Everyone knows there are hackers out there intent on compromising Web sites. But it’s often hard for the people operating those sites to identify and plug security holes on their own.
After two years at Yahoo’s internal security team, Jeremiah Grossman realized that manually assessing Web sites’ vulnerabilities — the common approach — simply couldn’t scale. Even at a site a week, it would take 10 years to check all of Yahoo’s sites, he recalls. “The prior approach was to hire an Ernst & Young or a PricewaterhouseCoopers to do a one-time consult. But you couldn’t afford to keep bringing them in for each site change,” he notes. And very few companies could shell out for the internal resources for such ongoing vulnerability assessment.
In 2001, Grossman left Yahoo to found WhiteHat Security, where he is now CTO. The company mission: to automate Web site testing and expose weaknesses so that corrective action can be launched before hackers take advantage of them.
Today, WhiteHat regularly tests about 700 Web sites for 100 customers — mainly large financial, e-commerce, and health care sites — to see if their Web applications are vulnerable. “We get to see the things that no one else gets to see,” he says. They focus on applications because that’s where the risks are, notes Grossman. Applications change frequently, so new vulnerabilities can crop up at any time. “The challenge is to keep up with the code’s rapid change rate,” he says.
Grossman spends about half his time analyzing the vulnerabilities found from his clients’ sites and tracking hacker trends in general to improve the WhiteHat service. The secret to the system is the use of real sites, he says. “You need to test what matters most: production code. There’s no way to simulate that.” So WhiteHat’s clients give the company permission to try to hack their systems to uncover the actual vulnerabilities. He's also beginning to work with other companies to improve Web application firewall technology as a way to plug vulnerabilities from the outside until the code can be fixed, something he expects to be available in the near future.
The rest of Grossman’s time is spent on education, such as speaking at conferences. For example, the company publishes a quarterly report on vulnerabilities to help Web developers understand where to look for risks and how to avoid them in the first place. Although the customer Web sites WhiteHat analyzes involve lots of transactional applications, he says the lessons learned from them apply to Web sites of all scales and complexity. One example: “Using a modern compiler such as for J2EE or .Net makes a huge difference in security. They help the developers do the right thing without losing their functionality focus for things such as session management and cookies,” Grossman says.