High-Tech Bridge launches ImmuniWeb® world-wide
May 15, 2014
ImmuniWeb® - online on-demand web penetration testing service
After a year of intensive private Beta testing, High-Tech Bridge announces the general availability of ImmuniWeb® - its innovative web application and website security testing SaaS (Software-as-a-Service) that enables anyone, regardless of company size, geographical location or technical knowledge, to hire professional ethical hackers online for just $990.
ImmuniWeb is a hybrid of accurate manual web application penetration testing and vulnerability scanning, performed in parallel. Manual testing by professional High-Tech Bridge web penetration testers guarantees zero false positives and significantly reduces the number of false negatives in the report. The automated side of the assessment is performed by ImmuniWeb Security Scanner, developed by High-Tech Bridge from scratch. Project configuration and management, secure online payment and report delivery are all done online via the ImmuniWeb Portal.
ImmuniWeb’s hybrid approach to web application security testing outshines the quality of the automated tools, scanners and services that currently dominate the market.
Every ImmuniWeb report is manually written by a professional penetration tester who provides customised solutions for each weakness and vulnerability detected, ensuring that the customer can easily understand the issues and implement fixes.
Tested on thousands of small and several hundred large live websites, ImmuniWeb has proven effective on websites built with a range of web frameworks, platforms and programming languages. The vast majority of security assessments already performed by ImmuniWeb have shown a higher vulnerability detection rate than traditional vulnerability scanners and automated SaaS solutions.
Graham Cluley, independent computer security analyst, said of ImmuniWeb: "What’s cool is that the ImmuniWeb service isn’t just a web vulnerability scanner, hunting for flaws on customers’ websites. At the same time as that is running, High-Tech Bridge also has a team of ethical hackers, with years of professional web security experience, manually attempting to penetrate websites, and searching for flaws and weaknesses".
The UN agency the International Telecommunication Union (ITU) uses ImmuniWeb as part of its toolset for ensuring that the governmental websites of ITU Member States are secure. "This partnership with High-Tech Bridge, within the framework of the ITU-IMPACT initiative, will assist Member States, in particular developing and least developed countries, to use these tools to improve the security of their websites and counter cyber threats and related vulnerabilities," commented ITU Secretary-General Dr. Hamadoun I. Toure.
Alexander Michael, Director of ICT Consulting at Frost & Sullivan, described ImmuniWeb's hybrid approach in his market research article: "It certainly appears that the hybrid approach [of web application security testing], introduced to the global market by ImmuniWeb, represents a highly efficient, new generation solution, offering speed, simplicity, cost-effectiveness and additional quality, afforded by the parallel manual penetration testing."
Introduced to the market by High-Tech Bridge in 2013, the hybrid approach to web application security testing benefits from an on-demand SaaS delivery model, simple setup, an assessment with zero false positives, a comprehensive report and competitive pricing. ImmuniWeb SaaS received CWE and CVE compatibility certification from MITRE in 2013. Since then ImmuniWeb has been reviewed by many well-known journals and magazines, including the Financial Times and PC Mag.
Ilia Kolochenko, High-Tech Bridge's CEO, comments: "We are very happy to offer ImmuniWeb on-demand web penetration testing to everybody today; it's a very important milestone for our company and a very positive change for the web security market. This is the outcome of four years of development and one year of very intensive work under the Beta version of ImmuniWeb. Beta testing was very useful as we were able to talk to many different companies, organisations, governments and independent experts who all brought great ideas on how to make our service better and easier. We considered every opinion to improve and perfect ImmuniWeb, and we are grateful to all our customers, partners, testers and security analysts who helped us make it better."
Marsel Nizamutdinov, High-Tech Bridge's Chief Research Officer, adds: "The entire ImmuniWeb technology was greatly improved thanks to user feedback while we were in Beta. Our penetration testing team was better organised and interlinked with our internal research team and their knowledge base. The ImmuniWeb Security Scanner was enhanced with many small but effective features and improvements that ameliorated vulnerability detection algorithms. Revision of some core scanning algorithms permitted us to significantly increase the scanner's crawler speed and scope of analysis. As for the ImmuniWeb Portal, it was adapted to make project management even more simple, fast and comprehensive."
Questions and Answers with High-Tech Bridge’s CEO
What are the benefits of ImmuniWeb?
As opposed to ethical hacking and the common model of penetration testing services, ImmuniWeb does not require long forms and NDAs to be signed, helps to avoid endless conference calls with the customer (ImmuniWeb has 24/7 online support), and probably the most interesting differentiator is the price affordable not only for SMBs but even to sole traders and consumers, such as bloggers or small e-shop owners.
