REVIEW: ImmuniWeb

If you’re a small business, the cost of a full investigation into the vulnerabilities and other security issues likely to affect your website can be prohibitive, and you may well need a degree in computer science to understand the results. ImmuniWeb is a fixed-price website security assessment service designed to address both the cost and the complexity problem without compromising on the rigour of the assessment or the advice provided.

10 THINGS YOU NEED TO KNOW ABOUT IMMUNIWEB

  1. From a company called High-Tech Bridge, ImmuniWeb is an online service that uses a mix of automated vulnerability scanning tools and manual penetration testing to assess the security of websites. No knowledge of website programming, security or hacking techniques is required to use ImmuniWeb, just a valid e-mail address, the URL of the website to be examined and a credit card or PayPal account.
  2. ImmuniWeb costs a fixed $990 (around £578). Paid up front, this gives you 12 hours of manual penetration testing on a single site (looking mostly for known vulnerabilities) together with a further 12 hours of automated scanning for security issues, such as open ports, fraudulent domains and the validity of SSL certificates. The end result is a comprehensive report rating the potential vulnerability of your site, highlighting any security issues discovered with suggestions on how to address them.
  3. Like other cloud-based vulnerability scanners, much of the ImmuniWeb investigation process is automated. In addition, however, the entire process is overseen by human “auditors”. Experts in their field, these auditors undertake additional manual penetration tests and validate the results of the automated scans to eliminate false positives. ImmuniWeb auditors can also step in and provide assistance when firewalls and other defences block the scanning tools employed.
  4. The testing performed by ImmuniWeb is non-invasive and requires nothing more than standard browser access to the site to be examined. No passwords have to be divulged and, even where vulnerabilities are found, ImmuniWeb will not attempt to access databases or files containing sensitive information. If you are really concerned, you can instruct the service to ignore specific directories containing this or any other kind of data.
  5. The scans take a while to perform and the report is manually written, so don’t expect a fast turnaround, especially over weekends and holidays. Performed over a weekend, ours took five days from filling in the online application form to receiving the final report.
  6. A secure online portal allows you to follow the progress of your assessment throughout the entire process. In addition you will be sent e-mails to tell you when the scanning starts and finishes and when the report is available to download as a PDF. Customers can also raise support tickets and see messages from their assigned auditors through the ImmuniWeb Portal. This support service is free and available before, during and after purchase of a security assessment.
  7. You don’t have to be a security expert to understand the ImmuniWeb report, but it does help. There was quite a lot of jargon in our report which could be baffling for the non-expert. Fortunately there is a glossary available, plus a knowledge base on the High-Tech Bridge website, which helped us to interpret the results.
  8. As well as vulnerability testing, ImmuniWeb will check for common misspellings of your domain which might, for example, be of use to hackers in phishing attacks aimed at your customers.
  9. There are one or two restrictions on the use of ImmuniWeb. You need to be either the owner of the website to be assessed or have the authority to perform an assessment; as such, you will not be allowed to assess a Facebook page like those commonly used by small businesses.
  10. Priced to appeal to small business owners, ImmuniWeb can deliver the peace of mind that comes from knowing just how vulnerable your website really is, for little more than a security expert would charge for a single day of their time. An attractive proposition for companies with a single website, the cost benefits are harder to realise for larger organisations with multiple sites.
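Point 8 above mentions that the service checks for common misspellings of your domain that could be used against your customers. The script below is an added example, not code from ImmuniWeb or High-Tech Bridge, showing the defender's side of that check: it generates the usual misspelling classes for your own domain (dropped letter, swapped letters, doubled letter, adjacent-key slip, look-alike character, inserted hyphen, missing dot after www) and matches them against a constructed list of names of the kind you would see in a certificate-transparency feed or mail-server log. The keyboard-neighbour and look-alike tables are illustrative assumptions and deliberately incomplete.

```python
"""Generate common misspellings of a domain and match them against observed
names. Added example for this review; not ImmuniWeb's own code."""

# Neighbouring keys on a QWERTY layout, used for "fat-finger" substitutions.
# Assumption: a small illustrative table, not a complete keyboard model.
QWERTY_NEIGHBOURS = {
    "q": "wa", "w": "qeas", "e": "wrsd", "r": "etdf", "t": "ryfg", "y": "tugh",
    "u": "yihj", "i": "uojk", "o": "ipkl", "p": "ol",
    "a": "qwsz", "s": "awedxz", "d": "serfcx", "f": "drtgvc", "g": "ftyhbv",
    "h": "gyujnb", "j": "huikmn", "k": "jiolm", "l": "kop",
    "z": "asx", "x": "zsdc", "c": "xdfv", "v": "cfgb", "b": "vghn",
    "n": "bhjm", "m": "njk",
}

# Sequences that look alike in many fonts (again a small illustrative subset).
HOMOGLYPHS = {"l": "1", "i": "l", "o": "0", "rn": "m", "vv": "w"}

# Constructed sample of names "seen in the wild" (e.g. from a CT-log feed).
OBSERVED_NAMES = [
    "example.com",        # the real domain itself
    "exmaple.com",        # transposed letters
    "examp1e.com",        # digit one for letter l
    "exampel.com",        # transposed letters at the end
    "shop.example.com",   # a legitimate subdomain
    "unrelated.org",
]


def split_domain(domain):
    """Split 'example.co.uk' into ('example', '.co.uk')."""
    label, _, suffix = domain.lower().partition(".")
    return label, "." + suffix


def typosquat_variants(domain):
    """Return sorted misspellings of `domain`, keeping its suffix unchanged."""
    label, suffix = split_domain(domain)
    variants = set()
    # 1. Omission: one character dropped.
    for i in range(len(label)):
        variants.add(label[:i] + label[i + 1:])
    # 2. Transposition: two adjacent characters swapped.
    for i in range(len(label) - 1):
        variants.add(label[:i] + label[i + 1] + label[i] + label[i + 2:])
    # 3. Repetition: one character typed twice.
    for i in range(len(label)):
        variants.add(label[:i + 1] + label[i] + label[i + 1:])
    # 4. Adjacent-key substitution.
    for i, ch in enumerate(label):
        for neighbour in QWERTY_NEIGHBOURS.get(ch, ""):
            variants.add(label[:i] + neighbour + label[i + 1:])
    # 5. Look-alike character replacement.
    for src, dst in HOMOGLYPHS.items():
        if src in label:
            variants.add(label.replace(src, dst))
    # 6. Inserted hyphen and the classic "wwwexample" missing dot.
    for i in range(1, len(label)):
        variants.add(label[:i] + "-" + label[i:])
    variants.add("www" + label)
    variants.discard(label)   # the genuine name is not a misspelling
    variants.discard("")
    return sorted(v + suffix for v in variants)


def find_lookalikes(domain, observed):
    """Return the observed names that are generated misspellings of `domain`."""
    variants = set(typosquat_variants(domain))
    return sorted(name.lower() for name in observed if name.lower() in variants)


if __name__ == "__main__":
    hits = find_lookalikes("example.com", OBSERVED_NAMES)
    print(f"{len(typosquat_variants('example.com'))} variants generated")
    for name in hits:
        print("possible look-alike:", name)
```

Any hit is a candidate for a takedown request, a block rule in your mail filters, or a defensive registration; running the matcher against a daily certificate-transparency export gives early warning of a phishing site before it is used. Names that differ by more than one edit are not caught by this exact-match approach, which is one reason a service that also performs manual review is worth paying for.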
SUMMARY
  • Fixed price
  • Manual & automated testing
  • Overseen by human auditors
  • Checks SSL certificates
  • Helps ensure site confidence
  • Report littered with jargon
  • Can take several days
  • No brute-force tests
  • No guarantee of issues
  • Costly for large/multiple sites