Published on October 15, 2020 | By ImmuniWeb

The data-driven and risk-based approach prevent insufficient or incomplete testing and precludes excessive or redundant testing by leveraging award-winning Machine Learning technology.

Mandatory application penetration testing is now imposed on a regular basis by the increasing number of data protection regulations, including the state laws of New York, the UK and Singapore, NIST guidelines, PCI DSS and GDPR. Conducted as a matter of regulatory compliance, or to prevent costly data breaches and targeted ransomware attacks after silent infiltration into internal networks, penetration testing is not without its drawbacks that keep CISOs awake at nights.

The most widespread pen-testing pitfall is prioritization of the testing scope and schedule. One single forgotten API, or abandoned web server, accessible from the Internet may swiftly ruin your cybersecurity strategy. Delayed testing, subsequent to the deployment of vulnerable code to production, jeopardizes the confidentiality of your customers’ data and exposes trade secrets. Inversely, excessive or redundant testing of low-risk or irrelevant targets – merely wastes your cybersecurity budget and brings no value to your team.

To tackle the issue, ImmuniWeb and the rapidly growing number of its partners around the globe, offer ImmuniWeb® Discovery. Just by entering your company name, you get a helicopter view of your external attack surface, source code leaks and exposure on the Dark Web. From now, our customers and partners will also get two distinct scores on their Discovery dashboards for each of their web or mobile applications:

  • Estimated Number of Vulnerabilities
    The projected number of exploitable security vulnerabilities that are likely present in a web or mobile application. Helps properly prioritize the penetration testing targets in a risk-based manner.
  • Estimated Targeted Attacks per Week
    The projected number of targeted attacks (i.e. aiming your organization specifically) per month against a web application. Helps properly schedule the penetration testing in a threat-aware manner.

Both scores leverage ImmuniWeb’s award-winning Machine Learning and OSINT technology to make reliable, data-driven and actionable projections. The latter are regularly monitored and improved by ImmuniWeb data scientists and security analysts for anomalies and other statistical deviances on an individual basis.

For instance, when calculating the number of attacks, among multiple other inputs, we consider all data discoverable on the Dark Web and correlate it with information about previous incidents crawlable in the Surface Web. While the number of vulnerabilities is calculated from over 750 criteria of the application that can be obtained by production-safe and non-intrusive means, including web server and underlying network or cloud configuration, web software and its components, encryption hardening, and source code of the application – if accessible on public code repositories such as GitHub.