Yesterday I attended WhiteHat Security’s lunch event at the Le Meridien hotel in San Francisco. There were two talks given, one from Stephanie Fohn on the five stages of website security grief, and one from Jeremiah Grossman on the website security vulnerability landscape.

Stephanie’s talk was interesting and fun. In case you were wondering, the five stages of website security grief are:

  • Denial – “We have firewalls, IDS, and SSL. We are Secure.”
  • Anger – “How the heck did this get so bad?!?!?”
  • Bargaining – “We can solve this with frameworks, developer education and some scanners.”
  • Depression – “We have so many websites and the code is changing all the time. Maybe if I leave now no one will notice.”
  • Acceptance – “I guess my job just got a lot more interesting.”

Jeremiah’s talk was also informative. He presented statistics that WhiteHat Security identified from January 2006 to March 2007. All of the data was from live, real-world sites, many from the Fortune 500. The statistics were somewhat scary, as eight out of every ten sites had at least one security hole. He also identified the top attack vectors and the criticality of the security holes found.

The event was well put together, and I met lots of interesting people while there. I hope Jeremiah does this again, but with more data and more trends.