A typical third-party test can take between three and five days and cost $2000+ per day. At up to $10,000, even those companies that can afford such an audit are unlikely to commission one more than once a year. That effectively means that, even with a pentest, there are 360 days in which vulnerabilities in the system can go undetected.
High-Tech Bridge (HTB) has developed ImmuniWeb – a service that moves into open beta today – in an attempt to close this gap with inexpensive, on-demand, cloud-based penetration testing. ImmuniWeb is not the first product to offer automated online testing, but one perceived weakness of such services is the lack of detailed reporting by a human tester.
HTB has sought to solve this issue by developing a hybrid testing regime: it combines automated remote vulnerability scanning with manual human testing. "Today, in the era of AJAX and JSON web technologies, application logic errors and DOM-Based XSS vulnerabilities," says HTB's announcement, "many web security scanners are unable to detect complex web 2.0 vulnerabilities. The presence of an auditor ensures that such vulnerabilities won’t be missed and will be included in the assessment report."
The result is a hybrid testing service that combines vulnerability scanning with human reporting at a much lower cost than traditional third-party testing. Typical service and costs, an HTB spokesperson told Infosecurity, would comprise 12 hours of automated assessment, up to 12 hours of manual penetration testing (depending on the complexity), and up to 12 hours of manual report revision and preparation (also depending on the complexity). "All for $639," said the spokesperson; "so ImmuniWeb represents a massive saving on both traditional pentesting company and freelancer costs."
The question for the security pentest industry is whether the development of such services is likely to upset their own particular applecart. Infosecurity asked freelance pentester Robin Wood for his views. "For a mostly automated, quick scan of a basic site it might be quite good but it can't compete against a competent tester doing a five day test against a large site with complex business logic. Some companies also like having the tester there either in person or on the end of a phone to talk through issues at anything from business to technical level – this service doesn't seem to offer that."
Part of his concern is based on one of ImmuniWeb's selling points: its low cost. "$639 doesn't buy you much time with a good tester, even less when you have to take off the time to edit the report and cover the general business costs behind running the system. I'd guess you get about half a day at most of human testing."
Nevertheless, the low cost will undoubtedly introduce smaller companies to the advantages – for both security and compliance – of the penetration-test style of security audit. Such companies could never consider an additional annual cost of $10,000, but might well be tempted by $639. Larger companies might similarly be tempted to supplement major manual audits with occasional ImmuniWeb automated audits.