
WhiteHat Security


Presentation Transcript


  1. WhiteHat Security
     Jim Manico, VP of Security Architecture, 808.652.3805, Jim.Manico@WhiteHatSec.com
     Dave Goetz, Senior Sales Director Manager, North Central Region, 847.840.0836, Dave.Goetz@WhiteHatSec.com
     April 19, 2012

  2. Website Security Strategies are Evolving…
     FROM
     • Checkbox Compliance
     • Point in time assessments
     • Tactical efforts to secure specific websites
     • Taking precautions and accepting a certain level of risk
     TO THIS
     • Security throughout the SDLC
     • Continuous Monitoring
     • Strategic program to secure all Web assets
     • Adopt “Hack Yourself First” methodology in all stages of the SDLC

  3. Top 3 Drivers for CIOs’ Enterprise Security Initiatives
     Reduce Risk
     • Identify and prioritize web assets
     • Reduce Exploitability
     Reduce Costs
     • Identification
     • Remediation
     Improve Visibility
     • Real time awareness of security posture
     • Real time metrics

  4. WhiteHat Security’s Sentinel – Industry’s #1 Platform
     • 8100+ Websites continuously monitored and verified
     • 10,000’s of Assessments concurrently run at any moment
     • Over 7,000,000 vulnerabilities processed per week
     • All Results Manually Verified

  5. Overall Top Vulnerability Classes
     [Chart: % Likelihood of a Web Site having a Vulnerability, by vulnerability class (includes OWASP and WASC Vulnerability Classes)]
     Source: WhiteHat Website Security Statistic Report, 10th Edition

  6. Benchmark Time-to-Fix (Days)
     There is no longer an acceptable level of risk…
     [Chart: time-to-fix in days for Cross-Site Scripting, Information Leakage, Content Spoofing, Insufficient Authorization, SQL Injection, Predictable Resource Location, Cross-Site Request Forgery, Session Fixation, HTTP Response Splitting, Abuse of Functionality]

  7. Intelligence Reduces Windows of Exposure
     Number of days a website is exposed to at least one serious* reported vulnerability.
     Most websites were exposed to at least one serious* vulnerability every day of 2010, or nearly so (9-12 months of the year). 16% of websites were vulnerable less than 30 days.

  8. WhiteHat Security Throughout the Application Lifecycle Reduces Overall Risk Across the Enterprise
     [Diagram: lifecycle stage mapped to product]
     • Development – Sentinel Source
     • Preproduction – Sentinel PL
     • Production – Sentinel BE/SE/PE
     WhiteHat Sentinel Security Platform
     • Accessibility – Anytime, Anywhere
     • Expertise – Recognized Security Experts
     • Intelligence – Benchmarking Metrics

  9. WhiteHat Sentinel – Assessment Platform
     • SaaS (Annual Subscription)
     • Unlimited Assessments / Users
     • Fixed Flat Rate per Website
     • Assessment Methodology
       • Proprietary scanning technology
       • Direct access to Security Experts
       • Continuous Monitoring
       • 100% Vulnerability Verification – eliminating false positives, prioritizing enterprise risk
     • XML API leverages other security investments
     • Easy to get started –
       • Need URL and Credentials
       • No Management of Hardware or Software
       • No Additional Training

  10. WhiteHat Sentinel – Maps to Almost any Website
      Continuous Monitoring | All Vulnerabilities Manually Verified
      • Sentinel Baseline Edition – Enterprise
        • Compare with Generic Scanner PLUS
        • Asset Discovery / Prioritization of Websites
        • Broad based – Continuous Monitoring
        • Unauthenticated – Technical Vulnerabilities
      • Sentinel Standard Edition Upgrade (SE)
        • Compare with Professional running Generic Scanner PLUS
        • Authenticated – Technical Vulnerabilities
        • Continuous Monitoring – Automated Testing
        • Fully customized and configured
      • Sentinel Premium Edition Upgrade (PE)
        • Compare with Traditional Consultant PLUS
        • Authenticated Technical and Business Logic Vulnerabilities
        • Continuous Monitoring – Automated & Manual Testing
        • Fully customized and configured
      Assigned TAM will help determine the appropriate level of service
      NEW Sentinel PL Edition
      • Sentinel PreLaunch Edition (PL)
        • Fast & Flexible Assessments in a QA Environment

  11. How WhiteHat Sentinel Works

  12. Attain a Secure State with WhiteHat Security
      • Cost Effective Enterprise Solution
      • Combines Automation with Human Intelligence
      • Provides Speed and Scalability throughout the entire SDLC
      • Offers Consistent Methodology and Processes
      • Awareness and Prioritization of all of your websites
      • Continuous Monitoring with 100% Human Verification
      • Anchors your website security program

  13. WhiteHat Sentinel Source – How it Works

  14. SAST Solutions by Generation

  15. WhiteHatSecurity – the “Measuring Stick”

  16. WhiteHat Sentinel Vulnerability Coverage
      Technical: Identify with Automation
      • Command Execution
        • Buffer Overflow
        • Format String Attack
        • LDAP Injection
        • OS Commanding
        • SQL Injection
        • SSI Injection
        • XPath Injection
      • Information Disclosure
        • Directory Indexing
        • Information Leakage
        • Path Traversal
        • Predictable Resource Location
      • Client-Side
        • Content Spoofing
        • Cross-site Scripting
        • HTTP Response Splitting
        • Insecure Content
      Business Logic: Human Analysis
      • Authentication
        • Brute Force
        • Insufficient Authentication
        • Weak Password Recovery Validation
        • CSRF
      • Authorization
        • Credential/Session Prediction
        • Insufficient Authorization
        • Insufficient Session Expiration
        • Session Fixation
      • Logical Attacks
        • Abuse of Functionality
        • Denial of Service
        • Insufficient Anti-automation
        • Insufficient Process Validation
      Legend: Premium Edition | Standard & PL Edition | Baseline Edition

  17. Protection - WAF Integration

  18. WhiteHat Security (WASC) – Coverage vs. OWASP Top 10

  19. WhiteHat Security
      Jim Manico, VP of Security Architecture, 808.652.3805, Jim.Manico@WhiteHatSec.com
      Dave Goetz, Senior Sales Director Manager, North Central Region, 847.840.0836, Dave.Goetz@WhiteHatSec.com
      April 19, 2012
