Set of must-have online security tools that we believe may make a real difference to your cybersecurity program and improve your 2021 budget planning.
In September, Gartner published a list of "Top 9 Security and Risk Trends for 2020" putting a bold emphasis on the growing complexity and size of the modern threat landscape.
Incomplete visibility of external attack surfaces led to a dramatic increase in disastrous breaches and data leaks during 2020, compromising PII and other sensitive data of millions of victims. These incidents stemmed from sophisticated intrusions by malicious nation-state actors and APT hacking groups, from human error, and from widespread misconfigurations that exposed unprotected cloud storage or databases holding confidential data to the Internet.
Gartner's security analysts recommend automating laborious security tasks and processes, amid the ongoing shortage of cybersecurity skills, and promptly addressing emerging cloud and containers security risks.
Gartner also recommends paying special attention to privacy and regulatory requirements to avoid harsh fines and other sanctions and commencing implementation of a zero-trust model within your organization regardless of its size.
While the spiraling pandemic has had a devastating impact on many organizations and enterprises around the globe, most companies hastily moved, or attempted to move, their business processes into the digital space, which was largely unaffected. Most cybersecurity budgets were, however, also battered as a collateral effect of the overall economic downturn. Shrinking budgets unsurprisingly made an already stressful digital transformation worse, as the security and privacy ingredients of that delicate process were often disregarded.
Cybersecurity spending is nonetheless projected to rebound and spike again in 2021, providing relief for jaded CISOs and their exhausted IT security teams. In the meantime, we would like to acquaint you with an awesome set of free security tools that we believe may make a palpable difference for your cybersecurity program and 2021 budget planning.
Last week, application security company ImmuniWeb announced a major update of its freely available Community Edition. It provides four free security tests that amply cover many of the security and privacy priorities mentioned by Gartner and also deliver some strong capabilities for monitoring security incidents and external cyber threats targeting your company.
We have already written about ImmuniWeb among the most innovative cybersecurity vendors just after the RSA 2020 Conference. Since then, the company seems to have made impressive progress in many directions and information security areas that we monitor. We decided to test ImmuniWeb Community Edition and recommend trying it now if you are unfamiliar with it:
Website Security and Compliance Test
For some specific use cases, this website security test may well replace a commercial web vulnerability scanner. Remarkably, the free test is non-intrusive and production safe – you won't accidentally crash your old web server or legacy web app while sending an RCE or buffer overflow exploitation payload.
ImmuniWeb says its Software Composition Analysis (SCA) module has an extensive database of diversified web software, spanning from open-source WordPress and Drupal to proprietary and commercial web products by Microsoft and Oracle. The SCA module reportedly includes over 300 CMS and web frameworks, 160,000 of their plugins and extensions, and 8,900 JavaScript libraries, while its embedded vulnerability database covers more than 12,000 CVE vulnerabilities:
On top of web application vulnerabilities and missing software updates, the free test further checks whether your website configuration conforms with the specific requirements of GDPR and PCI DSS:
In one test, you simultaneously get a comprehensive picture of how to harden your website security, improve web server resilience, and meet applicable privacy and compliance requirements.
Dark Web Exposure and Phishing Detection Test
This seems to be an invaluable free tool for threat analysts and blue teams looking to improve their visibility of ongoing security incidents, including Dark Web discussions and sales offers of stolen data implicating your organization or your key suppliers.
For legal and privacy reasons, the free test won't disclose full details of the incidents, such as stolen plaintext passwords or full copies of the compromised databases. But a sufficiently detailed and measurable overview is readily available to support and enhance your decision-making process before investing in Dark Web monitoring solutions:
As well as the comprehensive Dark Web snapshot, you get a fairly good overview of Pastebin leaks, ongoing phishing campaigns, domain squatting (cyber- and typo-squatting), and even fake accounts in social networks usurping your identity:
We would certainly recommend using this handy free tool for your Third-Party Risk Management (TPRM) program in order to score your external vendors and suppliers who have privileged access to your confidential data.
Mobile App Security and Privacy Test
This free mobile security test now allows downloading mobile apps directly from various public app stores on top of Google Play, and even includes Cydia, so users of jailbroken iOS devices may also test their mobile apps for privacy and security concerns:
The mobile test performs both dynamic (DAST) and static (SAST) mobile app scanning, shedding light on a broad spectrum of mobile vulnerabilities and weaknesses. The scan covers the OWASP Mobile Top 10 Risks and also some specific security issues mentioned in the OWASP Mobile Security Testing Guide (MSTG) project:
Special attention is given to mobile app privacy: you will see a complete list of the permissions requested by the tested application and of the external web hosts and servers to which the mobile app sends your data. Its built-in Software Composition Analysis (SCA) module illuminates the third-party and native libraries used in the mobile app.
Importantly, due to its non-intrusive nature, the free mobile scanner does not cover testing of mobile backend endpoints such as APIs or web services, which should always be included in your mobile security testing program.
SSL Security and Compliance Test
Unlike many competing services, this free SSL security test allows testing not just the omnipresent HTTPS but any implementation of TLS encryption, including email servers and SSL VPNs:
For email servers, the test also checks for properly configured SPF, DMARC, and DKIM, which are de facto the most common best practices for email security today.
On top of this, the test automatically performs a quick auto-discovery of subdomains, a timely reminder that not just the main "www" website requires attention.
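As an added illustration of the email record checks just mentioned (example code written for this article, not ImmuniWeb's), the script below evaluates SPF and DMARC TXT records for the weak settings such a test would flag; the record strings and domain names are constructed samples, so it runs offline.

```python
# Added example (not ImmuniWeb's code): flags weak SPF/DMARC settings in DNS TXT
# records. Inputs are constructed strings; in practice fetch TXT for <domain> and _dmarc.<domain>.
LOOKUP_MECHANISMS = {"include", "a", "mx", "ptr", "exists"}

def check_spf(record):
    """Return findings for one SPF record (empty list means no issue found)."""
    if not record:
        return ["SPF: no record published"]
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return ["SPF: record does not start with v=spf1"]
    findings, lookups, all_qualifier = [], 0, None
    for term in terms[1:]:
        qualifier = term[0] if term[0] in "+-~?" else "+"   # default qualifier is '+'
        mechanism = term.lstrip("+-~?").split(":", 1)[0].split("/", 1)[0].lower()
        if mechanism == "all":
            all_qualifier = qualifier
        elif mechanism in LOOKUP_MECHANISMS or mechanism.startswith("redirect="):
            lookups += 1
    if all_qualifier is None:
        findings.append("SPF: no 'all' term, so unlisted senders get a neutral result")
    elif all_qualifier == "+":
        findings.append("SPF: '+all' authorizes every sender on the Internet")
    if lookups > 10:  # RFC 7208 sec. 4.6.4: more than 10 DNS lookups is a permerror
        findings.append("SPF: more than 10 DNS-querying terms, receivers return permerror")
    return findings

def check_dmarc(record):
    """Return findings for one DMARC record."""
    if not record:
        return ["DMARC: no record published at _dmarc.<domain>"]
    tags = {}
    for part in record.split(";"):          # DMARC records are 'tag=value' pairs
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    if tags.get("v") != "DMARC1":
        return ["DMARC: record does not start with v=DMARC1"]
    findings = []
    if "p" not in tags:
        findings.append("DMARC: required p= tag is missing")
    elif tags["p"] == "none":
        findings.append("DMARC: p=none only monitors; spoofed mail is still delivered")
    if "rua" not in tags:
        findings.append("DMARC: no rua= address, so no aggregate reports are received")
    return findings

def assess_domain(spf_record, dmarc_record):
    """Combined findings for one domain; constructed sample records are used in tests."""
    return check_spf(spf_record) + check_dmarc(dmarc_record)
```

DKIM verification needs the selector names used by the sending systems, so it is not covered here.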
The test meticulously goes through all currently known SSL/TLS implementation or cryptographic vulnerabilities, including Heartbleed, ROBOT, BEAST, POODLE, and a dozen other flaws that may enable interception or decryption of your data in transit.
Another significant benefit is mapping your TLS configuration to the specific requirements of PCI DSS, NIST, and HIPAA, so you can verify whether your encryption strength properly meets regulatory requirements to avoid penalties for non-compliance:
All tests can be refreshed and, if you create a free account, downloaded as a PDF document that you can share internally or with your customers to prove that you care about their data security.
Properly hardened HTTPS and a secured website are a persuasive competitive advantage for e-commerce businesses, especially after spooky hacking stories about Black Friday mass-hacking campaigns emptying the wallets of unwitting online shoppers.
While testing ImmuniWeb Community Edition, we particularly appreciated the responsiveness of their tech support: we had spotted a couple of minor bugs in one of the tests that were fixed as soon as the next morning.
In the email sent to us, ImmuniWeb said it listens carefully to its growing audience and is keen to continuously improve the Community Edition based on the feedback and suggestions it receives. You can simply drop them a message via the web interface, becoming part of the amazing community that now runs over 100,000 daily tests.
ImmuniWeb Community Edition free tests can be accessed by API or via the web interface.
For organizations looking to run a large number of tests per day, or for cybersecurity vendors looking to leverage the ImmuniWeb Community Edition's technical capabilities for commercial purposes, there is also a premium API available for online purchase.
We think that the ImmuniWeb team is doing pretty cool and awesome things that we like. We look forward to seeing their growth and development in 2021: it's poised to be promising.