Ethical hacking services used to be an exclusive privilege of large companies with significant budgets, but with the introduction of ImmuniWeb now almost anybody can afford them. We want to make ethical hacking services fair and accessible for everyone.
Compared to cheap or even free vulnerability scanning tools, software and services, ImmuniWeb has all the benefits of pure ethical hacking: zero false positives guaranteed, a manually verified PoC (Proof-of-Concept) and/or exploit for each vulnerability, and a customized solution adapted to the current customer's needs (e.g. we will not provide our customer with a WAF ruleset for a simple XSS vulnerability in Joomla that can be remediated by applying the vendor's patch or a quick source code modification).
ImmuniWeb also has some exclusive "bonuses" such as monitoring of [public or semi-private] hacking resources [blogs, forums, websites, IRC channels, etc.] for each customer. That means that ImmuniWeb customers will not only know which vulnerabilities their website has, but will also see if hackers have previously detected and/or exploited these or other vulnerabilities. This is something other companies do not perform, or bill as a completely different service. In our case it is included in the price.
Who is your target audience?
ImmuniWeb is perfectly suited both for SMBs and multinational companies/international organisations.
ImmuniWeb® technology has proved in numerous tests that 12 hours of manual testing combined with advanced vulnerability scanning is sufficient to identify all common web vulnerabilities and weaknesses on an average SME company website. Therefore for the vast majority of SMBs ImmuniWeb is a comprehensive, all-inclusive solution to detect each weakness and vulnerability in their website or web application. Obviously we do not take into consideration SMBs that may own a web-based e-banking system (or other atypical examples).
For larger companies and governments (who already figure among ImmuniWeb customers) ImmuniWeb can be a very efficient and cost-effective solution to regularly check new web applications or updated sections of their websites before making them public. Alternatively, it is an efficient decision-making tool to measure the current state of information security before investing in a full-scope penetration test or source code review.
What size website does one ImmuniWeb assessment cover?
It's difficult to estimate only by the size of the website, as for example a website with several thousand pages running on Joomla or WordPress that is up-to-date and has just a couple of simple plugins or extensions can be verified quite quickly. At the same time a smaller website developed from scratch by in-house developers will require much more time. So it does not really depend on the website size but on the technology and platform the website uses.
Sometimes it's enough to spend just 4-5 hours on a customer's website to detect all the vulnerabilities and write a perfect report. If the website uses any open-source plugins or modules we will also make a manual source code review, and quite often during it we discover 0-day vulnerabilities and proceed to coordinated patch development with the vendor. If there are still some extra hours that remain after conducting all possible security tests, these hours are used for another project that cannot be covered within 12 hours. Sometimes it happens that we have three auditors working on the same project at the same time.
Such an approach is efficient and fair, as none of our customers ever loses anything, but some of them receive additional hours of professional penetration testing for the standard price. This also helps to make ImmuniWeb assessment very efficient even for large web applications.
How do you achieve such a low price without losing money?
We do so by using economies of scale. We have many customers with similar projects, and large teams of auditors and security researchers who closely collaborate with each other, making many processes quick, simple and efficient.
Who are you competing with?
Honestly, I don't think that we have any direct competitors, as ImmuniWeb is a completely new niche of web application security testing. It's like selling healthy chewing gum and toothbrushes: both try to achieve the same result but by completely different means and approaches.
How can customers order an ImmuniWeb assessment?
Everything can be done online within five minutes directly on the ImmuniWeb portal. A background in IT security is not required to order an ImmuniWeb assessment. Payment can be done via almost any type of credit card or via PayPal.
Non-technical users only need the URL of the website they want to test, while security professionals may also configure the assessment in detail (e.g. authentication, excluded directories, etc).
Actually this is another point that makes us different from the others: it enables top managers and business owners to silently hire professional ethical hackers to get a real picture of how secure their corporate web assets are.
Who carries out the manual penetration testing?
It is performed by High-Tech Bridge employees only - we never outsource or externalise this activity.
What is the normal cost of 12 hours of penetration testing?
It really depends on the country and the company. Price may vary from 120 to 250 USD per hour.
But don't forget about the six hours of manual report writing, which brings the total human hours spent on the project to 18.
Obviously the ImmuniWeb Security Scanner should also be factored in, as many important functions are performed by it and it can perform certain tasks faster than any human being.