Jeremiah Grossman Reveals His Process for Security Research
In our ongoing series of interviews, this week Jeremiah Grossman answered a few questions and pulled back the curtain a bit on the methods, tools and motivation for the work he does.
Jeremiah Grossman is a world-renowned expert in Web security. In 2001, he founded WhiteHat Security. He is a founder of the Web Application Security Consortium (WASC), and was named to InfoWorld’s Top 25 CTOs for 2007.
He is also a frequent speaker at industry events including the Black Hat Briefings, RSA Conference, ISACA, CSI, InfoSec World, OWASP, ISSA, and Defcon as well as a number of large universities. He has authored dozens of articles and white papers, is credited with the discovery of many cutting-edge attack and defensive techniques and is a co-author of XSS Attacks: Cross Site Scripting Exploits and Defense.
He was named a “friend of Google” and is also an influential blogger (www.jeremiahgrossman.blogspot.com) who offers insight and encourages open dialogue regarding current research and vulnerability trend information.
Prior to WhiteHat, he was an information security officer at Yahoo! responsible for performing security reviews on the company’s hundreds of websites.
What motivates you to find security vulnerabilities?
To help organizations and everyday people to use the Web safely and securely. One of the best strategies to do that is by hacking yourself first, before the bad guys. Know what they know, or eventually will, so we can adapt and be prepared to react.
What the primary tools you use, and how do you use them?
WhiteHat Sentinel, multiple Web browsers, and a Burp Proxy. A Burp Proxy is a solid and inexpensive HTTP proxy tool that makes it easier for the engineers in our Threat Research Center to perform our more manual form of vulnerability testing.
Why did you create WhiteHat Sentinel?
Back in my Yahoo days I performed hundreds of web application vulnerability assessments. To streamline the workload, I created an assessment methodology consisting of a few thousand security tests averaging 40 hours to complete per website. Yahoo had over 600 websites enterprise-wide. To assess the security of every website would have taken over 11 years to complete and the other challenge was these websites would change all the time which decayed the value of my reports. Seeking assistance I spoke with every expert and demoed every product. None of what I saw scaled. Yahoo was certainly not the only one grappling the web security problem. I felt I could do better, which ultimately led to my founding of WhiteHat Security and WhiteHat Sentinel — A technology platform capable of efficiently assessing the entire world’s websites. Nine years later, over 3,000 websites are now being assessed on a weekly basis.
How do you choose your target of investigation?
The targets are WhiteHat customer chosen assets that are of most value to them. Or, mainstream Web browsers and new underlying technologies.
Do you pick your target application and look for bugs, or look for a genre of bug in many different applications?
The former. WhiteHat Security works with customers to proactively find vulnerabilities and provide ongoing monitoring of their web applications. For a company, it doesn’t matter if they’re vulnerable to XSS or a SQL injection; they want to ensure their data is safe.
How do you handle disclosure?
If the target is not a customer, then vulnerability discovery and disclosure activities are only carried on those specifically saying outsiders are allowed to do so. Normally, it’s done via their public website. In that notice, proper procedures are also documented for how they should be notified in the event a vulnerability is found.
What are you working on currently?
Imagine being able to experiment with new attack techniques on over 3,000 websites across 400 organizations. We get to see what things actually work, what really doesn’t, and everything in between. All the time we’re finding new and interesting way to bypass application input filters and Web application firewalls. Through our metrics we’re also learning a great deal about what activities make a real improvement on security posture.
When comparing runtime vs. static analysis tools, which finds more bugs, more often?
SAST and DAST methodologies are used for different purpose because they are adept at identifying different classes of vulnerabilities and at different stages of the software development life-cycle (SDLC). SAST is ideal for helping reduce the number of security defects in an application introduced during the code writing and QA phases of SDLC. DAST is typically deployed in late-stage QA or production, when the application is functional, and perfect for testing how secure a system really is relative to an attacker with a given amount of skill, time and access. It all comes down to what needs to be measured and improved. WhiteHat uses DAST for web applications and SAST for rich client-side applications like Flash and Java Applets.