At the Nullcon security conference last week, NCC Group presented detailed research on vulnerability detection with automated vulnerability scanners. During the research, automated scanning software detected around 900,000 vulnerabilities, with a false-positive rate of 89% in some of the industries tested. Even the "best scan" results contained about 50% false positives. Nevertheless, the company concluded that fully automated security testing is still cheaper than purely manual testing of the same scope. The cybersecurity industry's inability to find the right balance between human and machine is, at present, a sad fact. The web security market badly needs a game changer, and the time for one has now come.
High-Tech Bridge, a Geneva-based company with offices in San Francisco, is probably already known to you for its free SSL security service, which can be used to probe the encryption of email, web or even SSL VPN servers. High-Tech Bridge first made headlines last year, after announcing a strategic partnership with PricewaterhouseCoopers (PwC) to deliver web security testing services via its ImmuniWeb® Web Security Platform. So what is ImmuniWeb, and why is it gaining the attention of some of the largest European and US companies?
The ImmuniWeb platform allows anyone, regardless of his or her technical skills, geographical location, company size or cybersecurity budget, to configure and order any type of web security testing service. Everything is done online and is available 24/7 from any device, including your smartphone. The cheapest offering costs just $299 and is aimed at reliably auditing SMB websites running WordPress, Joomla or Drupal, while the most expensive is almost $7,000 and is designed to assess the security of corporate ERP, CRM or complex e-banking applications and web services. According to High-Tech Bridge, they don't just test for the OWASP Top 10. They also check application logic, perform a holistic assessment against the SANS Top 25 and the PCI DSS 6.5.x scope, and will even try to bypass your Web Application Firewall (WAF) if you have one, giving you a comprehensive, action-oriented assessment report: as a PDF for ImmuniWeb On-Demand, or via an interactive dashboard for ImmuniWeb Continuous. Both support XML vulnerability data export for integration with your SIEM or WAF.
But what makes High-Tech Bridge's ImmuniWeb offering so unique among its numerous competitors, including various automated vulnerability scanners and human-augmented solutions? It is the proprietary technology that High-Tech Bridge calls "hybrid in real time". As the name suggests, it is a hybrid of automated and manual testing. However, in contrast to common human-augmented solutions, where a human merely removes false positives or performs separate testing, the ImmuniWeb platform combines both in real time and synchronizes the results on the fly. Professional penetration testers and web security experts supervise and guide the vulnerability scanning system, while the machine takes care of simple but time-consuming tasks for them. Every detected vulnerability is manually validated and approved by a human, which the company says guarantees zero false positives. The team is so confident in this claim that High-Tech Bridge guarantees a full refund of the assessment price if you get even a single false positive. Note that such a guarantee covers false positives only; it says nothing about false negatives, i.e. vulnerabilities the assessment fails to find. Moreover, High-Tech Bridge's proprietary vulnerability scanning system is based on machine learning, relying on previously human-verified data for its decision-making.
As a result, there is no delay in merging manual and automated testing results. What a classic web application penetration test achieves in 5 days, the company claims an ImmuniWeb assessment can do in just 3 days, with the same or even better quality and vulnerability detection rate. Last but not least, for each vulnerability ImmuniWeb provides a working PoC (Proof of Concept) or exploit code demonstrating its exploitation, together with a tailored remediation.
According to High-Tech Bridge's founder Mr. Ilia Kolochenko, who is also ImmuniWeb's Chief Architect and a well-known web security expert and contributor to CSO, SC Magazine UK and Dark Reading, the company will make a number of exciting announcements this year about new functionality and strategic partnerships. So let's stay tuned to see whether High-Tech Bridge really is the game-changing unicorn we have been waiting for.