ImmuniWeb® Security Assessment: Technical Details
Manual and Automated Detection of the Most Complex Vulnerabilities
ImmuniWeb® Assessment is certified CVE-, CWE- and CVSS-compatible.
Manual security testing by the auditor in parallel with an automated security assessment by ImmuniWeb® Security Scanner is what differentiates ImmuniWeb® from other SaaS-based web vulnerability assessment solutions. This hybrid approach successfully detects the most complex web vulnerabilities that cannot be found by automated vulnerability scanning alone.
ImmuniWeb® security assessment identifies the most popular web application vulnerabilities mentioned in OWASP Top Ten:
- Broken Authentication and Session Management
- Cross-Site Scripting (XSS)
- Insecure Direct Object References
- Security Misconfiguration
- Sensitive Data Exposure
- Missing Function Level Access Control
- Cross-Site Request Forgery (CSRF)
- Using Components with Known Vulnerabilities
- Unvalidated Redirects and Forwards
The permanent involvement of a security auditor during the entire ImmuniWeb® security assessment ensures the highest quality and accuracy of both the assessment and the subsequent report, a level of quality which cannot be achieved by automated tools or single-source solutions alone. Today, in the era of AJAX and JSON web technologies, many web security scanners are unable to detect complex Web 2.0 vulnerabilities such as application logic errors and DOM-based XSS. The presence of an auditor ensures that such vulnerabilities won’t be missed and will be included in the assessment report.
The auditor also monitors the assessment performed by the security scanner and interacts with it as needed. This assures the absolute accuracy of assessment results and totally eliminates false positives, i.e. non-existent vulnerabilities that are wrongly ‘detected’ by automated security software. Moreover, if the auditor detects a vulnerability that the scanner missed, the vulnerability’s details are immediately sent to the scanner developers, who investigate the issue, find a solution, and update the existing vulnerability detection algorithms.
ImmuniWeb® Security Scanner
ImmuniWeb® Security Scanner is a proprietary scanner for web vulnerabilities and weaknesses, developed and supported by High-Tech Bridge. The vanguard 360Security™ concept on which ImmuniWeb® Security Scanner is based comprises five modules that together cover all aspects of web application security:
Advanced Detection of Web Application Vulnerabilities
This is the core module performing the most significant portion of the assessment. It detects multiple types of the most popular web vulnerabilities. It was successfully tested on the most common web technologies and platforms, including PHP, ASP, ASP.NET, JSP, and ColdFusion.
Vulnerability Databases Monitor
This module searches numerous Vulnerability Databases (VDBs) for known security vulnerabilities and issues affecting the commercial or open-source Content Management System (CMS) or framework your website runs on. Each VDB entry is manually verified by the auditor to eliminate false positives in the report.
SSL Certificate Monitor
The SSL Certificate Monitor module analyses potential misconfigurations of the SSL certificate chain and other weaknesses in the SSL/TLS implementation. As a member of the Online Trust Alliance Advisory Council, High-Tech Bridge strongly recommends using SSL certificates signed by a trusted Certificate Authority (CA) on every website.
Hacking Resources Monitor
Based on unique High-Tech Bridge technology, the Hacking Resources Monitor module crawls hacking websites, forums, and mail archives to detect malicious activities targeting your website in the past 12 months or since your last ImmuniWeb® Security Assessment. The information obtained will include publicly exposed vulnerabilities and weaknesses, hacking attempts, phishing campaigns, and previous website security breaches.
This module leverages innovative High-Tech Bridge technology to search for registered domains that could be used to spoof your domain’s identity in phishing campaigns and scams.
The scanner supports testing of password-protected websites and directories; it can also be configured to exclude any directory from being tested. All these options can be easily configured directly on the ImmuniWeb® Portal during your security assessment project configuration.