WhiteHat Security is the pioneer of Application Security-as-a-Service, providing developers, builders and testers, and operations specialists with the capabilities they need to develop, deploy and operate the most secure software at the speed of business. Below is our recent interview with Craig Hinkley, CEO at WhiteHat Security:
Q: Could you provide our readers with a brief introduction to WhiteHat Security?
A: Our award-winning AI-powered WhiteHat Application Security Platform, which has been featured in the Gartner Magic Quadrant for Application Security Testing for the past five years, is empowering true DevSecOps by continuously assessing the risk for software assets in an enterprise and helping to embed security throughout the software life cycle (SLC). The company is based in San Jose, California, with offices across the United States and Europe.
Q: You’ve recently unveiled deeper Artificial Intelligence capabilities for Sentinel Dynamic DAST Solution; could you tell us something more?
A: WhiteHat Security is regarded as the most accurate application security platform in the market because we deliver only fully verified and actionable vulnerabilities to our clients. We have thousands of automatically scanned websites under our service, and every day, our scanners discover thousands of potentially new vulnerabilities across a wide variety of applications. To protect our clients from a constant barrage of false positives, each one of these potential vulnerabilities is carefully assessed and verified by WhiteHat Security using a combination of automation, artificial and human intelligence.
This vulnerability verification sub-system is highly optimized and streamlined, allowing WhiteHat Security to deliver results at massive scale. But we are always looking to make the system better, more scalable, speedier and ever more accurate, so we can decrease time to value for clients and deliver the results faster, without sacrificing accuracy.
In the beginning of 2017, we embarked upon a journey to artificial intelligence (AI) and machine learning (ML) with the 150+ TB application security data lake we have for automated vulnerability verification. In recent years, the scientific community has made substantial breakthroughs using ML for image classification, automated translation, speech recognition and more. At the core of the recent revolution of ML lie four things – large amounts of clean training data, relevant ML models, data-scientists with domain expertise and improved computing capacity. This allows the machines to make sense of the data.
WhiteHat Security is uniquely positioned in the industry to harness the full power and benefit of ML because we are the only company that has the data, a 150 terabyte and growing verified vulnerability data lake, and the data-scientists with application security domain expertise who can train and verify the ML algorithms.
The potential for ML at WhiteHat Security is unlimited. We have only scratched the surface, and our goal is to have a range of fully automated, client self-service scanning products powered by AI and ML that deliver human-verified accuracy at ML-scale to enable application security across the entire DevOps process. We are working on those products now – designing, training and integrating more AI and ML models into our Application Security Platform. WhiteHat Security is bringing together people, process, technology and data with human curation at our core, in a way that customers trust us to secure their applications.
Q: Can you give us insights into your products?
A: WhiteHat Sentinel Dynamic, an important component of the WhiteHat Application Security Platform, is our dynamic application security testing (DAST) product. Sentinel Dynamic offers unmatched accuracy needed for secure DevOps implementations, providing continuous AppSec testing for both production-safe testing as well as aggressive testing. The addition of AI-based digital security technology to WhiteHat Sentinel Dynamic means that new applications can be brought to market at the pace demanded by business while thoroughly assessing potential security risks – thereby addressing the biggest current challenge for DevSecOps.
WhiteHat Sentinel Source, another important component of the WhiteHat Application Security Platform, is our static application security testing (SAST) product. Sentinel Source provides the most accurate and only continuous testing capability to the development side of the house. It is used for scanning source code in popular programming languages, identifying vulnerabilities and providing actionable vulnerability reports.
In addition, the WhiteHat Application Security Platform provides Software Composition Analysis to analyze open source and COTS components that make up any modern application.
The WhiteHat Application Security Testing Platform is completely cloud-based, with hybrid deployment options, and brings together all the foundational technologies needed for DevSecOps – DAST, SAST and SCA through a single pane of glass. The platform is powered by proprietary scanners and a combination of automation, artificial and human intelligence to provide best-in-class coverage and accuracy.
No matter how many websites or applications WhiteHat Security customers need to secure and regardless of how often they are updated, the WhiteHat Application Security Platform can scale to meet any demand.
Q: Tell us more about your Threat Research Center. What is it and how does it work?
A: The biggest challenge in the application security industry and the security industry at large is the widening skill and resource gap. There are not enough security experts to meet the application security needs that we have today. Against this backdrop, WhiteHat Security has built one of the largest and most skilled teams of security experts on the planet, with 100+ application security experts. These experts make up our Threat Research Center (TRC), and they are an integral component of the WhiteHat Sentinel product family. We have also built out what we call the WhiteHat University that prepares non-experts to become effective AppSec SMEs in 6 months.
The Threat Research Center has two main functions – Threat Research and Service Delivery. Broadly, the Threat Research team performs primary research as well as customer application specific research in addition to training and configuring the AI pipeline. In addition to the research component, the team also enables our differentiated service delivery process that assists customers with optimizing their applications for scan coverage and delivering the industry’s most accurate results.
Combining technology and the talents in our TRC, WhiteHat Security delivers the world’s most accurate solutions for DevSecOps.
Q: What can we expect from WhiteHat Security in the future?
A: You can expect continued innovation in the areas of DevSecOps, artificial intelligence for security and cloud security.
DevSecOps: Bringing foundational technologies of DAST, SAST and software composition analysis (SCA) to software developers, builders and testers as well as operations specialists. At WhiteHat Security, we believe that every stakeholder has varying application security needs, and we are addressing those needs by bringing to market capabilities squarely directed at the stakeholders, which at the same time are integrated with the overall application security platform.
AI: Accuracy at scale is the key to successful DevSecOps. With our recently announced technology around AI for security, we have the basis for future innovations. Bringing DAST to developers requires a degree of speed and accuracy that only AI-based solutions can provide. We will be launching new capabilities that address use cases for DAST in development and actionable compliance needs – all centered on our AI technology.
Cloud security: We have seen customers employ a “lift and shift” strategy to move to the cloud in the past, but now we see our customers taking a “cloud-native” approach. We continue to create foundational technology capabilities to address the needs of developing, deploying and operating in the cloud. In addition, capabilities like single-page application support further help us increase the coverage for cloud-based applications that are focused on user experience and performance.