The End of False Positives for Web and API Security Scanning?
Wednesday, July 6, 2022
July may positively disrupt and adrenalize the old-fashioned Dynamic Application Security Scanning (DAST) market, despite the coming holiday season. The pathbreaking innovation comes from ImmuniWeb, a global application security company, well known for, among other things, its free Community Edition that processes over 100,000 daily security scans of web and mobile apps.
Today, ImmuniWeb announced that its new product – Neuron – is publicly available. This would be another boring press release by a software vendor, but the folks from ImmuniWeb managed to add a secret sauce that you will unlikely be able to resist tasting. The DAST scanning service is flexibly available as a SaaS, and unsurprisingly contains all fashionable features commonly advertised by competitors on the rapidly growing global market, spanning from native CI/CD integrations to advanced configuration of security scanning, pre-programmed or authenticated testing.
But the groundbreaking feature is Neuron's contractual zero false positives SLA, incorporated into every customer contract. You get your money back for each false positive you spot in your vulnerability scanning report – as simple as that – and binding by a legally enforceable contract. The SLA, however, does not cover trivial security warnings, such as misconfigurations of cookies or HTTP headers.
Likewise, contrasted to a casino, you cannot get rich with the SLA – the money-back provision is capped by your annual subscription price, making sense for everyone from a business perspective. The SLA is valid for web applications, cloud-native microservices, RESTful APIs and all other HTTP/HTTPS targets that you can scan in one click from the user-friendly Neuron dashboard.
Another of Neuron's game-changing features is the unlimited technical support available for all customers at no additional cost. If you have questions about detected vulnerabilities or your software engineers need some help with remediation of the findings, ImmuniWeb security analysts will be your Northern Star. Other security vendors commonly charge for this option separately as a costly consulting service, making their margins on it. This perk makes Neuron's value for money highly competitive amid the unfolding inflation and looming recession that will likely hit the cybersecurity industry too.
Talking about value, we particularly enjoyed Neuron's packaging and licensing model that brings some refreshing flexibility to the existing DAST market. Instead of being handcuffed to your target domains during your entire subscription, you may dynamically change them – without paying an extra dime – as long as your web application or API remains the same. This can be a budget-saving option for organizations that frequently move their targets between different environments prior to deploying their code into production. Of note, Neuron's integration with ImmuniWeb's Attack Surface Management (ASM) offering makes quite a lot of sense both for DevOps and compliance teams: you can first illuminate your shadow IT and forgotten web assets, and then enhance your web application security testing program with a holistic and risk-based testing schedule.
In its exclusive statement for The Hacker News, ImmuniWeb's Chief Architect said that Neuron is just one of the major announcements planned by the company for 2022. The Swiss-headquartered vendor has an ambitious roadmap to add even more products to its portfolio, which already covers over 20 uses cases spanning from cloud and mobile security testing to Dark Web Monitoring. Consolidating threat intelligence and Dark Web data with your application security testing – appears to be another smart idea by ImmuniWeb: it isn't worth to scan your website for XSS if you have hundreds of stolen credentials exposed on the Dark Web, allowing bad guys to login. We frankly like the synergizing power that ImmuniWeb Platform delivers to its customers in consumable and actionable manner.
We will keep an eye on ImmuniWeb's rising market traction. Following ImmuniWeb for several years, we believe that these folks can deliver what they promise. Anyway, Neuron is worth a try with a free demo. Read Full Article
ComputerWeekly: Cyber insurance: What does a CISO need to know?
App Developer Magazine: ImmuniWeb Neuron web security scanning