InfoSec 2014: High-Tech Bridge Democratises Access To Ethical Hacking

The information security market is not fair towards SMBs, says CEO Ilia Kolochenko

The cyber security market is too focused on selling products and services instead of helping its customers remain safe, says Ilia Kolochenko, founder and CEO of High-Tech Bridge (HTB), a Swiss company which offers affordable ethical hacking services to SMBs.

HTB recently made the news after its researchers discovered and disclosed a slew of cross-site scripting flaws in Yahoo’s services, and got a t-shirt as a reward. This incident, popularly known as the “T-shirt-gate”, drew the ire of the security community and forced Yahoo to speed up the introduction of a new ‘bug bounty’ programme.

The ImmuniWeb service offered by HTB subjects websites to 12 hours of automated scanning and 12 hours of live penetration testing, with the results presented in a summary written by a security expert which includes recommendations tailored to individual customers.

Kolochenko, who visited London for the InfoSec 2014 conference, told TechWeekEurope the service is unique because it offers real penetration testing starting from just $639 (£380).

Greed

HTB was founded in 2010 to develop an automated vulnerability scanner which would make information security more efficient. The company also pioneered an innovative business model – Kolochenko told us he was disappointed by many of the sales techniques employed by large security vendors, and wanted to make something “reasonable and fair”.

ilia_kolochenko“When a reseller is coming, he doesn’t really care what he’s selling, quite often he doesn’t even know what he’s selling,” said the CEO, who’s also a former ethical hacker. He added that most companies in the ethical hacking business are too focused on making money, and even the basic services are out of the price range of smaller customers.

In contrast, ImmuniWeb offers a comprehensive one-time service that costs just £380. Customers can simply submit the address of  their website along with their payment details, and expect a report in a few days. The whole sign-up process takes about ten minutes. It was designed to be as straightforward as possible, so even non-technical people are able to use the service – after all, smaller businesses often have a website, but don’t always have an IT department.

“Automated tools are cheap and fast, but their vulnerability detection rate is quite low, and you need an IT guy to filter the results to make sure there are no false positives,” explained Kolochenko. Meanwhile, traditional penetration testing services usually require preparation, a lot of paperwork – non-disclosure agreements, insurance, and the like – and come with a heavy pricetag.

“So one of the solutions is very reliable but it’s long, complicated and expensive, and the other is affordable, but not very efficient. My idea was to not just create one more security scanner, but combine manual testing with automated scanning.”

Here’s how ImmuniWeb works: a proprietary scanner automatically detects vulnerabilities in databases and web applications, as well as checking if a website’s SSL certificates are in order. An ‘ethical hacker’ then investigates code highlighted by the scanner, while paying attention to the areas that it might have missed.

HTB’s security professionals also look at phishing websites that could imitate the customer’s brand, and checks hacker resources for any mention of the vulnerabilities on the target website.

The resulting report is very unlike the hefty documents generated by some of HTB’s competitors – the company guarantees that its employees will spend at least six hours writing the concise summary, with recommendations on how to fix the problems discovered during testing.

Kolochenko says that ImmuniWeb is not a replacement for a full penetration test or a complete security audit, but it gives a clear indication of the state of the IT infrastructure, and can help fix serious issues.

What do you know network security? Find out with our quiz!