Security army patrols companies’ front lines for website weaknesses
Analysts, researchers control perimeter, close gaps before bad guys get there
By Byron Acohido, ThirdCertainty
Ryan O’Leary likes to think of himself as a military leader in command of a platoon of soldiers responsible for wresting control of vital turf before the enemy can get there.
O’Leary’s official title is vice president for technical support at WhiteHat Security. In that capacity he serves as the director of WhiteHat’s Threat Research Center, staffed by some 200 crack security analysts and researchers.
Related article: The dangers of cross-site scripting
WhiteHat’s customers, composed largely of midsize and large enterprises, retain O’Leary’s army to scout out latent security flaws on some 50,000 websites, and close them up before hackers, data thieves and scammers can get there first and take advantage.
Here are a few takeaways from my conversation with O’Leary at the RSA Conference 2017:
Old exposures. The top website attack techniques, in terms of prevalence of use and capacity to achieve deep network access, are cross-site scripting and SQL injection. “The old exposures are still the most prevalent,” O’Leary says. “They’ve been around for as long as the internet. And attackers still use both of these ways to attack the database.”
Business logic flaws. Website front ends are complex. Software developers often make functionality a higher priority than security. Combine those two variables and the result can be business logic flaws—costly ones. “There are things like being able to buy something for zero dollars,” O’Leary told me. “On one retail website, we were able to overwrite the price of an item and make it a negative number. So we not only got the item for free, we were able to get money back on our credit card.”
Hacker’s mind-set. When O’Leary recruits new soldiers, he looks for contrarian thinkers, someone who will look at a vending machine and quickly spot a way to make it dispense multiple items. “One of our best hackers was a line cook at Applebee’s before she came to WhiteHat,” he says. “She knew very little about security, and only a little about websites and technology. But she had that certain mind-set, and we were able to teach her about the technology and about websites.”
For a deeper dive into this conversation, please listen to the accompanying podcast.
More stories about protecting company security:
New tactics needed to search for, destroy network invaders
Companies must redefine their perimeter to ensure security in the cloud
Whitelisting can strengthen cybersecurity by treating everything as a potential threat