High-Tech Bridge

Type: Private
Industry: Web Security
Founded: 2007
Founder: Ilia Kolochenko
Headquarters: Geneva, Switzerland
Area served: Europe, North America, Asia
Key people: Ilia Kolochenko (CEO)[1]; Marsel Nizamutdinov (Chief Research Officer)[2]; Frederic Bourla (Chief Security Specialist)[3]; Stéphane Koch (Vice President)[3]
Products: ImmuniWeb On-Demand; ImmuniWeb Continuous
Services: Web Application Security, Continuous monitoring, Penetration Testing, Application security
Number of employees: 30+
Website: www.htbridge.com

High-Tech Bridge SA is a web security company based in Geneva, Switzerland, with a branch office in San Francisco (CA). Founded in December 2007 as a network security and penetration testing company, High-Tech Bridge was named by Frost & Sullivan's research as an industry leader and best service provider among ethical hacking and penetration testing companies in Europe.[4]

At InfoSecurity Europe 2014, High-Tech Bridge officially launched its online ImmuniWeb web security platform,[5] based on the concept of hybrid web security assessment, which combines manual penetration testing and managed vulnerability scanning in real time.[6] Prior to the official launch, the ImmuniWeb Demo platform was tested by Graham Cluley[7] and other security experts.[8]

High-Tech Bridge's Security Research Team has released over 500 security advisories[9] affecting a wide range of software, with issues identified in products from many well-known vendors, such as Sony,[10] McAfee[11] and Novell,[12] in addition to many web vulnerabilities affecting popular open source and commercial web applications, such as osCommerce,[13] Zen Cart,[14] Microsoft SharePoint, SugarCRM and others.

The company is listed among the 81 organizations, as of August 2013, that include CVE identifiers in their security advisories.[15]

History

High-Tech Bridge was founded by Ilia Kolochenko, a Swiss web application security expert and contributing editor to SC Magazine UK, Dark Reading and CSO Online. Ilia also lectures on cyber crime at the University of Applied Sciences and Arts in Western Switzerland.[16]

In August 2012, High-Tech Bridge's Security Research Lab was registered as CVE and CWE compatible by MITRE.[17] This registration was followed in June 2013 by ImmuniWeb achieving CVE and CWE compatible status,[18][19] making High-Tech Bridge one of only 24 organizations globally, and the first in Switzerland, to achieve CWE certification.

In November 2013, the International Telecommunication Union (ITU) and High-Tech Bridge agreed to use ImmuniWeb as part of ITU's toolset for ensuring that the websites of ITU Member States are secure.[20]

In July 2015, High-Tech Bridge and PricewaterhouseCoopers announced a strategic partnership[21] based around ImmuniWeb's web penetration testing, continuous monitoring and vulnerability assessment capabilities.

Services

Network Security Services

High-Tech Bridge also offers vendor-independent penetration testing,[22] information security auditing, computer security consulting, source code review, and incident response.

ImmuniWeb® Web Security Platform

High-Tech Bridge introduced the concept of real-time hybrid web application security testing with the announcement of the ImmuniWeb web security platform[23] in August 2013.[24]

ImmuniWeb's hybrid approach combines managed vulnerability assessment, run in parallel with a manual web application penetration test. By including a manual element in the security assessment process, the hybrid approach seeks to eliminate false positives, increase testing accuracy, and detect complicated web vulnerabilities that automated vulnerability scanners miss.[25]

Each ImmuniWeb assessment uses real penetration testers in conjunction with managed vulnerability scanning.[26]

Free SSL/TLS Server Configuration Checker

High-Tech Bridge launched an SSL/TLS configuration testing tool in October 2015.[27] The tool validates the TLS or SSL configuration of email, web or any other server against NIST guidelines and checks PCI DSS compliance; it was cited in articles covering the TalkTalk data breach.[28][29]

Security Research

In September 2013, High-Tech Bridge reported an XSS vulnerability on www.nasdaq.com, which remained unpatched for two weeks despite several notifications and alerts sent to Nasdaq administrators.[30]

The discovery of vulnerabilities in Yahoo! sites by High-Tech Bridge was widely reported,[31][32] leading to the "t-shirt gate" affair and changes in Yahoo!'s bug bounty program. High-Tech Bridge identified and reported four XSS vulnerabilities on Yahoo! domains, for which the company was awarded two gift vouchers to the value of $25.[33][34][35][36] The sparse reward offered to security researchers for identifying vulnerabilities on Yahoo! was criticized, sparking what came to be called "t-shirt gate",[37] a campaign against Yahoo! sending out T-shirts as thanks for discovering vulnerabilities. High-Tech Bridge's discovery of these vulnerabilities and the subsequent criticism of Yahoo!'s reward program led to Yahoo! rolling out a new vulnerability reporting policy, which offers between $150 and $15,000 for reported issues based on pre-established criteria.[32][38]

In December 2013, High-Tech Bridge research[39] on privacy in popular social networks and email services was cited[40][41] in a class action lawsuit accusing a social network of violating its members' privacy by scanning private messages sent on the network.

