Review: ImmuniWeb On-Demand Application Security Testing

Will AI save our sites?
Artificial intelligence is great but people are often necessary for some tasks. ImmuniWeb understands that. Assessing the security of a website is non-trivial and, while automated tools exist to test for the presence of various vulnerabilities, often it takes a human brain to really get to the bottom of a problem. Much in the same way that SE Labs uses people to enhance security testing, ImmuniWeb adds the personal touch to checking the quality of a website’s security.
The service provides testing for vulnerabilities listed in the OWASP Top Ten Vulnerabilities list, PCI DSS vulnerabilities and a range of other sensible criteria, including predictable CAPTCHA protections and open directory listings.
Wizard setup
Setting up the initial test was a very simple task. Enter a few relevant details into ImmuniWeb’s Wizard-driven website, pay the fee and the work starts. A couple of days later a report is made available and you have around three months to download it before it is deleted automatically. You will receive warnings about the impending deletion.
The report is detailed. The first pages give an overview of the risk level based on how many vulnerabilities have been found, certain administration configuration issues that might exist and even an indication of other websites that might be impersonating yours.
Who is hosting?
The data in the reports is interesting and some of the issues brought to light could be easily solved. It does depend on how you have your web hosting organised, though. For example, if you run your own servers you can follow advice on upgrading certain services, such as Apache or SSH.
However, if your site runs on a hosting platform provided by a third party, such as GoDaddy, 1&1, 123Reg or a thousand others, then you have a choice: you could contact the company and request that they upgrade; or move to another host and hope that they do a better job with updates.
In this review we discovered that the hosting company we use for the SE Labs website was a little behind with some updates. We used the ImmuniWeb report as evidence that there was a potential problem and, to our surprise, the company responded fast and claimed to fix the issues.
While we could verify the changes ourselves (after all, we test security systems ourselves) we understand that for most businesses a second test would be warranted. We ran a second test for this review and were pleased to see that the previous issues had indeed been fixed.
How much?
This is where things could get expensive, though. An on-demand small business (SMB) test costs $1,499. If you are a start-up and want to have your site assessed then this is a reasonable business expense. Multiple verification tests add up, though. A faster ‘Express’ test is less expensive, coming in at $499. If you expect your site to change frequently then continuous assessments are available, with prices starting at $999 per month.

Total Cost of Reassurance
But while your site might not change, knowledge about security vulnerabilities does. New vulnerabilities are being discovered at a frightening rate and updates for popular web server components, such as MySQL, appear often. When testing our own website, ImmuniWeb noted out-of-date software, which was updated accordingly.
By the time we ran the second test the same, updated software was again out of date. If the same issues happen to you, it might be worth learning how to test the versions of the services running at your web hosting company and give them a prod to update as and when necessary. Paying over $1,000 to assess something they should be taking care of seems unnecessary.
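One way to do that kind of version check yourself, as an added example that is not part of the original review or of ImmuniWeb's service: the sketch below reads the version banners that SSH and Apache advertise on your own hosting and compares them with a baseline you maintain. The function names are hypothetical and the baseline versions are constructed placeholders.

```python
import http.client
import re
import socket

# Constructed placeholder baselines: replace with the minimum versions you
# accept, taken from the vendors' current security advisories.
BASELINE = {"apache": (2, 4, 58), "openssh": (9, 6)}
PATTERNS = {
    "apache": re.compile(r"Apache/(\d+(?:\.\d+)*)"),
    "openssh": re.compile(r"OpenSSH_(\d+(?:\.\d+)*)"),
}

def ssh_banner(host, port=22, timeout=5):
    """Read the identification line an SSH server sends on connect."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        return s.recv(256).decode("ascii", "replace").strip()

def http_server_header(host, timeout=5):
    """Return the Server header from a HEAD request to your own site."""
    conn = http.client.HTTPSConnection(host, timeout=timeout)
    try:
        conn.request("HEAD", "/")
        return conn.getresponse().getheader("Server", "")
    finally:
        conn.close()

def parse_banner(banner):
    """Return (product, version tuple), or (None, None) if no version shown."""
    for product, pattern in PATTERNS.items():
        match = pattern.search(banner)
        if match:
            return product, tuple(int(p) for p in match.group(1).split("."))
    return None, None

def assess(banner, baseline=BASELINE):
    """Classify a banner as 'outdated', 'ok' or 'unknown'."""
    product, version = parse_banner(banner)
    if product is None:
        return "unknown"  # version hidden (e.g. bare "Apache") or other product
    minimum = baseline[product]
    n = min(len(version), len(minimum))
    if version[:n] != minimum[:n]:
        return "outdated" if version[:n] < minimum[:n] else "ok"
    # Equal so far: a shorter banner ("Apache/2.4") cannot settle the question.
    return "ok" if len(version) >= len(minimum) else "unknown"

if __name__ == "__main__":
    # Constructed sample banners, not captured from any real host.
    for b in ("SSH-2.0-OpenSSH_7.4", "Apache/2.4.29 (Ubuntu)", "Apache/2.4", "Apache"):
        print(f"{b!r}: {assess(b)}")
```

Linux distributions often backport security fixes without changing the upstream version string, so an "outdated" result is a reason to ask the hosting company about patch status rather than proof of a vulnerability.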
Monitoring the weak link
Losing control of your website is a situation no business wants to contemplate, whether it’s a start-up looking for funding or a massively profitable public company. Web application vulnerabilities are a significant weak point that can and should be assessed regularly. ImmuniWeb provides just such a service but because people are involved, as well as machine learning-equipped systems, there is a significant cost to the system, as well as an advantage over free website scanning sites and tools.
While, on the face of it, using ImmuniWeb’s service might appear expensive, compared to training your own team of penetration testers, or sub-contracting a company to do the work for you, it is good value for money.

*** This is a Security Bloggers Network syndicated blog from SPECIAL EDITION authored by Simon PG Edwards. Read the original post at: http://blog.selabs.uk/2017/09/review-immuniweb-on-demand.html