ImmuniWeb® Security Assessment: Technical Details
The security assessment begins on the date you selected. It may take up to 12 hours depending on the size and complexity of the website being assessed. The assessment process does not require your presence or any action on your part; our back-office takes care of everything.
The duration of an ImmuniWeb® security assessment is intentionally limited to 12 hours; ImmuniWeb® technology has proved in numerous tests that this period is sufficient to identify all common web vulnerabilities and weaknesses on an average SMB company website. Companies and organizations with websites containing hundreds of thousands of pages should use ImmuniWeb® as an efficient decision-making tool before investing in a penetration test or source code review. If ImmuniWeb® reveals serious vulnerabilities on such a website in just 12 hours, the organization should not delay in commissioning a comprehensive web application penetration test and infrastructure hardening.
Manual and Automated Detection of the Most Complex Vulnerabilities
ImmuniWeb® SaaS is certified by MITRE as CVE and CWE compatible.
Manual security testing by the auditor in parallel with an automated security assessment by ImmuniWeb® Security Scanner is what differentiates ImmuniWeb® from other SaaS-based web vulnerability assessment solutions. This hybrid approach successfully detects the most complex web vulnerabilities that cannot be found by automated vulnerability scanning alone.
ImmuniWeb® security assessment identifies the most popular web application vulnerabilities mentioned in OWASP Top Ten:
- Broken Authentication and Session Management
- Cross-Site Scripting (XSS)
- Insecure Direct Object References
- Security Misconfiguration
- Sensitive Data Exposure
- Missing Function Level Access Control
- Cross-Site Request Forgery (CSRF)
- Using Components with Known Vulnerabilities
- Unvalidated Redirects and Forwards
The continuous involvement of a security auditor throughout the entire ImmuniWeb® security assessment ensures the highest quality and accuracy of both the assessment and the subsequent report, a level of quality that cannot be achieved by automated tools or single-source solutions alone. Today, in the era of AJAX and JSON web technologies, application logic errors and DOM-based XSS vulnerabilities, many web security scanners are unable to detect complex web 2.0 vulnerabilities. The presence of an auditor ensures that such vulnerabilities won’t be missed and will be included in the assessment report.
The auditor also monitors the assessment performed by the security scanner and interacts with it as needed. This assures the absolute accuracy of assessment results and totally eliminates false positives, i.e. non-existent vulnerabilities that automated security software wrongly ‘detects’. Moreover, if the auditor detects a vulnerability that the scanner has missed, the vulnerability’s details are immediately sent to the scanner developers, who investigate the issue, find a solution, and update the existing vulnerability detection algorithms.
ImmuniWeb® Security Scanner
ImmuniWeb® Security Scanner is a proprietary scanner for web vulnerabilities and weaknesses, developed and supported by High-Tech Bridge. The 360Security™ concept on which ImmuniWeb® Security Scanner is based consists of five different modules that together cover all aspects of web application security:
Advanced Detection of Web Application Vulnerabilities
This is the core module performing the most significant portion of the assessment. It detects multiple types of the most popular web vulnerabilities. It was successfully tested on the most common web technologies and platforms, including PHP, ASP, ASP.NET, JSP, and ColdFusion.
Vulnerability Databases Monitor
If your website runs on a commercial or open source Content Management System (CMS) or framework, this module searches numerous Vulnerability Databases (VDB) for known security vulnerabilities and issues affecting it. Each VDB entry is manually verified by the auditor to eliminate false positives in the report.
SSL Certificate Monitor
The SSL Certificate Monitor module analyses potential misconfigurations of the SSL certificate chain and other weaknesses in the SSL/TLS implementation. As a member of the Online Trust Alliance Advisory Council, High-Tech Bridge strongly recommends using SSL certificates signed by a trusted Certificate Authority (CA) on every website.
Hacking Resources Monitor
Based on unique High-Tech Bridge technology, the Hacking Resources Monitor module crawls hacking websites, forums, and mail archives to detect malicious activities targeting your website in the past 12 months or since your last ImmuniWeb® Security Assessment. The information obtained will include publicly exposed vulnerabilities and weaknesses, hacking attempts, phishing campaigns, and previous website security breaches.
The scanner supports testing of password-protected websites and directories; it can also be configured to exclude any directory from being tested. All these options can be easily configured directly on the ImmuniWeb® Portal during your security assessment project configuration.
The fifth module leverages innovative High-Tech Bridge technology to search for registered domains that could potentially be used to spoof your domain identity for phishing and scams.
ImmuniWeb® Security Assessment Report
The assessment report is delivered within eight working hours after the completion of the security assessment. The report lists the vulnerabilities and weaknesses detected during the assessment by ImmuniWeb® Security Scanner as well as those manually revealed by the security auditor. Every report is reviewed by our Quality Assurance team before delivery.
Upon completion of an ImmuniWeb® security assessment you will be able to download an easily understandable and user-friendly report from the ImmuniWeb® Portal. The report may be securely stored on the Portal for up to 60 days or deleted immediately upon download, based on your preference.
The ImmuniWeb® assessment report provides you with a comprehensive overview of the current state of your website security. Each security vulnerability in the assessment report is provided with:
- CVSSv2 Base Score [Common Vulnerability Scoring System]
- CWE-ID [Common Weakness Enumeration Identification]
- CVE-ID [Common Vulnerabilities and Exposures] - where applicable
For each vulnerability discovered, we provide at least three customized remediation techniques. The security auditor carefully examines every vulnerability to suggest the most appropriate and personalized application of the following patching techniques:
- Web application source code modification
- Web application firewall rule-set
- Vendor's security update/fix installation
Guidelines are written in a straightforward and user-friendly manner. Each type of security vulnerability detectable by ImmuniWeb® is also described with numerous examples in our CWE Vulnerability Glossary.
At the end of the report there is a list of all the detected security weaknesses and configuration errors, together with detailed recommendations on their remediation.
The report is delivered in PDF format directly on the ImmuniWeb® Portal in a secure manner. The report may be securely stored on the Portal for a 60-day period or immediately deleted by the user.
Protect Your Web Assets with ImmuniWeb®
Vulnerable web applications are major attack vectors exploited by cyber criminals for both targeted and wide-scale attacks. This is why website security is essential today for all types of organizations. Your corporate web presence is your organization's digital identity. Its protection is essential to maintain the confidence and trust of your customers, to ensure compliance with standards and regulatory requirements, to protect the confidentiality, integrity and availability of your organization's vital information, and to protect its image. Inadequately protected websites are easy targets for opportunistic cybercriminals, even if they are not specifically interested in your company's data. Their motivation is to gain control of as many Internet resources as possible, or to exploit weak targets that could let them reach other targets within the same networks and data centers.
Web application vulnerabilities are exploited by hackers more frequently than server or network vulnerabilities; at High-Tech Bridge, our long-standing penetration testing and computer forensics experience confirms this. The scope of an ImmuniWeb® security assessment is therefore limited to the web application itself, which also ensures that ImmuniWeb® security assessments do not impact system availability or third-party resources. This makes ImmuniWeb® the ideal solution for testing web applications hosted on shared servers or in the cloud.
ImmuniWeb® is primarily intended for Small and Medium Businesses (SMBs) that cannot afford extensive security assessments of their websites because of process complexity, lack of time or internal technical skills, or budget constraints. For large and multinational enterprises, ImmuniWeb® is a cost-effective and time-saving decision-making tool to be used before executing an expensive penetration test or source code review.