Pen-Testing Web and Mobile Apps with High-Tech Bridge
- Company Background
- Who is your typical client?
- Gartner said "Applications, not infrastructure, represent the main vector attack for data exfiltration." Can you explain?
- What are the most common things you seek, when testing apps for security?
- What are the most common security issues you encounter with web and mobile apps?
- What incentives are there for app developers to secure their apps? And what regulations bind them to do so?
- How can AI be used to tighten mobile applications security?
Launched in 2007 as an independent penetration testing firm, High-Tech Bridge has become a global provider of web and mobile application security testing (AST) services. We've spoken to CEO and Founder Ilia Kolochenko to get a glimpse of his work. Here's what we found.
After five years of research in application security and machine learning, supported by a continuous practice of application security testing, High-Tech Bridge developed a unique Application Security Testing (AST) Platform called ImmuniWeb®.
This award-winning Platform provides companies, governments and multinational organizations in more than 40 countries with dynamic, static and interactive application security testing, continuous security monitoring and compliance. ImmuniWeb is a part of the PwC TVM Framework, trusted by global companies in over 158 countries.
Ilia Kolochenko, High-Tech Bridge's CEO, is a cybersecurity expert and practitioner, and also a beginning jurist pursuing a master's degree in law at Washington University in St. Louis.
Kolochenko describes the progress leading to High-Tech Bridge's breakthrough in AST technology. When it was established in 2007, the company provided independent cybersecurity consulting and auditing services and gained substantial experience in penetration testing, mainly for Swiss financial institutions, international organizations and luxury companies. The results were outstanding. However, Kolochenko admits that without building its own technology a cybersecurity company will either grow very slowly or will have to resell third-party products. Reselling is a slippery slope, because companies frequently offer not the best solution for the customer but the one that is most profitable in terms of commissions paid.
The company's firm refusal to resell, rooted in its motto of vendor-independent consulting, led to the ambitious goal of developing its own technology, in collaboration with technology partners in San Francisco and London and with some presence in Singapore. The company is CREST-accredited, which allows High-Tech Bridge to conduct security assessments for UK governmental entities.
Gradually, the company developed ImmuniWeb®, an Application Security Testing Platform that leverages machine learning for intelligent automation of application vulnerability scanning. The Platform allows anyone in any location to configure and start application security testing in a few clicks from a computer or mobile phone. In Ilia's own words, its advantages are:
- A Hybrid Security Testing approach, which correlates and synchronizes manual and automated testing in real time. Using the strongest features of each, we created a hybrid technology which reduces testing time while increasing reliability and vulnerability coverage; and it is cost-effective for customers.
- Machine learning, not to be confused with AI hype, is a tremendously big step in the evolution of AST technology. Automation, as we know it, usually yields loosened quality. Intelligent automation via machine learning does not decrease the quality, but it does reduce the human time required for advanced testing and consequently cuts the costs.
- Of course, one can never totally replace the human mind, as some tasks are very tricky. For example, when you purchase flight tickets on a website, you may select your seat number and, despite your economy class ticket, get seated in business class through some simple manipulations of HTTP requests. This clearly sounds like a flaw in the application logic. However, what if a first-class passenger can get seated in business class? Such questions can usually be answered only by a human familiar with the business processes of the customer. This is why ImmuniWeb does not aim to replace human testing, but rather to reduce and optimize human involvement wherever possible.
We position ourselves as a scientific company, investing in research, but critically, our platform is user-friendly for anyone, with or without technical knowledge.
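The seat-selection flaw Kolochenko describes, as an added example that is not High-Tech Bridge or ImmuniWeb code: a vulnerable check that trusts a client-supplied `cabin_class` field beside a hardened one that derives entitlement from the server-side booking record. The seat map, the booking records and the `ALLOWED_CABINS` policy (which answers his "may a first-class passenger sit in business?" question) are constructed assumptions standing in for the business rule a human tester would have to obtain from the customer.

```python
# Added example (not High-Tech Bridge or ImmuniWeb code): the seat-selection
# logic flaw described above, as a vulnerable check beside a hardened one.
# Seat map, bookings and the cabin policy are constructed assumptions.
import re

# Constructed seat map: the cabin is derived from the row number.
FIRST_ROWS = range(1, 3)        # rows 1-2
BUSINESS_ROWS = range(3, 7)     # rows 3-6; everything else is economy


def cabin_for_seat(seat: str) -> str:
    """Map a seat label such as '12A' to the cabin it physically sits in."""
    m = re.fullmatch(r"(\d{1,2})([A-K])", seat.strip().upper())
    if not m:
        raise ValueError(f"malformed seat label {seat!r}")
    row = int(m.group(1))
    if row in FIRST_ROWS:
        return "first"
    if row in BUSINESS_ROWS:
        return "business"
    return "economy"


# Business rule the customer's domain experts must supply (assumption for this
# example): which cabins each fare class may be seated in. A scanner cannot
# infer this; here the policy says first may sit in business, economy may not move up.
ALLOWED_CABINS = {
    "economy": {"economy"},
    "business": {"business"},
    "first": {"first", "business"},
}


def fresh_bookings() -> dict:
    """Constructed booking records as the server would hold them."""
    return {
        "ABC123": {"fare_class": "economy", "seat": None},
        "XYZ789": {"fare_class": "first", "seat": None},
    }


def seat_check_vulnerable(booking: dict, request: dict) -> bool:
    """Flawed check: trusts the cabin_class field sent by the client.

    The only verification is that the requested seat belongs to the cabin the
    client *claims*, so an economy passenger who edits cabin_class=business in
    the HTTP request and picks seat 4C passes. The booking record is never consulted.
    """
    return cabin_for_seat(request["seat"]) == request.get("cabin_class")


def seat_check_hardened(booking: dict, request: dict) -> bool:
    """Entitlement comes from the server-side booking record only; any
    cabin_class field in the request is ignored."""
    allowed = ALLOWED_CABINS[booking["fare_class"]]
    return cabin_for_seat(request["seat"]) in allowed


def select_seat(bookings: dict, booking_id: str, request: dict,
                check=seat_check_hardened) -> str:
    """Assign the seat once the chosen check passes; raise on a disallowed seat."""
    booking = bookings[booking_id]
    if not check(booking, request):
        raise PermissionError(
            f"seat {request['seat']} not permitted for booking {booking_id}")
    booking["seat"] = request["seat"]
    return booking["seat"]


if __name__ == "__main__":
    # Economy ticket, request tampered to claim business class and a business seat.
    tampered = {"seat": "4C", "cabin_class": "business"}
    print("vulnerable:", select_seat(fresh_bookings(), "ABC123", tampered,
                                     check=seat_check_vulnerable))
    try:
        select_seat(fresh_bookings(), "ABC123", tampered)
    except PermissionError as e:
        print("hardened:", e)
```

The point a tester looks for is that the hardened version has no code path on which a request field decides the entitlement; the policy table is the one place where the business answer lives, so changing the customer's rule (for example forbidding first-class passengers from business seats) is a one-line change rather than a hunt through request handling.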
Who is your typical client?
Our customers include large and multinational companies as well as SMEs, who use our platform to test and secure their e-commerce websites and mobile apps. Our technology partnerships with the largest Web Application Firewall companies provide our customers with an instant and reliable virtual vulnerability patching facility.
Gartner said "Applications, not infrastructure, represent the main vector attack for data exfiltration." Can you explain?
Most vulnerabilities reside on the application side, mainly in web and mobile apps. Very few companies decide to build their own web, VPN or email server from scratch, and very few currently exist. Most of the vulnerabilities in your email server were likely found and patched years ago, while the remaining ones may take years to detect due to extreme complexity. Meanwhile, an overwhelming majority of companies build custom web and mobile apps riddled with risky vulnerabilities, whose exploitation is often trivial and can easily be done even by beginners.
What are the most common things you seek, when testing apps for security?
There are many different vulnerabilities and their variations, so it is difficult to point out anything in particular. One can have a look at the OWASP Top 10 classification for the most frequent web application vulnerabilities. Large companies often make simple mistakes. Being resistant to classic vulnerabilities such as XSS, CSRF or various injections, they forget to verify and harden application logic. This may lead to infinite usage of discount codes, free delivery of goods or even undue reimbursements. Some vulnerabilities are difficult to exploit, but they are also hard to detect. Surprisingly, many large (and small) companies use default or weak passwords for admin accounts, jeopardizing their overall security.
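The "infinite usage of discount codes" failure above usually comes from a check-then-act gap rather than a missing check: the code is looked up, found unused, and marked used only after some latency, so concurrent requests all pass. The following is an added example, not High-Tech Bridge or ImmuniWeb code: a vulnerable coupon store beside a hardened one that makes the redemption atomic and idempotent per order, plus a harness that fires concurrent redemptions to show the difference. The coupon, the order ids and the `time.sleep` standing in for a database round trip are constructed.

```python
# Added example (not High-Tech Bridge or ImmuniWeb code): a discount-code
# redemption race, vulnerable store beside a hardened one.
# Coupon data, order ids and the simulated latency are constructed.
import threading
import time

COUPONS = {"SAVE20": {"percent": 20, "max_uses": 1}}   # constructed single-use code


class CouponStoreVulnerable:
    """Reads the usage count, applies the discount, then writes the count back.

    Requests that arrive between the read and the write all see an unused code,
    so the single-use limit is never enforced under concurrency."""

    def __init__(self, coupons: dict):
        self.coupons = {c: dict(v, uses=0) for c, v in coupons.items()}

    def redeem(self, code: str, order_id: str, total: float):
        entry = self.coupons.get(code)
        if entry is None or entry["uses"] >= entry["max_uses"]:
            return None                      # unknown or exhausted code
        time.sleep(0.05)                     # stands in for the DB round trip between check and update
        entry["uses"] += 1
        return round(total * (1 - entry["percent"] / 100), 2)


class CouponStoreHardened:
    """Check and update happen under one lock (a row lock or a conditional
    UPDATE ... WHERE uses < max_uses in a real database), and each order may
    redeem a given code once, so a retried request does not re-apply it."""

    def __init__(self, coupons: dict):
        self.coupons = {c: dict(v, uses=0, orders=set()) for c, v in coupons.items()}
        self._lock = threading.Lock()

    def redeem(self, code: str, order_id: str, total: float):
        with self._lock:
            entry = self.coupons.get(code)
            if entry is None:
                return None
            discounted = round(total * (1 - entry["percent"] / 100), 2)
            if order_id in entry["orders"]:
                return discounted            # idempotent replay of the same order
            if entry["uses"] >= entry["max_uses"]:
                return None                  # exhausted: no further orders benefit
            time.sleep(0.05)                 # same simulated latency, now inside the critical section
            entry["uses"] += 1
            entry["orders"].add(order_id)
            return discounted


def concurrent_redemptions(store, code: str, n: int, total: float = 100.0) -> int:
    """Fire n concurrent redemptions for distinct orders; return how many succeeded."""
    results = []

    def attempt(i: int) -> None:
        results.append(store.redeem(code, f"order-{i}", total))

    threads = [threading.Thread(target=attempt, args=(i,)) for i in range(n)]
    for t in threads:
        t.start()
    for t in threads:
        t.join()
    return sum(r is not None for r in results)


if __name__ == "__main__":
    print("vulnerable store, 5 concurrent uses of a single-use code:",
          concurrent_redemptions(CouponStoreVulnerable(COUPONS), "SAVE20", 5))
    print("hardened store, same load:",
          concurrent_redemptions(CouponStoreHardened(COUPONS), "SAVE20", 5))
```

The same shape (read state, decide, write state later) is what turns a refund endpoint into "undue reimbursements" when the refund is issued before the order is marked refunded; the fix is the same: one atomic conditional update keyed by the order, not a separate check.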
What are the most common security issues you encounter with web and mobile apps?
OWASP Top 10 flaws will definitely be the most numerous ones; however, the most interesting ones lie in application logic or in chained exploitation of several vulnerabilities. We should also keep in mind that the OWASP Top 10 can be tricky: a simple XSS can be detected even with an open source scanner. However, a DOM-based XSS in a Single Page Application that requires valid human input (e.g. an existing customer ID and bank account number) can be very complicated to detect. This is where our hybrid approach and machine learning technology enter the game.
What incentives are there for app developers to secure their apps? And what regulations bind them to do so?
It's not only about applications, but about overall cybersecurity management. Today, there are four basic, critical security principles all companies should abide by:
- You need to have a complete and up-to-date inventory of your digital assets (including software, hardware, data, user accounts and licenses). If you don’t have it, no cybersecurity solutions will ever help, because attackers will find a forgotten device or application, breach it and start spreading the attack.
- You need to conduct a comprehensive risk assessment to identify and evaluate the risks you may and will likely face. Cybersecurity strategy should be risk-based and adapted to your particular risks, threats and internal processes.
- Cybersecurity strategy should be clearly defined and based on well-thought-out processes and procedures. People should clearly know their duties and responsibilities and have sufficient power to take decisions and resources to implement them.
- Once done, implement continuous security monitoring for new risks, threats and vulnerabilities, as well as the effectiveness of enacted security controls. It's a very large topic; however, make sure that you promptly detect and react to any anomalies or unusual behavior, missing patches and outdated software, and new devices and applications.
How can AI be used to tighten mobile applications security?
I think it would be more appropriate to speak about machine learning and intelligent automation rather than AI. Strong AI, capable of replacing a human, does not exist and is unlikely to appear within the next ten years.
Leveraging machine learning technologies can significantly reduce human time, cut the costs and deliver better value to customers.