High-Tech Bridge

ImmuniWeb
Type: Private
Industry: Application Security
Founded: 2007
Founder: Ilia Kolochenko
Headquarters: Geneva, Switzerland
Area served: Europe, North America, APAC
Key people: Ilia Kolochenko (CEO) [1]; William Weber (CFO); Stéphane Koch (Vice President); Marsel Nizamutdinov (CTO)
Products: ImmuniWeb AI Platform
Services: Application Security Testing, Attack Surface Management, Dark Web Monitoring
Number of employees: 50+
Website: www.immuniweb.com

ImmuniWeb is a consolidated global brand of High-Tech Bridge SA, a web security company based in Geneva, Switzerland that develops Machine Learning and Artificial Intelligence technologies for Application Security Testing and Attack Surface Management. Started in December 2007 as a vendor-neutral penetration testing boutique, High-Tech Bridge was named an Industry Leader and Best Service Provider among ethical hacking and penetration testing companies by Frost & Sullivan's market research in 2012. [2] Today all the services are provided under the consolidated ImmuniWeb brand.


History

High-Tech Bridge was founded by Ilia Kolochenko, a Swiss application security expert, SC Media "Thought Leader", [3] Forbes Technology Council member [4] and contributing editor to SC Magazine UK, Dark Reading and IDG's CSO Online. [5]

In November 2013, the International Telecommunication Union (ITU) and High-Tech Bridge agreed to use ImmuniWeb as part of ITU's toolset for ensuring that the websites of ITU Member States are secure. [6]


In July 2015 High-Tech Bridge and PricewaterhouseCoopers Switzerland announced a strategic partnership [7] based around ImmuniWeb's web penetration testing, continuous monitoring and vulnerability assessment capabilities. The partnership was afterward expanded to other PwC global offices, including PwC Singapore. [8]


Security Research

Security Advisories

High-Tech Bridge's Security Research Team has released over 500 security advisories [9] affecting various software, with issues identified in products from many well-known vendors such as Sony, [10] McAfee [11] and Novell, [12] in addition to many web vulnerabilities affecting popular open source and commercial web applications such as osCommerce, [13] Zen Cart, [14] Microsoft SharePoint, SugarCRM and others.

High-Tech Bridge's Security Research Lab was registered as CVE and CWE compatible by MITRE. [15] High-Tech Bridge is one of only 24 organizations, globally, and the first in Switzerland, that have been able to achieve CWE certification.


The company is listed among 81 organizations, as of August 2013, that include CVE identifiers in their security advisories. [16]

High-Tech Bridge launched an SSL/TLS configuration testing tool in October 2015. [17] The tool validates the TLS or SSL configuration of email, web or any other server against NIST guidelines and checks PCI DSS compliance; it was cited in articles covering the TalkTalk data breach. [18] [19]

Web Vulnerability and Privacy Research

The discovery of vulnerabilities in Yahoo! sites by High-Tech Bridge was widely reported, [20] [21] leading to the t-shirt gate affair and changes in Yahoo's bug bounty program. High-Tech Bridge identified and reported four XSS vulnerabilities on Yahoo! domains, for which the company was awarded two gift vouchers to the value of $25. [22] [23] [24] [25] The sparse reward offered to security researchers for identifying vulnerabilities on Yahoo! was criticized, sparking what came to be called t-shirt-gate, [26] a campaign against Yahoo! sending out T-shirts as thanks for discovering vulnerabilities. High-Tech Bridge's discovery of these vulnerabilities and the subsequent criticism of Yahoo!'s reward program led to Yahoo! rolling out a new vulnerability reporting policy which offers between $150 and $15,000 for reported issues, based on pre-established criteria. [21] [27]

In December 2013, High-Tech Bridge research [28] on privacy in popular social networks and email services was cited [29] [30] in a class action lawsuit accusing Facebook of violating its members' privacy by scanning private messages sent on the social network.

