Keeping your site tight with ImmuniWeb

If your business relies to any extent on a commercial Internet site, you need to consider how well it would stand up to a concerted, malicious attack. There are many reasons an individual or group might want to insert code or text within its pages.

It might be a hacker attempting to put malware on it, so your legitimate customers would inadvertently download and distribute it when they view your site’s pages. It might be somebody wanting to deface your site as a personal attack. It might be bots trying to extract unique content for other uses.

Whatever the reasons, knowing the vulnerabilities in your site can help you patch them and improve the security for your valued visitors.

That’s where ImmuniWeb can help. It is a penetration-testing and scanning service which combines automated scanning with manual vulnerability tests, to provide a report showing where any problems lie and, more importantly, how to fix them.

Running ImmuniWeb

It’s a very straightforward procedure to set up an ImmuniWeb survey of your site’s security. The site asks only for details of the site name, statements that you are the owner of the site (or authorised employee) and that you give permission for the survey to be carried out. You pay your fee and that’s it.


High-Tech Bridge sends you a number of emails during the evaluation, confirming your order, detailing when it will start, when it has started, when it has finished and when the report is ready. The site is security-protected, so only the account holder can gain access to the report, which can be downloaded as a PDF document.

The Report

The report we commissioned on the ITProPortal site – which is run on the WordPress platform – ran to 18 pages and detailed everything from critical down to low risks. There’s an executive summary, highlighting the overall results, as well as a breakdown of the various tests and assessments made.

As you mine down through the report, there are necessarily technical descriptions and proposed remedies, intended for the site’s development personnel. What’s good to see all the way through is that the report doesn’t resort to jargon for its own sake and only uses what’s necessary to get the information across.


The report doesn’t confine itself to identifying possible vulnerabilities, but also offers steps to remediation. For example, in the ITProPortal report, there were no critical or high risks found, but one of the two medium risks (both now fixed) stated there was a possibility of cross-site scripting:

"An attacker might be able to steal user's cookies, credentials and browser history, modify web page content to perform phishing attacks, or even to perform drive-by-download attacks by injecting malware into website pages when the victim follows a specially crafted link with XSS exploit."

As a remedy, it offered the following:

"To eliminate the vulnerability, edit the web application source code (or ask your software developer to do so) in order to implement proper filtration of the 'itpp-contribute-form[title]' parameter against Cross-Site Scripting attacks using standard PHP input-sanitization functions."

There is also a section detailing proof of concept with sample, non-damaging, code exploiting it, in case you require an example of the vulnerability.
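The remedy quoted above, shown as added illustration rather than code from the ITProPortal site or the report: the unescaped handling of the `itpp-contribute-form[title]` parameter next to a version that sanitises the input and encodes it for the attribute context. The form markup, function names and sample request are assumed.

```php
<?php
declare(strict_types=1);

// Vulnerable pattern: the submitted title is written straight back into
// the page, so any markup or quote in it is interpreted by the browser.
function render_title_field_vulnerable(array $post): string
{
    $title = $post['itpp-contribute-form']['title'] ?? '';
    return '<input name="itpp-contribute-form[title]" value="' . $title . '">';
}

// Input sanitisation: remove tags and control characters and bound the
// length, so that what gets stored or re-displayed is plain text only.
// (In WordPress, sanitize_text_field() does a comparable job.)
function clean_title(string $raw): string
{
    $title = strip_tags($raw);
    $title = preg_replace('/[\x00-\x1F\x7F]/u', '', $title) ?? '';
    $title = trim(preg_replace('/\s+/u', ' ', $title) ?? '');
    return mb_substr($title, 0, 200);
}

// Output encoding is the step that actually prevents XSS: ENT_QUOTES
// encodes the double quote that would otherwise close the value attribute.
// (In WordPress, esc_attr() is the equivalent for attribute context.)
function render_title_field_safe(array $post): string
{
    $raw   = $post['itpp-contribute-form']['title'] ?? '';
    $title = clean_title(is_string($raw) ? $raw : '');
    $escaped = htmlspecialchars($title, ENT_QUOTES | ENT_HTML5, 'UTF-8');
    return '<input name="itpp-contribute-form[title]" value="' . $escaped . '">';
}

// Constructed sample request (not real traffic) containing quotes and tags.
$sample = ['itpp-contribute-form' => ['title' => 'Hello "World" <b>&</b>']];

echo render_title_field_vulnerable($sample), PHP_EOL; // quotes and tags reach the page intact
echo render_title_field_safe($sample), PHP_EOL;       // value="Hello &quot;World&quot; &amp;"
```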


Separately, the report lists security warnings: things that aren’t in themselves risks, but which lower the overall security of the site. The ITProPortal report pointed out an exposed administrative interface (again fixed) which it said was open to brute force attacks. As remediation, it offered the following:

"It is recommended to restrict access to administrative interface for a specified range of trusted IP addresses, or to implement additional level of authorization. Another solution is just to change the default URL to something custom and difficult to guess."

The second solution is impressively practical.
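The first remediation quoted above, restricting the administrative interface to trusted address ranges, as an added illustration in PHP (not code from ITProPortal, WordPress or High-Tech Bridge). The CIDR ranges use RFC 5737 documentation addresses and are placeholders; the gate function and where it is called are assumed.

```php
<?php
declare(strict_types=1);

// Placeholder allowlist; replace with the organisation's real trusted ranges.
const TRUSTED_ADMIN_RANGES = ['203.0.113.0/24', '198.51.100.7/32'];

// True if $ip lies inside $cidr. Works for IPv4 and IPv6 by comparing the
// packed binary forms; a mixed or malformed pair is treated as no match.
function ip_in_cidr(string $ip, string $cidr): bool
{
    [$subnet, $bits] = array_pad(explode('/', $cidr, 2), 2, '');
    $ipBin  = inet_pton($ip);
    $netBin = inet_pton($subnet);
    if ($ipBin === false || $netBin === false || strlen($ipBin) !== strlen($netBin)) {
        return false;
    }
    $bits = ($bits === '') ? strlen($ipBin) * 8 : (int) $bits;
    if ($bits < 0 || $bits > strlen($ipBin) * 8) {
        return false;
    }
    $bytes = intdiv($bits, 8);
    $rem   = $bits % 8;
    if (substr($ipBin, 0, $bytes) !== substr($netBin, 0, $bytes)) {
        return false;
    }
    if ($rem === 0) {
        return true;
    }
    $mask = (0xFF << (8 - $rem)) & 0xFF; // leading $rem bits of the next byte
    return (ord($ipBin[$bytes]) & $mask) === (ord($netBin[$bytes]) & $mask);
}

function admin_access_allowed(string $clientIp, array $ranges = TRUSTED_ADMIN_RANGES): bool
{
    foreach ($ranges as $range) {
        if (ip_in_cidr($clientIp, $range)) {
            return true;
        }
    }
    return false;
}

// Gate to run at the top of the admin entry point. REMOTE_ADDR is the socket
// peer; only trust a forwarded-for header if a known proxy sets it.
function enforce_admin_allowlist(): void
{
    if (!admin_access_allowed($_SERVER['REMOTE_ADDR'] ?? '')) {
        http_response_code(403);
        exit('Administrative interface is restricted.');
    }
}
```

The same restriction is normally applied in the web server or firewall in front of the application; the PHP check is a fallback that still holds if that layer is misconfigured.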

Competitors

High-Tech Bridge isn’t the only company offering web application security auditing, of course. There are many on offer, with names like Qualys, Acunetix and IBM being prominent.

The key difference between ImmuniWeb and these other services is its hybrid approach to vulnerability scanning. Rather than relying solely on an automated suite of security probes, it uses security technicians to perform manual web application penetration tests and to monitor and manage the automated scanning in parallel.

Most of the competitor products also try to encourage you to keep them on contract. For a Small or Medium Business (SMB), this may prove uneconomic. While ImmuniWeb is a spot-check, it can, of course, be repeated whenever it is felt necessary and on a schedule decided by the customer.


Product Range

Geneva-based High-Tech Bridge has a number of products in the ImmuniWeb range, from an Express survey costing $299, through SME to Corporate and Corporate Pro products, which top out at $6,990. The main difference is the length of time taken to conduct the evaluation and the proportion of that work that is manually based.

These different levels of survey also address different sizes of site. An individual’s site, which might be a simple blog, might still have a lot of traffic. It doesn’t need the length of evaluation of the higher-priced ImmuniWeb scans, because of its simple structure and comparatively small number of pages.

At the other end, a large corporation which relies on its web site for trade and online sales may have a very complex site with numerous pages needing checking. The SMB product reviewed here consists of 8 hours of manual web application penetration tests and 12 hours of managed automated vulnerability scanning performed in parallel.

Conclusion

ImmuniWeb offers a range of useful web site security audits, with a hybrid approach combining automated scanning with manual penetration tests. The SMB product is a very easy to use, turnkey offering. ImmuniWeb offers a Security Seal, which can be displayed on your site, to show when the last assessment was completed.

You order, pay and within a couple of days receive a detailed report which offers practical and detailed solutions for any security problems identified. You’re not tied into any ongoing contract and can reorder scans on any schedule which suits your business.

For anybody in an SMB wanting to check the security of his/her site, without having to fathom a load of arcane technospeak, ImmuniWeb SMB is quick, thorough and run by humans. 9/10.
