An Introduction to the Murky Science of Web Application Security
Jeremiah Grossman wants you to know that firewalls and SSL encryption won’t prevent a hacker from breaking into your e-commerce website, compromising your customers’ data and possibly stealing your money. That’s because most website attacks these days exploit bugs in the Web application itself, rather than in the operating system on which the application is running.
Grossman is the founder and chief technology officer of WhiteHat Security, a Silicon Valley firm that offers an outsourced website vulnerability management service. Using a combination of proprietary scanning and so-called ethical hacking, WhiteHat assesses the security of its clients’ websites, looking for exploitable vulnerabilities.
WhiteHat does its scanning without access to the client’s source code and from outside the client’s firewall using the standard HTTP Web protocol. This approach is sometimes called “black box testing” because the website’s contents are opaque to the security assessors. The problem with black box testing, of course, is that it is sure to miss many vulnerabilities and back doors that are hidden in the source code—black box testing can only find vulnerabilities that are visible to someone using your website. But the advantage of this approach is that it precisely mimics how a hacker would most likely conduct his reconnaissance and break-in.