Interview with Jeremiah Grossman, CTO of WhiteHat Security
by Mirko Zorz - Monday, 24 September 2007.
Are websites that you assess more insecure today in comparison to 3 years ago?

I'd say today's websites probably have fewer vulnerabilities, but they've also never been more at risk. While SQL Injection seems to be on the decline and Cross-Site Scripting filters are far more common, the number of attackers and attack techniques has increased dramatically. The bad guys go where the money is and right now that's the Web. To monetize, all they have to do is capitalize on one single vulnerability. So, if an organization is only going after the low hanging fruit, that isn't going to help much, since Web attacks are targeted. Websites that do better are the ones whose security posture makes it hard enough on the bad guy that it's in their best interest to try some place else.

A significant part in the process of developing a complex enterprise website is ensuring that the customer data being used on that website is secure. What do you see as the biggest threats to that security? What are the most common mistakes you see your customers make?

With 125+ million websites, and most of them riddled with vulnerabilities, I think it's safe to say the mistakes have already been made. At this point, we're trying to stop the new holes in the dam and plug the existing ones. Here's the advice I give to everyone:

1) Asset Tracking - Find your websites, assign a responsible party, and rate their importance to the business. Because you can't secure what you don't know you own.

2) Measure Security - Perform rigorous and on-going vulnerability assessments, preferably every week. Because you can't secure what you can't measure.

3) Development Frameworks - Provide programmers with software development tools enabling them to write code rapidly that also happens to be secure. Because you can't mandate secure code, only help it.

4) Defense-in-Depth - Throw up as many roadblocks to attackers as possible. This includes custom error messages, Web application firewalls, security with obscurity, and so on. Because 8 in 10 websites are already insecure, no need to make it any easier.

You are one of the authors of the recently released "Cross Site Scripting Attacks: XSS Exploits and Defense". How long did the writing process take? What was it like to cooperate with other authors?

The writing process took about six months. Generating hundreds of pages of coherent and compelling content is challenging to say the least, even with five of the best subject matter experts working in parallel. It was great getting to review the work of the authors on the fly and see the project come together. And, people really seem to be excited about the book and enjoying the read. For me, the feedback and reviews we've been receiving from the industry are what really made it all worthwhile. Knowing that your work is useful to so many is a great feeling.

Web security has been getting a lot of attention in the past 2 years and an increasing number of people are starting to pay attention. What resources/books would you recommend to those who want to learn more about Web security?

There are a lot of resources out there and the blogosphere has been one area that has exploded.
