Speed to market has been everything in the software development world. But over time we’ve discovered that speed alone cannot remain the end all be all. The majority of data breaches have to do with web application security vulnerabilities; and therefore, security must become part of the software development equation.
Cross-Site Request Forgery (CSRF) generates many questions from prospects, customers, partners, and Web application security professionals we work with.
IT security is a massive concern for many organizations of all shapes and sizes. The consequences of a security failure are often drastic, sometimes terminal. Over recent years, there has been a relentless upward trajectory in spending on IT security, and there are no signs of that trend abating.
Dust off your Old Glory Insurance policy, ROBOT attack is now a real thing that can happen to you.
2017 has been a wild ride in the security world. This year we saw several high-profile breaches and cyber-attacks, the most notable being the Equifax breach and the WannaCry malware campaign.
While it’s difficult to get permission from one’s corporate communications team or legal department on chatting with vendors, I was able to secure an interview with one of our financial services customers who use both Dynamic and Source code scanning.
WhiteHat Sentinel Dynamic is the dynamic application security testing solution that helps you understand, prioritize, and mitigate your web app vulnerabilities. Now is your chance to take advantage of this application security platform for free.
Planning to attend the JavaOne Conference October 1-5 in San Francisco? Come on by and meet the team at WhiteHat Security to learn more about secure DevOps, and pick up a gift card for a free 6-month trial of our new static analysis product for Java developers!
The WhiteHat Sentinel Application Programming Interface (API) can help you out. Whether you’re looking to bring information into your own ticketing system, a SIEM, a new set of developer tools, or even a home-grown environment, we hope you’ll find pointers to the documentation which will help make it easy.
Applications are literally at the core of our digital lives, so it’s more important than ever to ensure that enterprises of all types can provide safe digital experiences. We hope this report provides valuable insights and recommendations on how to secure the apps that drive your business.
Social skills were on my mind. Listening to women describe their problems, it struck me how many of them had to do with stereotypes and unwritten social expectations. It's the end of Autism Awareness Month as I write this, and it's a coincidence that I'd been diagnosed with autism at age 34.
In the first webinar, Introduction to Application Security for Developers, WhiteHat focused on training and certifying developers to be secure coders.
With the recent emphasis on application security, organizations now strive to fix web app security vulnerabilities earlier in the SDLC, before apps are deployed in order to lower the risk of potential data breaches.
So now that I’ve established myself as a lover of FB and social media, may I ask that you all please carefully consider which additional new and (worse) seldom-used applications you grant permission to “Log On with Facebook?” (Or Google+, or Twitter – I’m not just targeting any one federated login mechanism.)
This week, it was reported that certain versions of the Apache Struts 2 Framework are vulnerable to Remote Code Execution attacks.
WhiteHat Security is pleased to kick off the WhiteHat Certified Secure Developer (WCSD) Program. It is open to all developers free of charge and gives developers that essential jumpstart into understanding app security at a deep technical level.
As we head into the new year, we thought we’d share our 5 most watched webinars of 2016. Like “must see TV”, these are well worth taking the time to watch and learn from!
After a lot of coordination, research, voting by the community and judging - learn the Top 10 Web Hacking Techniques of 2015.
It has been discovered that OpenSSL before 0.9.8zd, 1.0.0 before 1.0.0p, and 1.0.1 before 1.0.1k are vulnerable to a downgrade attack. In short, an attacker could man-in-the-middle a user and web server, force the user and server to downgrade to a set of export ciphers which are weak and outdated.
I think a lot of web designers and web masters have almost no idea what the most important things to focus on are, beginning on day one.
The keys to the kingdom pretty much always come down to acquiring source code for the web application you’re attacking from a blackbox perspective.
Password Cracking AES-256 DMGs and Epic Self-Pwnage
Session fixation, by most definitions, is a subclass of session hijacking.
Content Security Policy (CSP) is a new(ish) technology put together by Mozilla that Web apps can use as an additional layer of protection against Cross-Site Scripting (XSS). This protection against XSS is the primary goal of CSP technology.
Learn what CSRF is and how to develop CSRF prevention design principles.
HTTP Strict Transport Security (HSTS) is a new(ish) technology that allows an application to force browsers to use only SSL/TLS (HTTPS, not HTTP) when they visit that application.
Session cookies (or, to Java folks, the cookie containing the JSESSIONID) are the cookies used to perform session management for Web applications.
Clickjacking is a type of “Web framing” or “UI redressing” attack.
X-Frame-Options allows an application to specify whether or not specific pages of the site can be framed. This is meant to help prevent the clickjacking problem.
Many penetration testers rarely test for cryptographic vulnerabilities. This post provides details of a length extension attack.