WhiteHat Security Complete Website Vulnerability Management

WhiteHat Sentinel runs assessments for the 24 Web Application Security Consortium (WASC) vulnerability classes such as Cross-Site Scripting, Directory Traversal, and SQL Injection. You can find explanations about these vulnerability classes in the Sentinel Glossary, located under the Resources tab.

The methods used by attackers to exploit vulnerabilities are constantly evolving; thus, part of the WhiteHat Sentinel Service includes ongoing refinement of testing patterns to ensure that Web applications are tested against the latest attack variations.

What is the difference between Threat and Severity?

Threat and Severity levels are standard ranking systems developed by the Payment Card Industry (PCI) Security Standards Council. Specifically, the severity level for a vulnerability measures the potential business impact if exploited, and the threat level indicates how easily it can be exploited.

How do I use the Web API?

The Sentinel Web API allows you to retrieve your own vulnerability, site, and schedule information in XML format from WhiteHat. This data may then be integrated into your developer defect tracking systems or security information management systems (SIMS). You can access the Web API instructions by logging on to Sentinel, clicking on the Resources tab, and selecting the API Reference link.

What are the hours of operation for Customer Support & Response Times?

Service Request Response Time (cases submitted/logged via the customer support portal during business hours: M-F, 6:00 AM – 7:00 PM PT):

Standard Support – Next business day

Silver Support – 8 business hours

Gold Support – 1 hour – Critical (24×7), 4 hours – Serious

What is the difference between the executive summary and the full report?

The difference between the two reports is most apparent when comparing reports that include all sites. Both reports contain a graphical overview and vulnerability overview of vulnerabilities across all sites at once, as well as the WASC vulnerability classifications and a Web security glossary.

The full report also includes per-site chapters with statistical graphs and vulnerability details for each site. This information is useful for developers to understand and fix the vulnerabilities in their custom code.

I ran a scan last night, but I have no vulnerabilities in my Findings page. Does that mean there are no vulnerabilities in my website?

Almost all Web applications have at least low-level vulnerabilities, so the complete lack of any findings on your interface after a scan has been completed usually means the vulnerabilities are being verified by human eyes. To prevent false positives, vulnerabilities only appear in your Findings page after they have been verified. The WhiteHat Operations team verifies vulnerabilities during normal business hours in Pacific Standard Time.

How can I make the scans go faster or slower?

Scan speeds can be increased by clicking on a site on the Sentinel interface, clicking the Settings submenu, and increasing the number of HTTP requests sent by the Sentinel scanner per second. By default, all scans are set at a medium speed, which is no more than four requests per second single threaded. The Sentinel scanner's requests will match the response times of the target website, so if your site contains pages that load slowly, this will affect the frequency of requests the scanner can make, which lengthens the overall scan time.

I just scheduled a scan to run until completion. How long is this scan going to take?

WhiteHat Sentinel scans run “low and slow”, meaning that scans are specifically designed to have no discernible effect on your website’s performance. The length of time it takes for a scheduled vulnerability assessment to complete depends on various factors, such as the number of pages to assess, the load time of each individual page, and the speed (number of requests per second) indicated in the site’s settings in Sentinel. Keep in mind that your first findings will not appear in your interface until after they have each been verified by a member of the Operations team.

Top Internet Security Software

How To Choose The Best

How does a web site go about choosing the top Internet security software? Well, there are oodles of magazines, rating sites, vendors, and testing shops that have their opinions. Plus, there are several operating systems, business versus home users, and various categories of testing that come into play.

Furthermore, the testing labs don’t test every product in every test they do. Sometimes they test the free version and sometimes the enterprise (big business) version. Sometimes vendors don’t want to be tested and ask to be left out. Other times, the lab’s rules will disqualify a product. All of this makes rating them very difficult.

In the end, there are just too many variables to look at, making it impossible to say something so general as, “Double Whammy Internet Security 2149 is the top Internet security software on the market”. So, what do we do???

Well, the target audience for this web site is the average, non-technical home user: grandmas, students, fantasy football addicts, etc. So, I’m coming from the perspective of a home user running Windows 7 (I hope you upgrade if you haven’t already but if you have XP, it’s OK) who wants to install something and then “fagetaboutit”. If that’s you then you’re in the right place.

The Big Three Testing Labs

What I do here is keep up with three of the large testing firms: AV-Test, AV-Comparatives, and Virus Bulletin. Yes, there are more of them but these three are sufficient for our purposes.

These guys do testing under various categories constantly, 24/7 under all kinds of situations that we may or may not ever see. If anyone is going to get close to what we all face every day on the Net, it’s them.

Now, they do different kinds of tests throughout the year such as “Real-World Protection Tests”, “False Alarm Tests”, “Anti-Phishing Test” and so on. There’s no good way to boil all of these tests down into a single decision as to who is “best”. In my mind, the next best thing is to adjust a simple scoring method to the latest available tests from all three labs that most closely apply to our target audience, sprinkle some magical pixie dust on it and publish the “winners” as a constantly changing list on the home page.

Did you get all that? No? Well, don’t worry, here’s the bottom line:

I’ve applied the magic formula (full disclosure: it’s not really magic 🙂) to as many products as I could in a spreadsheet. I use the latest test available that fits our needs. So, if AV-Test comes out with a new test in July and that test would be applicable to our ratings, we just run the spreadsheet with the new ratings and see where the chips fall. So, the top Internet security software “winner” is always changing.

Even so, don’t put too much weight on any ratings, including those you find here. I would venture to say that if you chose any of the top three at any given time, you’d be as protected as you can reasonably expect to be. So, don’t get too wound up about it all. The really, really important point is to get something, install it and keep it updated (which it usually does itself).