In October 2014, High-Tech Bridge discovered remote code execution vulnerabilities in PHP. [31]

In December 2014, High-Tech Bridge identified the RansomWeb attack, [32] an evolution of ransomware attacks in which attackers take over web servers, encrypt the data on them and demand payment to unlock the files.

In April 2014, the discovery [33] of a sophisticated drive-by download attack revealed how such attacks are used to target specific website visitors after they authenticate on a compromised web resource.

In December 2015, High-Tech Bridge tested the most popular free email service providers for SSL/TLS email encryption. [34] Hushmail, previously considered one of the most secure email providers, received a failing "F" grade. Shortly afterwards, Hushmail updated its SSL configuration and received a score of "B+". [35]

Awards and Recognition

In March 2015, ImmuniWeb was recognized in Frost & Sullivan's 2015 Market Insight as being 'the most complete hybrid offering available'. [36]

In April 2016, High-Tech Bridge was selected as a Red Herring Europe 2016 Winner. [37]

SC Media Reboot 2016 named ImmuniWeb an Industry Innovator in the Analysis and Testing category. [38]

In April 2017, Frost & Sullivan's research on machine learning in Application Security Testing (AST) recognized High-Tech Bridge as the most innovative player in the AST marketplace, outperforming HPE and IBM Security. [39]

In May 2017, Gartner named High-Tech Bridge a Gartner Cool Vendor in "Cool Vendors in Security for Midsize Enterprises, 2017" by Adam Hils. [40]

In June 2017, High-Tech Bridge was selected as the SC Awards Europe 2017 winner in "Best Emerging Technology" category. [41]

In June 2018, ImmuniWeb was named the winner in the "Best Usage of Machine Learning / AI" category at SC Awards Europe 2018, outperforming six other finalists including IBM Watson for Cyber Security. [42]

In December 2018, IDC included High-Tech Bridge in "IDC Innovators: Mobile App Security Testing, 2018" for ImmuniWeb. [43]

Organizational Memberships

ImmuniWeb is a member of a number of security-related organizations, including:

