VIDEO: WhiteHat Security founder Jeremiah Grossman discusses his company's security guarantee and explains why automated scanning alone is never enough.
With most items that any individual or company buys, there is often a guarantee of some kind and the promise of a refund if the item doesn't work. Jeremiah Grossman, founder of WhiteHat Security, is taking the same basic premise and bringing it to the world of Web security. For the past year, Grossman's company has been offering some form of security guarantee, providing the promise of a financial payout if the customer is ever hacked.
In a video interview with eWEEK, Grossman explains how the guarantee works and why he's confident it's just good business. Grossman also discusses the impact of common Web application vulnerabilities including Cross Site Scripting (XSS) and Cross Site Request Forgery (CSRF) and why they are so difficult to detect.
"WhiteHat's business is to find the vulnerabilities in our customers' Websites before the bad guys exploit them, and the whole idea of what we do is if you fix the vulnerabilities, you shouldn't get hacked," he said.
Grossman said that WhiteHat has been in business for 15 years and has the confidence that it has solid pratices. As such, he felt that having a guarantee was well-warranted. The initial guarantee, which was initially announced at the Black Hat USA 2014 event, was that if a WhiteHat customer were hacked, WhiteHat would refund the customer's money for the services they paid for and the first $250,000 of any breach-related costs. At the RSA 2015 conference, WhiteHat upped the guarantee and now will pay for the first $500,000 of breach-related costs for any customer that is hacked. To date, Grossman said that WhiteHat has never had a claim made by a customer.
From a Web application vulnerability perspective, among the most common flaws are XSS and CSRF. While both type of flaws can sometimes be detected by automated scanning technologies, Grossman emphasized that human intelligence is still needed.
"One of the challenges of application security is you simply can't find all the vulnerabilities of all types in a purely automated sense," he said. "You have to know what your technology is capable of doing and all the other vulnerabilities you have to find by hand, so you have to be able to play both sides."
Watch the full video interview with Jeremiah Grossman below:
Sean Michael Kerner is a senior editor at eWEEK and InternetNews.com. Follow him on Twitter @TechJournalist.