Practical Usage Of AI For Fun And Profit: Application Security Testing
Application security is a big deal today — Gartner, Forrester, and IDC all bet on it in their DevSecOps research. Every startup builds its own mobile apps, websites, and micro-services to deliver, buy, or sell something, and large enterprises are lost in jungles of applications and related infrastructure.
This probably explains the overcrowded market of application security testing vendors: one can easily find a dozen popular web vulnerability scanners, numerous SaaS vendors with one-size-fits-all offerings, and various web penetration testing boutiques and firms. Their customers, disappointed either by the false positives and low vulnerability detection rate of automated tools or by exorbitant pricing for manual penetration testing, turn to crowd security offerings (aka "bug bounties"), trying to cut their costs by paying only for valid results. How many of them succeed remains unclear so far.
Folks from High-Tech Bridge, a web security company headquartered in Geneva, decided to take a slightly different approach to application security testing, and that caught our attention. This Swiss startup first came onto our radar back in June 2018 when they challenged IBM's Watson for Cyber Security and five other vendors at "SC Awards Europe 2018", leaving London with an enviable "Best usage of Machine Learning and AI" golden trophy. Initially started as a penetration testing company, High-Tech Bridge built its in-house technology into the ImmuniWeb® AI Platform. It leverages Machine Learning — mostly Artificial Neural Networks, including Deep Learning — for intelligent automation of application security, enhanced with scalable manual testing. But let's start from the very beginning.
Our audience likely knows High-Tech Bridge for some of its free products offered to the cybersecurity community. However, this is just a very small part of what they really do. In 2017, Gartner named High-Tech Bridge a "Cool Vendor", and in our opinion, what they do is indeed cool. The company doesn't try to scare customers with the usual vendor FUD; it tries to educate them and show the right approach to application security testing without annoyingly pushing its products.
Its flagship product — ImmuniWeb Discovery — is a starting point for any company, whether an SME or a multinational, looking to build a sustainable, risk-based, and result-oriented application security program. ImmuniWeb Discovery combines OSINT (open source intelligence) and Big Data technologies to enumerate your external attack surface — all your websites, web applications, mobile apps, micro-services, domain names, SSL certificates, and even unprotected cloud storage such as AWS buckets. All you need to do is enter your company name and your main website:
The entire discovery technology is non-intrusive and leverages information available in the public domain. That is to say, there is no port scanning, web fuzzing, or any other heavy reconnaissance activity that may trigger additional paperwork (e.g. authorization to conduct testing) or require IP whitelisting to prevent false alerts on your WAF. Within a few hours of starting, you get an ample picture of your external attack surface in a cozy-looking UI.
A cool thing is that all of High-Tech Bridge's free products are already integrated there, so you can see your web server security grade, the strength of your SSL/TLS encryption, and even cybersquatting and typosquatting domains impersonating your trademarks or brands. And all this you get for free — a remarkably generous gesture for a vendor.
If you spend $499, ImmuniWeb Discovery AI (the paid version of Discovery) will not just illuminate all your external web assets but also calculate hackability and attractiveness scores for each of them. This can be particularly useful for enterprises with over a hundred applications to understand how quickly their applications could be hacked and how attractive they are in the eyes of black hats — an indispensable part of what the big boys at Gartner call CARTA (Continuous Adaptive Risk and Trust Assessment).
Now let's have a look at its commercial offering. High-Tech Bridge's CEO says that strong AI, capable of entirely replacing humans, does not exist and is unlikely to appear within the next decade. However, the company sees big potential in Machine Learning for intelligent automation of a great many things — from website crawling and fuzzing to vulnerability validation and patch verification. When its ML technology cannot provide a 100 percent success score for completing a particular task, a human comes into play and helps the machine. This is what they call a "hybrid approach": human intelligence is used only for non-trivial and sophisticated tasks and processes, making it scalable and thus cost-efficient compared to classic, human-only penetration testing.
High-Tech Bridge positions itself as the third generation of application security testing technologies, gently pushing automated and human-augmented SaaS off the scene.
Among the promised benefits are a zero-false-positives SLA and a money-back guarantee for every customer. No joke: customers have a contractual clause that clearly states they will get their money back if they stumble upon a single false positive in the application security audit report.
Intelligent and scalable human testing enables detection of complicated attack vectors and exploitation techniques for OWASP Top 10 and PCI DSS 6.5.1-6.5.10 vulnerabilities, and analysis of application business logic to spot sophisticated flaws — from improper access controls and authentication bypasses to theft of funds using negative discounts or re-routing unreturned but reimbursed goods from an e-commerce website. This is something no AI can perform today.
Another cool thing is that you can see all the prices and packages online — a philosophy of transparent and fair approach regardless of how wealthy a client is. You can precisely select what you need and pay for a well-defined scope and methodology of testing.
For our review, we got a $499 ImmuniWeb® On-Demand Express. We particularly liked the simple and straightforward ImmuniWeb AI Platform web interface, where you enter your website URL, add any comments for testing or reporting in plain English (e.g. "exclude self-XSS"), and select vulnerability data export options if you have a WAF or a bug tracker (e.g. JIRA).
You can pay online by credit card, PayPal, or bank transfer. Returning customers get incremental discounts — a nice-to-have feature to reward loyalty. Once the assessment starts, you get an email with the clear timing and scope of testing, confirming once again the IP addresses from which the assessment will take place. During our website assessment, we did not notice any performance issues or the usual garbage requests submitted to online forms by automated web vulnerability scanners.
Results were pretty exciting compared to everything we saw in the past. Indeed, no single false positive — working exploits, well-explained CVSSv3 scores, and reasonably tailored remediation guidelines.
For a 0day SQL injection found in a WordPress plugin, High-Tech Bridge's technical support answered all our questions and even helped us contact the vendor to request an official patch. Yes, any 0days they discover belong to you, so you decide what to do with them.
It is good to see that various weaknesses, such as default admin panels, absence of anti-automation, missing secure flags on cookies, or outdated JS libraries, are unobtrusively listed at the end of the audit report — so as not to pollute the substantial findings and dilute your attention. Web forms where one can enter Personally Identifiable Information (PII), and web documents containing PII, are all listed in a separate location to remind you about the severe financial penalties of GDPR.
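The "missing secure flags on cookies" item above is the kind of low-severity check that is easy to reproduce on your own responses before an audit. The following is an added example written for this page, not ImmuniWeb's or High-Tech Bridge's code: it parses raw Set-Cookie header values (the sample headers are constructed) and reports, per cookie, which of the Secure, HttpOnly and SameSite attributes are absent, plus the SameSite=None-without-Secure combination that modern browsers reject.

```python
"""Audit Set-Cookie headers for missing hardening attributes (added example)."""
from typing import Dict, List, Tuple

# Constructed sample: raw Set-Cookie values as a server might send them.
SAMPLE_SET_COOKIE_HEADERS = [
    "sessionid=abc123; Path=/; HttpOnly",
    "csrftoken=xyz789; Path=/; Secure; HttpOnly; SameSite=Strict",
    "tracking=42; Path=/; SameSite=None",
    "prefs=dark; Path=/; Secure",
]

# Attribute keys as they appear after lowercasing, mapped to the canonical spelling
# used in findings.
REQUIRED_ATTRIBUTES = {"secure": "Secure", "httponly": "HttpOnly", "samesite": "SameSite"}


def parse_set_cookie(header: str) -> Tuple[str, Dict[str, str]]:
    """Split one Set-Cookie value into (cookie name, {attribute: value}).

    Attribute names are case-insensitive per RFC 6265, so they are lowercased;
    flag attributes such as Secure get an empty string as their value.
    """
    parts = [p.strip() for p in header.split(";")]
    name, _, _value = parts[0].partition("=")
    attrs: Dict[str, str] = {}
    for part in parts[1:]:
        if not part:
            continue
        key, _, value = part.partition("=")
        attrs[key.strip().lower()] = value.strip()
    return name.strip(), attrs


def audit_set_cookie_headers(headers: List[str]) -> Dict[str, List[str]]:
    """Return {cookie name: [issue, ...]}; an empty list means the cookie passed."""
    findings: Dict[str, List[str]] = {}
    for header in headers:
        name, attrs = parse_set_cookie(header)
        issues = [f"missing {label}" for key, label in REQUIRED_ATTRIBUTES.items()
                  if key not in attrs]
        # SameSite=None only takes effect when Secure is also set; without it,
        # browsers drop the cookie, so the attribute gives no protection.
        if attrs.get("samesite", "").lower() == "none" and "secure" not in attrs:
            issues.append("SameSite=None without Secure")
        findings[name] = issues
    return findings


if __name__ == "__main__":
    for cookie, issues in audit_set_cookie_headers(SAMPLE_SET_COOKIE_HEADERS).items():
        status = ", ".join(issues) if issues else "ok"
        print(f"{cookie}: {status}")
```

In practice you would feed `audit_set_cookie_headers` the `Set-Cookie` values collected from your own application's responses (for example from `response.headers.get_all("Set-Cookie")` on an `http.client` response) and treat anything other than an empty issue list as a remediation item.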
Once you get the report, you can run unlimited patch verification scans (included in the price!) to ascertain whether your web developers properly addressed all the vulnerabilities:
If you don't know which ImmuniWeb package will suit your applications best, you can use the free package selector. One package can group several URLs or domains.
In conclusion, we have to say that we greatly enjoyed ImmuniWeb's simplicity and value for money. As for the rest, it seems that the folks at High-Tech Bridge really know what they are doing in web security and machine learning.