AI for Web and Mobile App Security Testing
People who work in Software Quality Assurance (SQA) are responsible for ensuring that a piece of software is built to specification (internal requirements) and that what was built matches what the user needs (external requirements). It’s a very unrewarding job because even if you manage to achieve zero defects, you’re just seen as doing your job. However, all SQA people are aware that you will never have zero defects because there will always be bugs in software. In other words, it’s humanly impossible to do your job if you work in SQA.
Competent SQA people will point this fact out to management and help them determine when to release a product with an “acceptable” level of defects. In order to get to zero defects, we’ll need to start working smarter, not harder. Enter artificial intelligence (AI).
AI for Web and Mobile App Security Testing
Founded in 2007, Swiss startup High-Tech Bridge has developed intelligent security testing technology for web and mobile applications that uses machine learning. The company started out as a penetration testing boutique, but then realized they needed an in-house, proprietary technology in order to globally scale the business. The approach taken was to educate customers. We sat down with the CEO of High-Tech Bridge, Ilia Kolochenko, who talked about how most cyber companies try to scare or impress their clients by making everything far too complicated when the truth is that 95% of known security vulnerabilities can be detected by just about anyone with quite basic technical skills. In order to change the conversation, High-Tech Bridge developed some free products for the community that can be used to identify various security risks in a couple of clicks.
Mobile App Testing for Free
According to Statista, there were over 178 billion mobile apps downloaded around the world in 2017. Most of High-Tech Bridge’s customers talk about how mobile apps are a risk that they don’t know how to address. This is a matter of properly educating customers, because putting a piece of software on a phone is not inherently dangerous, and usually requires some secondary condition to exploit – such as apps that talk to each other while some malicious character is watching the communication channel to intercept sensitive data. The biggest risk for any app is the back-end – databases (e.g. web services or APIs) – that the mobile app connects to receive or send data. Vulnerable back-ends are the biggest pallet of risks for any mobile app developer, but many vendors ignore this and stay just with mobile app testing.
Moreover, most mobile app test vendors like to obfuscate the relative simplicity of what they do with lots of cryptic terminology. The truth is, you don’t need any advanced technical tools to test your mobile apps. High-Tech Bridge offers ImmuniWeb® Mobile App Scanner, a free product that you can use to test any one of the 2.1 million apps that’s been uploaded to the Google Apps store as of Q3 2018, or any iOS/Android app that’s been uploaded. Just search for the app you want to test and 80% of security problems will be reliably detected using this tool. In the below example, we searched for Uber:
Ilia Kolochenko said there are mainly two segments of users for this tool.
The first segment is the developers who create these apps. If you understand how software development works, you know that a software development team will typically have highly-paid security experts on the dev team who are responsible for making sure things are secure. Developers don’t want to do security testing because they’re not getting paid to do that function. “We’re developers, not security people” you’ll hear them often say. In the case of this free app, it’s a way for developers to quickly and easily test their apps when there aren’t any security experts on the team. For developers to take on this function, the tool needs to be simple and easy to use. When it’s simple, they will do it. It is, and the second segment of users proves that point.
The second segment is senior management types – VPs or C-Level types – who want to see for themselves that an app is secure. It may not even be an app that their firms have developed, but an app they’re thinking about using that someone else developed. Again, the tool makes it easy to see how secure anyone’s app is. While there are other tools out there like this one, they’re usually 30-day free trials that don’t end up being free, don’t end up lasting 30 days, and actually aren’t trials as they require some level of commitment.
Trademark Monitoring for Free
Another free product that High-Tech Bridge offers is ImmuniWeb® Trademark Monitor which brings you the ability to monitor your trademarks over the Internet domain system. There are plenty of monitoring solutions out there, but they can be expensive. Why pay when a free tool can find most your problems? One example of a company with problems is Yahoo, where sinister individuals use special characters to make it appear that the domains you are accessing are “yahoo.com” when in fact it’s just a bunch of yahoos trying to scam you:
Look up Amazon and you’ll see a whole slew of malicious accounts created on various social networks that appear to be affiliated with Amazon. They’re not. Again, another useful tool for keeping your customers in safe hands but not something that uses artificial intelligence. Let’s talk about that next.
