- 15 October 2020 22:55
ImmuniWeb Discovery to Intelligently Automate Penetration Testing Scoping and Scheduling
Mandatory application penetration testing is now imposed on a regular basis by a growing number of data protection regulations, including the state laws of New York, the UK and Singapore, NIST guidelines, PCI DSS and GDPR. Whether conducted as a matter of regulatory compliance or to prevent costly data breaches and targeted ransomware attacks following silent infiltration of internal networks, penetration testing is not without drawbacks that keep CISOs awake at night.
The most widespread pentesting pitfall is prioritization of the testing scope and schedule. A single forgotten API or abandoned web server accessible from the Internet may swiftly ruin your cybersecurity strategy. Delayed testing, conducted only after vulnerable code has been deployed to production, jeopardizes the confidentiality of your customers’ data and exposes trade secrets. Conversely, excessive or redundant testing of low-risk or irrelevant targets merely wastes your cybersecurity budget and brings no value to your team.
To tackle the issue, ImmuniWeb and its rapidly growing number of partners around the globe offer ImmuniWeb® Discovery. Just by entering your company name, you get a helicopter view of your external attack surface, source code leaks and exposure on the Dark Web. From now on, our customers and partners will also get two distinct scores on their Discovery dashboards for each of their web or mobile applications:
Estimated Number of Vulnerabilities
The projected number of security vulnerabilities likely present in a web or mobile application. It helps to properly prioritize the targets and the scope of penetration testing in a risk-based manner.
Estimated Targeted Attacks per Week
The projected number of targeted attacks (i.e. attacks aimed at your organization specifically) per week against a web application. It helps to properly organize the schedule and sequence of the penetration testing program in a threat-aware manner.
Both scores leverage ImmuniWeb’s award-winning Machine Learning and OSINT technology to make reliable, data-driven and actionable projections. These projections are regularly monitored and improved by ImmuniWeb data scientists and security analysts, who check them individually for anomalies and other statistical deviations.
For instance, when calculating the number of attacks, among multiple other inputs, we consider all data discoverable on the Dark Web and correlate it with information about previous incidents crawlable on the Surface Web. The number of vulnerabilities, in turn, is calculated from over 750 criteria of the application that can be obtained by production-safe and non-intrusive means, including the web server and underlying network or cloud configuration, the web software and its components, encryption hardening, and the source code of the application, if accessible on public code repositories such as GitHub.
Immediate Benefits for Customers
- Prioritize application penetration testing for the most vulnerable and attackable assets;
- Prevent data breaches and intrusions stemming from an incomplete scope of testing;
- Save budget by excluding irrelevant or low-risk targets from the scope.
Immediate Benefits for Partners
- Boost your sales of application penetration testing with actionable planning and scoping;
- Upsell your consulting and integration services after holistic and timely penetration testing;
- Outperform traditional vendors that deliver excessive or insufficient penetration testing.