We review the on-demand application security testing service from ImmuniWeb.
What do a start-up, small business and enterprise have in common?
They all have one or more websites.
That’s not a very humorous punchline, but the security implications of managing business websites aren’t funny either.
In an age when extremely large organisations are being hacked, as well as specialist security companies, website security could not be a more serious business. Throw into the mix regulations such as the Data Protection Act and the incoming GDPR legislation, and being the person responsible for the company website just became positively horrible.
A website is a business’ public face, whether it be a local taxi company or a global pharmaceutical giant. It is virtually impossible to do business these days without a website and maintain credibility, but a website hack instantly harms any company’s standing.
How do websites get hacked? Sometimes the attackers will focus on compromising the site’s administrator, but more often than not (in our experience) the site itself is attacked directly by means of an exploit.
Such an exploit could be aimed at a vulnerability in the platform, such as WordPress, or in the server’s operating system. Sometimes the hosting company itself is targeted: a good value-for-money proposition for an attacker who wants to run one attack and gain access to thousands of websites.
Will AI save our sites?
Artificial intelligence is great but people are often necessary for some tasks. ImmuniWeb understands that. Assessing the security of a website is non-trivial and, while automated tools exist to test for the presence of various vulnerabilities, often it takes a human brain to really get to the bottom of a problem. Much in the same way that SE Labs uses people to enhance security testing, ImmuniWeb adds the personal touch to checking the quality of a website’s security.
The service provides testing for vulnerabilities listed in the OWASP Top Ten Vulnerabilities list, PCI DSS vulnerabilities and a range of other sensible criteria, including predictable CAPTCHA protections and open directory listings.
ImmuniWeb Wizard setup
Setting up the initial test was a very simple task. Enter a few relevant details into ImmuniWeb’s Wizard-driven website, pay the fee and the work starts. A couple of days later the service delivers a report and you have around three months to download it before it deletes the file automatically. You will receive warnings about the impending deletion. The report contains a lot of detail. The first pages give an overview of the risk level based on how many vulnerabilities the service finds. Certain administration configuration issues might exist and it could even show an indication of other websites that might be impersonating yours.
Who is hosting?
The data in the reports is interesting and some of the issues brought to light could be easily solved. It does depend on how you have your web hosting organised, though. For example, if you run your own servers you can follow advice on upgrading certain services, such as Apache or SSH. However, if your site runs on a hosting platform provided by a third party, such as GoDaddy, 1&1, 123Reg or a thousand others, then you have a choice: you could contact the company and request that they upgrade, or move to another host and hope that they do a better job with updates.
In this review we discovered that the hosting company we use for the SE Labs website was a little behind with some updates. We used the ImmuniWeb report as evidence that there was a potential problem and, to our surprise, the company responded fast and claimed to fix the issues. While we could verify the changes ourselves (after all, testing security systems is what we do), we understand that most businesses would want a second test. We ran a second test for this review and noted that our hosting company had indeed fixed the previous issues.
This is where things could get expensive, though. An on-demand small business (SMB) test costs $1,499. If you are a start-up and want to have your site assessed then this is a reasonable business expense. Multiple verification tests add up, though. A faster ‘Express’ test is less expensive, coming in at $499. If you expect your site to change frequently then continuous assessments are available, with prices starting at $999 per month.
Total Cost of Reassurance
But while your site might not change, knowledge about security vulnerabilities does. Researchers discover new vulnerabilities at a frightening rate and updates for popular web server components, such as MySQL, appear often. When testing our own website, ImmuniWeb noted out-of-date software, which our hosting provider updated accordingly. By the time we ran the second test, the same, updated software was again out of date. If the same issues happen to you, it might be worth learning how to check the versions of the services running at your web hosting company and give them a prod to update as and when necessary. Paying over $1,000 to assess something they should be taking care of seems unnecessary.
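As an added example (not from the review and not ImmuniWeb’s code), the following Python script shows the kind of version check described above: it parses the product banners your own host exposes, such as the HTTP Server header or the SSH greeting, and flags anything below a minimum version you set. The sample banners and the minimum versions are constructed placeholders; replace them with your own site’s values and the releases your vendors currently support.

```python
import re
from urllib.request import urlopen

# Constructed sample banners, standing in for what your own host returns.
SAMPLE_SERVER_HEADER = "Apache/2.4.25 (Unix) OpenSSL/1.0.2k PHP/7.0.33"
SAMPLE_SSH_BANNER = "SSH-2.0-OpenSSH_7.4"

# Hypothetical minimum versions: set these from your vendors' release notes.
MINIMUM_VERSIONS = {"Apache": "2.4.41", "OpenSSL": "1.1.1", "OpenSSH": "8.0"}

# Matches tokens such as "Apache/2.4.25", "mod_ssl/2.4.25" or "OpenSSH_7.4".
TOKEN = re.compile(r"([A-Za-z][A-Za-z_]*)[/_](\d+(?:\.\d+)*)")


def parse_versions(banner):
    """Extract {product: version} pairs from a banner string."""
    return {name: version for name, version in TOKEN.findall(banner)}


def version_tuple(version):
    """Turn '2.4.25' into (2, 4, 25) so versions compare numerically."""
    return tuple(int(part) for part in version.split("."))


def outdated_components(banner, minimums=MINIMUM_VERSIONS):
    """Return {product: (found, minimum)} for every product below its minimum.

    Products that are not listed in `minimums` are ignored, and a banner
    that hides versions (many hosts do) simply yields an empty result, so
    an empty dict means "nothing flagged", not "everything is current".
    """
    found = parse_versions(banner)
    return {
        name: (found[name], minimum)
        for name, minimum in minimums.items()
        if name in found and version_tuple(found[name]) < version_tuple(minimum)
    }


def fetch_server_header(url, timeout=10):
    """Read the Server header from a site you are responsible for (needs network)."""
    with urlopen(url, timeout=timeout) as response:
        return response.headers.get("Server", "")


if __name__ == "__main__":
    for banner in (SAMPLE_SERVER_HEADER, SAMPLE_SSH_BANNER):
        for name, (found, minimum) in outdated_components(banner).items():
            print(f"{name}: found {found}, minimum {minimum}")
```

A banner that shows a version is only a hint; confirm with the host before asking for an upgrade, since some distributions backport fixes without changing the reported version number.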
Monitoring the weak link
Losing control of your website is a situation no business wants to contemplate, whether it’s a start-up looking for funding or a massively profitable public company. Web application vulnerabilities are a significant weak point that you should assess regularly. ImmuniWeb provides just such a service, but at a significant cost, because the service involves people as well as machine learning-equipped systems; those same people also bring advantages over free website-scanning sites and tools.
While, on the face of it, using ImmuniWeb’s service might appear expensive, compared to training your own team of penetration testers, or sub-contracting a company to do the work for you, it is good value for money.