Tuesday, October 24, 2006

WhiteHat Sentinel 3.0

Warning: Shameless vendor self-promotion

WhiteHat has been working really hard on Sentinel 3.0 for over a year. Sentinel is the technology platform behind our managed service that continuously assesses the security of websites. We've released a number of cool new features, but for me the one that stands out is something we call "Inspector". Inspector is a way for us to capture the knowledge and experience of every assessment we perform. Think a wisdom of the crowds concept, but in our case, a crowd of web application security experts.

Much of a web application vulnerability assessment process is experience driven. And after performing even a few dozen assessments a person will develop a gut feel about how/where to locate vulnerabilities based upon previous experiences. Experts who perform do this work for a living will know what I'm talking about. You see a certain situation and a sixth sense kicks in saying “there is something wrong here”. If anyone else looked at that exact same thing, they might not think anything of it because they lack YOUR experience. Capturing this innate knowledge and sharing it between experts and technology has been a major hurdle. This is where Inspector comes in.

Inspector enables our security engineers to describe something interesting they’ve discovered to the Sentinel scanner that warrants further analysis (citing the reason). I’m not talking new “checks”. Inject some weird characters then pattern match, that’s soooo 2000. I’m talking abstract. Simple examples are anytime the scanner finds a ROT13/Base64/MD5/SHA1 version of your username/password in the HTML source or cookies, there’s probably something work looking at. If its sees a “SQL Where” in a URL it’s likely passing literal SQL statements. Long text strings with spaces inside form parameters named error/err/mesg/msg often point to XSS or Content-Spoofing. There are thousands of these undocumented things that over time when cataloged will make the system smarter.

Now multiply this by 1000’s upon 1000’s of assessments and you begin to understand how powerful a knowledge base this becomes. Can you tell I’m excited?

No comments: