SE Labs

Special Edition
Computer security testing comment and analysis from SE LABS Ⓡ

Review: ImmuniWeb On-Demand Application Security Testing

ImmuniWeb

We review the on-demand application security testing service from ImmuniWeb.

What do a start-up, small business and enterprise have in common?

They all have one or more websites.

That’s not a very humorous punchline, but the security implications of managing business websites aren’t funny either.

In an age when extremely large organisations are being hacked, as well as specialist security companies, website security could not be a more serious business. Throw into the mix regulations such as the data protection act and the incoming GDPR legislation and being the person responsible for the company website just became positively horrible.

A website is a business’ public face, whether it be a local taxi company or a global pharmaceutical giant. It is virtually impossible to do business these days without a website and maintain credibility, but a website hack instantly harms any company’s standing.

How do websites get hacked? Sometimes the attackers will focus on compromising the site’s administrator, but more often than not (in our experience) the site itself is attacked directly by means of an exploit.

Such an exploit could be a aimed at a vulnerability in the platform, such as WordPress, or the server’s operating system. Sometimes the hosting company itself is targeted: a good value-for-money proposition for an attacker who wants to run one attack and gain access to thousands of websites.

Sign up to our monthly business and personal security newsletters.

Will AI save our sites?

Artificial intelligence is great but people are often necessary for some tasks. ImmuniWeb understands that. Assessing the security of a website is non-trivial and, while automated tools exist to test for the presence of various vulnerabilities, often it takes a human brain to really get to the bottom of a problem. Much in the same way that SE Labs uses people to enhance security testing, ImmuniWeb adds the personal touch to checking the quality of a website’s security. The service provides testing for vulnerabilities listed in the OWASP Top Ten Vulnerabilities list, PCI DSS vulnerabilities and a range of other sensible criteria, including predictable CAPTCHA protections and open directory listings.

ImmuniWeb Wizard setup

wizard-4625603

Setting up the initial test was a very simple task. Enter a few relevant details into ImmuniWeb’s Wizard-driven website, pay the fee and the work starts. A couple of days later the service delivers a report and you have around three months to download it before it deletes the file automatically. You will receive warnings about the impending deletion. The report contains a lot of detail. The first pages give an overview of the risk level based on how many vulnerabilities the service finds. Certain administration configuration issues might exist and it could even show an indication of other websites that might be impersonating yours.

Who is hosting?

report-4813405

The data in the reports is interesting and some of the issues brought to light could be easily solved. It does depend on how you have your web hosting organised, though. For example, if you run your own servers you can follow advice on upgrading certain services, such as Apache or SSH. However, if your site runs on a hosting platform provided by a third-party, such as GoDaddy, 1&1, 123Reg or a thousand others then you have a choice: You could contact the company and request that they upgrade; or move to another host and hope that they do a better job with updates.

In this review we discovered that the hosting company we use for the SE Labs website was a little behind with some updates. We used the ImmuniWeb report as evidence that there was a potential problem and, to our surprise, the company responded fast and claimed to fix the issues. While we could verify the changes ourselves (after all, we test security systems ourselves) but we understand that most businesses would want a second test. We ran a second test for this review and noted that our hosting company had indeed fixed the previous issues.

How much?

This is where things could get expensive, though. An on-demand small business (SMB) test costs $1,499. If you are a start-up and want to have your site assessed then this is a reasonable business expense. Multiple verification tests add up, though. A faster ‘Express’ test is less expensive, coming in at $499. If you expect your site to change frequently then continuous assessments are available, with prices starting at $999 per month.

Total Cost of Reassurance

But while your site might not change, knowledge about security vulnerabilities does. Researchers discover new vulnerabilities at a frightening rate and updates for popular web server components, such as MySQL, appear often. When testing our own website ImmuniWeb noted out of date software, which our hosting provider updated accordingly. By the time we ran the second test the same, updated software was again out of date. If the same issues happen to you, it might be worth learning how to test the versions of the services running at your web hosting company and give them a prod to update as and when necessary. Paying over $1,000 to assess something they should be taking care of seems unnecessary.

Monitoring the weak link

Losing control of your website is a situation no business wants to contemplate, whether it’s a start-up looking for funding or a massively profitable public company. Web application vulnerabilities are a significant weak point that you should assess regularly. ImmuniWeb provides just such a service. But at a significant cost, because the service involves people as well as machine learning-equipped systems. These also bring advantages over free website scanning sites and tools.

While, on the face of it, using ImmuniWeb’s service might appear expensive, compared to training your own team of penetration testers, or sub-contracting a company to do the work for you, it is good value for money.

Find out more

Free security test reports

Stay in touch

Get tested

Discover how we work with large organisations and security vendors.

  • Do you run a large organisation’s security infrastructure and want an assessment?
  • Are you a security vendor that needs certification?
  • SE Labs anti-virus certification can help security vendors access Windows Early Launch Antimalware (ELAM).

Please contact us now.

About

SE Labs Ltd is a private, independently-owned and run testing company that assesses security products and services. The main laboratory is located in Wimbledon, South London. It has excellent local and international travel connections. The lab is open for prearranged client visits.

Contact

SE Labs Ltd
Hill Place House
55A High Street
Wimbledon
SW19 5BA

info@selabs.uk

Press