Artificial Intelligence for Security Testing
So far, we’ve looked at free products that don’t use AI algorithms but rather iterate through pre-defined checklists and other smart algorithms. So where does the AI come into play? Ilia Kolochenko says that on one side of the spectrum you have crowd security testing (lots of humans vying for “bug bounties“) and on the other side you have the whole “AI will replace everyone” theory which is simply hype. Machine learning has a huge potential to simplify routine tasks that are handled by people – in our case, to intelligently automate Application Security Testing (AST). The machine learning technology asks humans when it has a problem, something we refer to as “human-in-the-loop“. Here’s an example.
Let’s say a weakness in your app lets someone purchase a business-class seat from Zurich to Geneva while paying an economy ticket price. That’s a problem. Or even more complicated, what if a user could pay business class rates and then select a seat in economy? Is that a problem or not? It’s these types of use cases that the AI algorithms cannot solve today without some human expertise, but they can learn how to over time. High-Tech Bridge uses open and proprietary machine learning frameworks and continues to aggregate valuable data that continuously improves further tests. Over time, the AI algorithms recognize patterns in the database and are able to recommend additional test cases humans might not have considered.
So how do we tell that the AI is hard at work? High-Tech Bridge offers a “zero false-positive SLA” which means every single reported flaw that’s brought to your attention is an actual defect that can be exploited by cybercriminals. The company uses machine learning to make 100% certain that their findings are accurate – and leverages human expertise when the complexity of testing requires. If it’s 99% certain, it goes to humans for a detailed look.
“We’re not smarter than a team of humans, but we can do it much quicker and thus at a much better price,” says Ilia Kolochenko. And in case you haven’t guessed by now, the AI testing, embodied under the ImmuniWeb® AI Platform, High-Tech Bridge offers isn’t free. That’s the company’s cash cow which helps pay for all those free products they offer to educate and help the community.
The Lifecycle of App Security Testing
If you’re a firm that is starting from ground zero when it comes to security testing, don’t worry so much about the tools. Even if you use external open-source stuff, that’s fine. Just make sure you look at everything you have. This is all about educating people that you don’t need to be a rocket scientist to do these things. Many competitors out there have great tech/product/services, but they’ll test everything and then dump a truckload of results onto your lap leaving you with little choice but to start throwing money at the problem. Don’t do that, simply follow the below life-cycle instead:
The most important thing you need to do is put together an exhaustive list of your external attack surface that could be susceptible to a security breach. If you don’t do this, you will likely forget certain web and mobile apps, let alone micro-services or domain names. Again, there’s a freemium product you can use here called ImmuniWeb Discovery. Just enter your company name and High-Tech Bridge will try to find all external “stuff” that’s affiliated with your firm. In some cases, firms are unaware of up to 80% of their external applications.
This non-intrusive and comprehensive discovery helps maintain visibility, and it provides a well-informed starting point for those at ground zero of application security testing.
The High-Tech Bridge approach is all about transparency and educating their clients. The company recently won the “SC Award Europe” award for “Best usage of Machine Learning and AI” in which they were competing with big names like IBM’s Watson for cybersecurity. Ilia Kolochenko feels that IBM is exploring too much great stuff at once, and we hear lots of inspiring promises with almost nothing coming to palpable fruition. Yet. The award High-Tech Bridge won was all about “practical application” of machine learning. Other companies see the value in High-Tech’s technology as evident by the notable partners they’ve secured like f5 Networks, Imperva, and PwC. As more people learn about their free educative products, more happy leads are generated for sustainable growth. That goes a long way towards establishing people’s trust, and that’s key when it comes to something as important as web and mobile app security.