References

  1. "Articles by Ilia Kolochenko". CSO Online. Retrieved 22 July 2015.
  2. "The Importance of Ethical Hacking: Emerging Threats Emphasise the Need for Holistic Assessments". Frost & Sullivan. Retrieved 19 April 2012.
  3. "Thought Leaders – Ilia Kolochenko". 23 August 2017.
  4. "Forbes Technology Council Member Spotlight: Ilia Kolochenko". 11 July 2016.
  5. "Ilia Kolochenko". 11 July 2015.
  6. "ITU Telecom World 2013 sets agenda for far-reaching changes in ICT sector". Itu.int.
  7. "PwC and High-Tech Bridge launch innovative web security solution" (PDF). PricewaterhouseCoopers. Retrieved 15 July 2015.
  8. "High-Tech Bridge and PwC Singapore announce a strategic partnership in cybersecurity". PricewaterhouseCoopers. Retrieved 16 January 2016.
  9. "Packet Storm - Files from High-Tech Bridge SA". PacketStorm.org. Retrieved 20 February 2016.
  10. "Security Update Program for VAIO® Personal Computers". esupport.sony.com. Sony. Retrieved 20 January 2015.
  11. "McAfee Security Bulletin - McAfee MVT & ePO-MVT update fixes an "Escalation of Privileges" vulnerability". kc.mcafee.com. McAfee. Retrieved 20 January 2015.
  12. "Security Vulnerability: GroupWise Client for Windows Remote Untrusted Pointer Dereference Vulnerability". www.novell.com. Novell. Retrieved 20 January 2015.
  13. "Researchers at Swiss-based security firm High-Tech Bridge have identified serious vulnerabilities in several popular web applications". SecurityWeek. Retrieved 20 February 2016.
  14. "Critical Zen Cart vulnerability could spell Black Friday disaster for online shoppers". BetaNews. Retrieved 20 February 2016.
  15. "Product from High-Tech Bridge Now Registered as Officially "CWE-Compatible"". MITRE. Retrieved 7 August 2014.
  16. "Organizations with CVE Identifiers in Advisories". 26 June 2013. Retrieved 1 September 2013.
  17. "Free PCI and NIST compliant SSL test". Help Net Security. Retrieved 23 October 2015.
  18. "TalkTalk boss receives ransom demand as massive customer data breach deepens". The Inquirer. Retrieved 23 October 2015.
  19. "TalkTalk CEO admits security fail, says hacker emailed ransom demand". The Register. Retrieved 23 October 2015.
  20. "Yahoo to pay up to $15,000 for bug finds after 't-shirt gate' scandal". 3 October 2013.
  21. Kirk, Jeremy (3 October 2013). "Yahoo security bounty program ditches T-shirts for cash". Retrieved 19 October 2013.
  22. Rubenking, Neil J. (1 October 2013). "Yahoo Offers Sad Bug Bounty: $12.50 in Company Swag". PC Magazine. Retrieved 19 October 2013.
  23. Bilton, Ricardo (1 October 2013). "'I reported a major Yahoo security vulnerability and all I got was this lousy T-shirt'". Retrieved 19 October 2013.
  24. Frank, Blair Hanley (1 October 2013). "Researchers find critical vulnerabilities in Yahoo's site, offered $12.50 per bug". Retrieved 19 October 2013.
  25. Hackney, Steve (7 October 2013). "Yahoo! Inc. (NASDAQ:YHOO) Removes Bugs Identified By High Tech Bridge". Retrieved 19 October 2013.
  26. Osborne, Charlie (3 October 2013). "Yahoo changes bug bounty policy following 't-shirt gate'". Retrieved 19 October 2013.
  27. Martinez, Ramses (2 October 2013). "So I'm the guy who sent the t-shirt out as a thank you". Retrieved 19 October 2013.
  28. "Social networks: can robots violate user privacy?". Archived from the original on 2014-01-03.
  29. "Facebook sued for allegedly intercepting private messages".
  30. "Is Facebook spying on you?". CNBC.
  31. Brook, Chris. "PHP patches buffer overflow vulnerabilities". threatpost. Retrieved 27 October 2014.
  32. Fox-Brewster, Thomas. "RansomWeb: Crooks Start Encrypting Websites And Demanding Thousands Of Dollars From Businesses". Forbes.com. Retrieved 1 February 2015.
  33. Gallagher, Sean (13 April 2015). "Universal backdoor for e-commerce platform lets hackers shop for victims". arstechnica. Retrieved 14 April 2015.
  34. "Testing Your SSL Encryption Can Provide Important Security Insights". IBM Security Intelligence. 15 December 2015. Retrieved 15 December 2015.
  35. "High-Tech Bridge Grades Email Services on Security, Gives Fastmail Top Score". Talkin Cloud. 3 December 2015. Retrieved 3 December 2015.
  36. Hoff ter Heide, Martin. "The Rise of Hybrid Web Application Security Testing". www.frost.com. Retrieved 31 March 2015. (subscription required)
  37. "2016 Top 100 Europe Winners". Red Herring. Retrieved 14 April 2016.
  38. "Reboot 2016". SC Magazine. Retrieved 14 December 2016.
  39. "How Machine Learning will Strengthen the Web Application Security Testing Market". Frost & Sullivan. Retrieved 19 April 2017.
  40. "Gartner Cool Vendors in Security for Midsize Enterprises". Gartner Inc. Retrieved 24 June 2017.
  41. "SC Awards Europe 2017". SC Media. Retrieved 24 June 2017.
  42. "SC Awards Europe 2018". SC Media. Retrieved 6 June 2018.
  43. "IDC Innovators: Mobile App Security Testing, 2018". IDC. Retrieved 6 November 2019.
  44. "CVSS Adopters". FIRST. Retrieved 9 April 2014.
  45. "Global Partnerships". International Telecommunications Union. Retrieved 10 April 2014.