Q&A with WhiteHat Security: The Importance of Application Security Testing in Today’s Digital World

By Community Team

Application security testing is no longer optional; it has become an absolute necessity for modern businesses and development teams. With a growing number of organizations falling victim to cyber attacks, resulting in hefty financial losses and data breaches, it has become crucial for companies to implement an effective security strategy that assures customers their information is safe and protected at all costs.

To address these challenges and bring peace of mind to organizations and their customers, WhiteHat Security, the leader in application security testing, provides the right approach to help enterprises secure their digital businesses and allow for more enriching digital experiences.

SourceForge had the chance to speak with Craig Hinkley, the chief executive officer at WhiteHat Security, to discuss the value of application testing in today’s digital-connected world. Hinkley also shares his expert advice on how to implement a proactive app security testing strategy and offers his insights on the trends and technologies that impact the mobile app industry.

Q: Can you share with us a brief overview of your company (year founded, size, industries you serve, etc.)?

A: WhiteHat Security, founded in 2001, is in the business of securing applications and has over 300 employees. The award-winning WhiteHat Application Security Platform is a cloud service that allows organizations to bridge the gap between security and development to deliver secure applications at the speed of business for our 800 customers in all types of industries.

Combining static application security testing (SAST) and dynamic application security testing (DAST) solutions and resources such as our eLearning and Threat Research Center, WhiteHat ensures developers are equipped with the tools they need from the beginning of the development process to deployment and beyond.

Q: What expertise do you provide and who are your current customers?

Craig Hinkley, the Chief Executive Officer at WhiteHat Security

A: Our mission is to secure the applications that run our customers’ business. WhiteHat’s Application Security platform allows developers to incorporate security into the DevOps process to enable true DevSecOps. We provide a variety of application security testing technologies to help our customers such as N11.com, Mediafly, Linedata, Wiredrive, SANS, BlueLava, and more. We go beyond just our products, which include WhiteHat Sentinel Dynamic, designed to scan websites for vulnerabilities continuously. Our dynamic testing products include peer benchmarking, the WhiteHat Security index, and interactive application security testing. On the static application testing side, we offer microservices, directed remediation, and software composition analysis and integration.

As mentioned, our main goal is to make sure developers and organizations as a whole are educated on application security. Our WhiteHat Learning Labs is a curated library full of informative resources on DevSecOps training. In this library, developers and business owners can find a glossary of terms, links to technical blogs, webinars, and more. In addition, we also offer a WhiteHat Certified Secure Developer (WCSD) program for developers to empower them to use a DevSecOps approach. In 2017 alone, the program enrolled over 3,300 people and certified more than 500 developers.

Q: What exactly is application security testing and what does the process involve?

A: By definition, application security testing is the use of software, hardware, and procedural methods to protect applications from any external threats. To put it simply, it is the testing of software to make sure it accurately meets all the design specifications, one of them being that the software is secure and cannot be hacked. The process can look different depending on the business or organization conducting the application testing.

For WhiteHat, we use three different approaches: static application security testing (SAST), software composition analysis (SCA) and dynamic application security testing (DAST), all in our WhiteHat Application Security Platform. SAST is used for scanning the source code of the most commonly used programming languages, identifying vulnerabilities, and providing actionable vulnerability reports. In addition, our process also includes a Software Composition Analysis to identify security and licensing issues in open source and third-party libraries, and ready-to-implement code fixes for certain vulnerabilities. Scanning code is important throughout the entire DevOps process, but especially crucial when the code is initially being written.

The next part of the application security testing process is DAST. The dynamic process of application security involves trying different inputs into a running application to see what the outputs will be. For example, if you put in a regular user’s ID and password, they should not be able to access any administrative privileges. If they can, then there may be a problem in the code. Essentially, dynamic testing allows security professionals to act as white hat “hackers” or “adversaries” to expose any flaw in the application, before individuals who are seeking to exploit these vulnerabilities can. Together, the three products ensure complete security from the beginning when the application is just a simple concept, to the end when it is in users’ hands.

Q: What makes application security testing important in today’s digitally connected world?

A: In today’s digital world, almost everything is done by using an application. In 2018, app-related breaches ran rampant all year long. In the last half of the year alone, there were several mega breaches, incidents that affected more than 1 million customers, which exposed personal data such as names, emails, passport details, financial information and more. The challenge becomes securing this data and these applications for the benefit of the business and the consumer.

As website application development within Agile environments increases, the need to bring security into the DevOps equation also grows. Mobile and website applications provide more entryways that are vulnerable to attack. By incorporating application security testing throughout the entire DevOps process, making it DevSecOps, organizations can find security threats and vulnerabilities earlier, mitigating any risks the application might bring. Without application security testing through the entire app development process, businesses and consumers put themselves at high risk. Application security provides peace of mind for the organization and the customers and makes living in today’s connected world safe and enjoyable for all. We want to help ensure we all live a safe digital life.

Q: Please share with us the advantages of using application security testing.

A: Creating a DevSecOps process has several advantages for both enterprises and consumers. Globally, according to Forbes, data breaches at an organization cost on average $3.86 million. Not only do organizations lose money from having to fix the issues that led to the breach, but they also lose time and the trust their customers had in them. After suffering a breach, most customers lose trust in a business, especially if explaining the breach to consumers and offering solutions were not handled properly. Through websites and mobile applications, hackers can also gain access to intellectual property and sell it to competitors. Consumers are at risk of having their identities stolen, money lost and personal information exposed.

By prioritizing application security testing throughout the entire DevOps process, organizations put themselves at a significantly lower risk of having any of their vulnerabilities exposed. Testing continuously can ensure code is secure and alert developers if the code needs to be updated to fix any bugs. Dynamic testing allows for extra insurance to know that the code is working the way it is supposed to. Application security testing anticipates a disaster and fixes it before it ever becomes a true problem.

Q: DevSecOps teams wanting to improve the security of their software should, first and foremost, implement a proactive app security testing strategy. As experts in this field, what are some specific measures and best practices that development teams and businesses must adhere to in order to find, fix, or prevent security vulnerabilities?

A: In a world where there are continuous threats to cybersecurity, the key to keeping customers’ applications safe involves developing tests and rules that keep apps safe. Establishing a protocol and best practices allows developers to make secure apps while still meeting their strict deadlines. There are several steps to this process in order to find, fix and prevent security vulnerabilities.

Step one is research. Developers need to be aware of changes in the app ecosystem to make sure their code is updated when need be. Without updating or changing the code when necessary, organizations leave themselves exposed to vulnerabilities. Research also allows organizations to stay on top of the newest cyber threats. If you discover a vulnerability, look for responses that are different from “good responses.” By identifying a difference, developers and security teams can create tests to automate identifying those not-“good responses”. Above all, the best practice developers can take is to continuously test code and their applications. It is the best way to prevent outside threats from exploiting vulnerabilities.
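As an added example that is not part of the interview and not WhiteHat's own code, the following constructed script shows the dynamic check described in the DAST answer above (an ordinary user's session must not reach administrative functions) together with the "good response" comparison described here: each admin route is requested with low-privilege credentials, and any response that differs from the expected good response is recorded as a finding. The in-memory application, session tokens and routes are all assumptions made for illustration.

```python
from dataclasses import dataclass
from typing import Callable, List, Optional, Tuple

# Constructed in-memory "application": a session token maps to a role.
SESSIONS = {"tok-user": "user", "tok-admin": "admin"}

def make_app(enforce_roles: bool) -> Callable[[str, Optional[str]], Tuple[int, str]]:
    """Build a toy request handler. enforce_roles=False reproduces the defect
    the interview describes: an admin route that any logged-in user can reach."""
    def handle(path: str, token: Optional[str]) -> Tuple[int, str]:
        role = SESSIONS.get(token or "")
        if role is None:
            return 401, "login required"
        if path.startswith("/admin/"):
            if enforce_roles and role != "admin":
                return 403, "forbidden"
            return 200, "admin panel: full user list"
        if path == "/account":
            return 200, "account page for role=" + role
        return 404, "not found"
    return handle

vulnerable_app = make_app(enforce_roles=False)   # missing authorization check
fixed_app = make_app(enforce_roles=True)         # hardened form

@dataclass
class Finding:
    path: str
    token: Optional[str]
    expected_status: int
    actual_status: int

# The "good responses" the dynamic test expects on admin routes for each
# low-privilege credential: no session -> 401, ordinary user -> 403.
# Any other status is a deviation from the good response and becomes a finding.
EXPECTED_ADMIN_ROUTE_STATUS = {None: 401, "tok-user": 403}

def probe_admin_routes(app, admin_paths: List[str]) -> List[Finding]:
    """Drive the running app with each low-privilege credential and report
    every response that differs from the expected good response."""
    findings = []
    for path in admin_paths:
        for token, expected in EXPECTED_ADMIN_ROUTE_STATUS.items():
            status, _ = app(path, token)
            if status != expected:
                findings.append(Finding(path, token, expected, status))
    return findings
```

Run against `fixed_app` the probe returns no findings; against `vulnerable_app` it reports that `/admin/users` answered 200 to the ordinary user's session where 403 was expected.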

Q: Applications form the lifeline of modern businesses – and they are under attack more than ever before. As a trusted provider of app security testing solutions, what measures has WhiteHat Security put in place to ensure that app security testing is painless for developers and seamless for security teams?

A: At WhiteHat Security, we understand developers are under strict deadlines to get their products out. Our Threat Research Center is always staying on top of the latest cyber threats so we can learn how to better protect our customers. In addition, we are always evolving our platform to make the customer experience that much better. We understand that for developers, that means we need to provide products that integrate easily into the tools they use to develop, test and release their applications, all while keeping their product as secure as possible. For the security teams, it is key that we provide visibility into the security posture of applications and allow the security teams to do risk-based ranking and prioritization of security issues for remediation. We ensure the security teams get the information and dashboards needed to know if the company’s applications are safe and secure, as well as enabling the security teams to help the developers secure the company’s applications.

As technology evolves, we have also been using more artificial intelligence (AI) and machine learning technology to take some of the burden away from security teams. The processes we have in place ensure an effortless and smooth experience for all parties involved in the application security process.

Q: Tell us more about WhiteHat Sentinel Mobile. What makes it stand out from other mobile security testing and assessment platforms available on the market today?

A: Every day, thousands of people rely on the dozens of applications on their cell phone to conduct personal and professional business. Due to this, hackers especially look at mobile apps to exploit data. For the entire team at WhiteHat Security, it was especially important to offer a product for mobile app security that was ahead of everything else already on the market. WhiteHat leverages the dual power of dynamic analysis and static analysis of mobile source code as well as manual assessments to make sure we are hitting all of the places for potential attack.

WhiteHat Sentinel Mobile also integrates with ALM tools, IDEs, bug tracking systems, and more so that security teams can easily deploy it. WhiteHat then goes the extra step with our Threat Research Center. Having a dedicated team that analyzes every potential vulnerability allows security teams to focus on remediation efforts for verified defects. At the end of the day, the threat research engineers are also there to help with any questions right inside the Sentinel portal itself, to help fix the problem as soon as it is discovered.

Q: What are its key features and capabilities? Can you provide us with sample use cases?

A: The key features of WhiteHat Sentinel Mobile are the static and dynamic analysis. Static analysis looks at the mobile source code before and after the application has been put in place. Dynamic analysis looks at the production mobile websites. Finally, there is the manual assessment from our verified security experts, which yields near zero false positives and supports both iOS and Android apps. This program protects some of the largest companies in the world.

There are several use case examples for the WhiteHat Sentinel platform as a whole. In the case of N11.com, which was a WhiteHat Sentinel Dynamic (DAST) customer for quite some time, the team decided they needed something earlier in the software development process to better comply with PCI DSS guidelines. Because of this, the company added our SAST solution and reduced its time to remediate vulnerabilities by over 75 percent. Another use case is Wiredrive. Wiredrive was using another SAST vendor and ended up switching to WhiteHat. The 24/7 access to the Threat Research Center extended their DevSecOps team, and they reduced their time to remediate vulnerabilities by between 10 and 24 percent.

Q: Looking ahead, what trends and technologies do you think will impact the mobile app industry in 2019 and beyond? How is WhiteHat Security addressing these?

A: Perhaps one of the biggest trends we have seen in 2018 that will continue in 2019 and beyond is AI and machine learning. WhiteHat has already begun to incorporate AI capabilities into our products to help identify threats and vulnerabilities as fast as possible. In addition to machine learning, the IoT industry will also continue to grow in the years to come. This area is still considered a bit tricky for cybersecurity at the moment. I believe the cybersecurity industry as a whole will continue to evolve to protect IoT devices, as they are especially vulnerable to attack.

About WhiteHat Security

WhiteHat Security is the leader in application security testing that is headquartered in Santa Clara, California. Combining human intelligence and technology, WhiteHat Security delivers the world’s most powerful solution for application security to provide safe digital experiences to their employees, customers, partners, and the entire ecosystem. Established in 2001, WhiteHat Security specializes in DevSecOps, software composition analysis, web application security, and more.