Web Application Security

WhiteHat Acquires Static Code Analysis (SCA) from Infrared Security

WhiteHat Security today announced the acquisition of static code analysis (SCA) technology from Infrared Security, a firm of leading software security experts who also developed a key piece of that technology. You may better recognize their names as Jerry Hoff, Jim Manico and Eric Sheridan. As the press release says, “With the acquisition, WhiteHat Security gains new, complementary technology for static code analysis, to build on their market-proven dynamic vulnerability testing solution, WhiteHat Sentinel.” That’s right! WhiteHat is getting into the SCA business!

As we see things, software security is about solving two extremely important, interrelated, and world-wide problems.

1) Dealing with the immense number of vulnerabilities hiding throughout the many trillions of lines of already deployed code.

2) Making sure the next decade of applications, being developed by some 17 million programmers, is written more securely than the previous one.

Finding effective solutions to both of these problems is vital to breaking the cycle of software security pain. Solving the first problem, particularly for websites, has been WhiteHat’s focus since our founding. Our approach to website vulnerability assessment has proved itself uniquely fast, accurate, and scalable. Sentinel is driven by a massive infrastructure and a dynamic analysis methodology designed to hunt down the most egregious exploitable vulnerabilities, and it is deployed SaaS-style to make enterprise scale easy to achieve, all so our customers can prioritize those vulnerabilities and get them resolved. And they have been: over half a million verified vulnerabilities have been wiped out so far.

Moving forward, more and more of our customers, strategically minded organizations that don’t want to be the next breach victim, are concerning themselves with the second problem. As they develop their software, they want something that is effective at uncovering vulnerabilities earlier in the software development life-cycle, before code is pushed to production, where it will eventually become a real business risk. An ounce of prevention is worth a pound of cure, and static code analysis (SCA) is the ideal approach.

Several security vendors have built SCA products to address this need, but nothing has really worked. Nothing has been even remotely accurate or managed to scale to enterprise needs. We know this because Sentinel measures these outcomes after our customers have purchased these products, and they have shared their experiences with us.

We listened, closely, and that is what ultimately led to today’s announcement. Now imagine a modern SCA technology combined with the scalability of the Sentinel platform. Just as WhiteHat grew to perform more website vulnerability assessments than anyone, if we do our job right, it’s only a matter of time before we’re doing the same in the source code market. It will also mean a few hundred thousand website vulnerabilities that WhiteHat Sentinel will never have to find, because they will never reach production.

Going after the software security problem at the root is no small undertaking. It is ambitious, audacious, and essential. We’ll do for SCA what we did for DAST… make it fast, accurate, and scalable.

  • Joshbw

    You picked up a group of smart guys there

  • http://white-hat.seosearcher.co.uk john

    This accomplishment is very exciting and also very scary. Opening themselves up to a new market in which they are not safe and need to build on their knowledge base.

  • AppSec

    Jeremiah:

    First, I am glad WhiteHat is finally taking this approach. I’ve always thought securing the source was one of the biggest keys as it allows building relationships with the development community.

    I am genuinely interested in how you are going to implement some of the portions of your service.

    1) Require source/binaries be uploaded?

    2) Require network connectivity/source repository access?

    3) What kind of reporting and to whom?

    As someone who manages a secure code infrastructure and is trying to figure out a viable means to work with third parties (not to mention internal folks) for handling these questions, it’ll be interesting. The legal ramifications which are present are only the beginning of the hurdle.

    I’ve worked with a vendor in that space for the last 4 years and done evaluations of a few others. I have not looked at Infrared Security, so I am not sure how their implementation would compare, but there are a significant number of issues which we are trying to deal with, both from an internal and a third party contribution perspective.

    • http://www.whitehatsec.com/ Jeremiah Grossman

      Hi AppSec, thank you. We first had to figure out the right blend of tech, people and process to make DAST extremely efficient. Efficient enough to make it fast, accurate, and scalable. Once Sentinel started to stabilize (& take off), and our customers began asking us for SAST, it became clear it was time to expand ourselves as a company.

      With respect to your questions, and they are important, unfortunately I’m unable to answer any of them directly at this time. Our SAST specific offering and service level details have yet to be formally announced. What I can tell you is that we’re working directly with several of our customers to design a SAST offering that makes sense to them. In a sense, they are designing it; we’re just implementing. I’ll post more details when I’m able.