability (or, more precisely, a single exploited one) can cause an organization significant financial harm. Proper expectations must be set for the various vulnerability assessment solutions.

Website Security Risk Report
Websites are now the top target for malicious attacks. Why? Firstly, 8 out of 10 websites have serious vulnerabilities, making them easy targets for criminals seeking to cash in on cyber crime. Secondly, enterprises that want to reduce the risk of financial losses, brand damage, theft of intellectual property, legal liability and the like are often unaware that these website vulnerabilities exist, what their possible business impact is, and how they are best prevented. Currently, this lack of knowledge limits visibility into an enterprise's actual security posture. In an effort to deliver actionable information and raise awareness of actual website threats, WhiteHat Security is introducing the Website Security Risk Report, published quarterly beginning in January 2007.

Cross-site Scripting Worms and Viruses
On October 4, 2005, the "Samy Worm" became the first major worm to use Cross-Site Scripting ("XSS") for infection propagation. Overnight, the worm altered over one million personal user profiles on MySpace.com, the most popular social networking site in the world. The worm infected the site with JavaScript viral code and made Samy, the hacker, everyone's pseudo "friend" and "hero." MySpace, at the time home to over 32 million users and a top-10 trafficked website in the U.S. (based on Alexa rating), was forced to shut down in order to stop the onslaught.

Samy, the author of the worm, was on a mission to be famous, and as such the payload was relatively benign. But consider what he might have done with control of over one million Web browsers and the gigabits of bandwidth at their disposal, browsers that were also potentially logged in to Google, Yahoo, Microsoft Passport, eBay, web banks, stock brokerages, blogs, message boards, or any other web-based applications. It is critical that we begin to understand the magnitude of the risk associated with XSS malware and the ways that companies can defend themselves and their users, especially when the malware originates from trusted websites and aggressive authors.

10 Things You Should Know About Website Security
Phishing schemes. Stolen credit card numbers. Identity theft. Web applications have emerged as the target of choice for money-hungry hackers. Attacks have moved from the network to the everyday web applications that people use to manage their lives—online shopping and banking, healthcare information management, insurance payments, travel booking and college applications.

The ramifications for companies are clear: loss of data, loss of consumer confidence and loss of brand integrity. No company can afford the black mark of a website hack. With many states mandating full disclosure, and the federal government close behind with its own efforts, the luxury of keeping these incidents behind closed doors has passed. Organizations must develop a strategy for web application security.

Website Security 101
Over 700 million people worldwide bank, shop, buy airline tickets, and perform research using the World Wide Web. With each transaction, private information, including names, addresses, phone numbers, credit card numbers, and passwords, is routinely transferred and stored in a variety of locations. Billions of dollars and millions of personal identities are at stake every day. In the past, security professionals thought firewalls, Secure Sockets Layer (SSL), patching, and privacy policies were enough to protect websites from hackers. Today, with prominent Web attacks taking place seemingly every week, the industry knows better.

The PCI Data Security Standard: A Roadmap for Website Security
Digital thieves are hacking e-commerce websites at an alarming rate. Seemingly every day, millions of credit card numbers and other forms of cardholder information are stolen, contributing to financial fraud, identity theft, and loss of consumer confidence. Many of these break-ins could have been prevented had organizations implemented and enforced Web security best practices. In response to preventable security incidents relating to cardholder data, VISA and MasterCard joined forces to create the Payment Card Industry (PCI) Data Security Standard. A thorough program, PCI establishes security guidelines and audit procedures to ensure merchants and service providers maintain the highest information security posture.