
The End of False Positives for Web and API Security Scanning?


July may positively disrupt and adrenalize the old-fashioned
Dynamic Application Security Scanning (DAST) market, despite the
coming holiday season. The pathbreaking innovation comes from
ImmuniWeb, a global application security company, well known for,
among other things, its free Community Edition[1] that processes
over 100,000 daily security scans of web and mobile apps.

Today, ImmuniWeb announced that its new product – Neuron[2]
– is publicly available. This would be another boring press release
by a software vendor, but the folks from ImmuniWeb managed to add a
secret sauce that you are unlikely to be able to resist tasting. The
DAST scanning service is flexibly available as a SaaS, and
unsurprisingly contains all fashionable features commonly
advertised by competitors on the rapidly growing global market,
spanning from native CI/CD integrations to advanced configuration
of security scanning, pre-programmed or authenticated testing.

But the groundbreaking feature is Neuron’s contractual zero
false positives SLA, incorporated into every customer contract. You
get your money back for each false positive you spot in your
vulnerability scanning report – as simple as that – and binding by
a legally enforceable contract. The SLA, however, does not cover
trivial security warnings, such as misconfigurations of cookies or
HTTP headers.

Also, unlike at a casino, you cannot get rich with the
SLA – the money-back provision is capped by your annual
subscription price, making sense for everyone from a business
perspective. The SLA is valid for web applications, cloud-native
microservices, RESTful APIs and all other HTTP/HTTPS targets that
you can scan in one click from the user-friendly Neuron
dashboard:

[Image: Web and API Security Scanning]

Another of Neuron’s game-changing features is the unlimited
technical support available for all customers at no additional
cost. If you have questions about detected vulnerabilities or your
software engineers need some help with remediation of the findings,
ImmuniWeb security analysts will be your Northern Star. Other
security vendors commonly charge for this option separately as a
costly consulting service, making their margins on it. This perk
makes Neuron’s value for money highly competitive amid the
unfolding inflation and looming recession that will likely hit the
cybersecurity industry too.

Talking about value, we particularly enjoyed Neuron’s packaging
and licensing model that brings some refreshing flexibility to the
existing DAST market. Instead of being handcuffed to your target
domains during your entire subscription, you may dynamically change
them – without paying an extra dime – as long as your web
application or API remains the same. This can be a budget-saving
option for organizations that frequently move their targets between
different environments prior to deploying their code into
production. Of note, Neuron’s integration with ImmuniWeb’s Attack
Surface Management[3] (ASM) offering makes
quite a lot of sense both for DevOps and compliance teams: you can
first illuminate your shadow IT and forgotten web assets, and then
enhance your web application security testing program with a
holistic and risk-based testing schedule.

In its exclusive statement for The Hacker News, ImmuniWeb’s
Chief Architect said that Neuron is just one of the major
announcements planned by the company for 2022. The
Swiss-headquartered vendor has an ambitious roadmap to add even
more products to its portfolio, which already covers over 20 use
cases[4] spanning from cloud and mobile security testing to Dark
Web Monitoring. Consolidating threat intelligence and Dark Web data
with your application security testing appears to be another smart
idea by ImmuniWeb: it isn’t worth scanning your website for XSS if
you have hundreds of stolen credentials exposed on the Dark Web,
allowing bad guys to log in. We frankly like the synergizing power
that the ImmuniWeb Platform delivers to its customers in a
consumable and actionable manner.

We will keep an eye on ImmuniWeb’s rising market traction.
Following ImmuniWeb for several years, we believe that these folks
can deliver what they promise. Anyway, Neuron is worth a try with a
free demo[5].

References

  1. Community Edition (www.immuniweb.com)
  2. Neuron (www.immuniweb.com)
  3. Attack Surface Management (www.immuniweb.com)
  4. 20 use cases (www.immuniweb.com)
  5. free demo (www.immuniweb.com)
