Security army patrols companies’ front lines for website weaknesses

Analysts, researchers control perimeter, close gaps before bad guys get there


Ryan O’Leary likes to think of himself as a military leader in command of a platoon of soldiers responsible for wresting control of vital turf before the enemy can get there.

Ryan O’Leary, director of WhiteHat Security’s Threat Research Center

O’Leary’s official title is vice president for technical support at WhiteHat Security. In that capacity he serves as the director of WhiteHat’s Threat Research Center, staffed by some 200 crack security analysts and researchers.


WhiteHat’s customers, composed largely of midsize and large enterprises, retain O’Leary’s army to scout out latent security flaws on some 50,000 websites, and close them up before hackers, data thieves and scammers can get there first and take advantage.

Here are a few takeaways from my conversation with O’Leary at the RSA Conference 2017:

Old exposures. The top website attack techniques, in terms of prevalence of use and capacity to achieve deep network access, are cross-site scripting and SQL injection. “The old exposures are still the most prevalent,” O’Leary says. “They’ve been around for as long as the internet. And attackers still use both of these ways to attack the database.”

Business logic flaws. Website front ends are complex. Software developers often make functionality a higher priority than security. Combine those two variables and the result can be business logic flaws—costly ones. “There are things like being able to buy something for zero dollars,” O’Leary told me. “On one retail website, we were able to overwrite the price of an item and make it a negative number. So we not only got the item for free, we were able to get money back on our credit card.”
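The negative-price flaw O’Leary describes comes down to one design mistake: the server totals a price the client sent instead of the price it knows. The following is an added example, not WhiteHat’s code or the retailer’s; the catalogue, the cart format and both handler functions are constructed for illustration. It shows the trusting checkout beside a hardened one that prices every line from the server-side catalogue and rejects unknown SKUs, non-positive quantities and non-positive totals.

```python
"""Client-supplied price vs. server-side price lookup at checkout.

Added example (not WhiteHat's or any retailer's code). The catalogue,
the cart format and the two handler functions are constructed.
"""
from decimal import Decimal

# Constructed catalogue: the only place a price should ever come from.
CATALOGUE = {
    "sku-100": Decimal("19.99"),
    "sku-200": Decimal("4.50"),
}


class CheckoutError(ValueError):
    """Raised when a cart line fails server-side validation."""


def charge_trusting_client(cart):
    """Vulnerable pattern: the server totals whatever 'price' the client sent.

    A client that rewrites the price field to zero or a negative number
    gets the item free, or a credit, which is the outcome described above.
    """
    total = Decimal("0")
    for line in cart:
        total += Decimal(str(line["price"])) * int(line["qty"])
    return total


def charge_server_priced(cart):
    """Hardened pattern: ignore any client-supplied price entirely.

    Prices are looked up by SKU in the server-side catalogue; unknown
    SKUs, non-integer or non-positive quantities and a non-positive
    total are all rejected before anything is charged.
    """
    total = Decimal("0")
    for line in cart:
        sku = line.get("sku")
        if sku not in CATALOGUE:
            raise CheckoutError(f"unknown sku {sku!r}")
        try:
            qty = int(line.get("qty", 0))
        except (TypeError, ValueError):
            raise CheckoutError(f"quantity for {sku} must be an integer")
        if qty <= 0:
            raise CheckoutError(f"non-positive quantity for {sku}")
        total += CATALOGUE[sku] * qty
    if total <= 0:
        raise CheckoutError("order total must be positive")
    return total


def is_rejected(cart):
    """True if the hardened handler refuses the cart (used for checks)."""
    try:
        charge_server_priced(cart)
    except CheckoutError:
        return True
    return False


# Constructed cart in which the client has rewritten one price field
# to a negative number, as in the retail example above.
TAMPERED_CART = [
    {"sku": "sku-100", "qty": 1, "price": "-19.99"},
    {"sku": "sku-200", "qty": 2, "price": "4.50"},
]

# Constructed cart with a negative quantity, another way to drive the
# total below zero that the hardened handler must also refuse.
NEGATIVE_QTY_CART = [
    {"sku": "sku-100", "qty": -3},
]

if __name__ == "__main__":
    print("trusting client total:", charge_trusting_client(TAMPERED_CART))
    print("server-priced total:  ", charge_server_priced(TAMPERED_CART))
    print("negative qty rejected:", is_rejected(NEGATIVE_QTY_CART))
```

The hardened handler never reads the client’s price field at all, so overwriting it has no effect; the quantity and total checks close the remaining routes to a zero or negative charge. Logging a `CheckoutError` with the offending SKU and quantity also gives the operations team a clean detection signal for this class of tampering.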

Hacker’s mind-set. When O’Leary recruits new soldiers, he looks for contrarian thinkers, someone who will look at a vending machine and quickly spot a way to make it dispense multiple items. “One of our best hackers was a line cook at Applebee’s before she came to WhiteHat,” he says. “She knew very little about security, and only a little about websites and technology. But she had that certain mind-set, and we were able to teach her about the technology and about websites.”

For a deeper dive into this conversation, please listen to the accompanying podcast.