In October 2014, High-Tech Bridge discovered remote code execution vulnerabilities in PHP.[42]

In December 2014, High-Tech Bridge identified the RansomWeb attack,[43] an evolution of ransomware attacks in which hackers take over web servers, encrypt the data on them and demand payment to unlock the files.

In April 2014, the discovery[44] of a sophisticated drive-by download attack revealed how drive-by download attacks are used to target specific website visitors after they authenticate on a compromised web resource.

In December 2015, High-Tech Bridge tested the most popular free email service providers for SSL/TLS email encryption.[45] Hushmail, previously considered one of the most secure email providers, received a failing "F" grade. Shortly afterwards, Hushmail updated its SSL configuration and received a score of "B+".[46]

Awards and Recognition

High-Tech Bridge made the Online Trust Alliance (OTA) Members Honor Roll four years in a row, 2012-2015.[47] The OTA Honor Roll, first awarded in 2010, analyses sites based on their domain, brand and consumer protection; site, server and infrastructure security; and data protection and privacy, and acknowledges those organizations with the best security and privacy policies.[48] ImmuniWeb was employed in determining the nominees for OTA's 2014 list.[49]

In February 2015, High-Tech Bridge's ImmuniWeb was a finalist in the Info Security Products Guide Global Excellence Awards alongside Nessus, Tripwire's IP360 and BeyondTrust's Retina CS Enterprise Vulnerability Management. ImmuniWeb was nominated for Best Security Service (New or Updated version).[50]

In March 2015, ImmuniWeb was recognized in Frost & Sullivan's 2015 Market Insight as being 'the most complete hybrid offering available'.[51]

In May 2015, ImmuniWeb received a 9/10 score in ITProPortal's[52] product test and review.

In November 2015, High-Tech Bridge was recognized in the CyberSecurity 500 at position 37[53] for ImmuniWeb.

In November 2015, ImmuniWeb was also listed alongside Qualys VM, Trustwave Vulnerability Management and BeyondSaaS as being among the top cloud-based vulnerability management products available.[54]

In December 2015, High-Tech Bridge was included in visiongain's "Top 100 Cybersecurity Companies to Watch in 2016"[55] report.

Organizational Memberships

High-Tech Bridge is a member of a number of security-related organizations, including:

References

  1. "Articles by Ilia Kolochenko". CSO Online. Retrieved 22 July 2015.
  2. "Company Overview of High-Tech Bridge SA". Bloomberg Businessweek. Retrieved 1 September 2013.
  3. "High-Tech Bridge CrunchBase profile". CrunchBase.
  4. "The Importance of Ethical Hacking: Emerging Threats Emphasise the Need for Holistic Assessments". Frost & Sullivan. Retrieved 31 August 2013.
  5. "InfoSec 2014: High-Tech Bridge Democratises Access To Ethical Hacking". TechWeek Europe. Retrieved 1 May 2014.
  6. "Cloud-Based Vulnerability Management Solutions". Tom's IT Pro. Retrieved 21 January 2015.
  7. "How ethical hackers found a (small) vulnerability on my website". Graham Cluley. Retrieved 19 November 2013.
  8. "ImmuniWeb Review". PC Mag. Retrieved 25 February 2014.
  9. "Packet Storm - Files from High-Tech Bridge SA". PacketStorm.org. Retrieved 20 February 2016.
  10. "Security Update Program for VAIO® Personal Computers". esupport.sony.com. Sony. Retrieved 20 January 2015.
  11. "McAfee Security Bulletin - McAfee MVT & ePO-MVT update fixes an "Escalation of Privileges" vulnerability". kc.mcafee.com. McAfee. Retrieved 20 January 2015.
  12. "Security Vulnerability: GroupWise Client for Windows Remote Untrusted Pointer Dereference Vulnerability". www.novell.com. Novell. Retrieved 20 January 2015.
  13. "Researchers at Swiss-based security firm High-Tech Bridge have identified serious vulnerabilities in several popular web applications". SecurityWeek. Retrieved 20 February 2016.
  14. "Critical Zen Cart vulnerability could spell Black Friday disaster for online shoppers". BetaNews. Retrieved 20 February 2016.
  15. "Organizations with CVE Identifiers in Advisories". 26 June 2013. Retrieved 1 September 2013.
  16. "Industry Support of OTA Online Trust Honor Roll". 8 June 2012. Retrieved 31 August 2013.
  17. "Product from High-Tech Bridge Now Registered as Officially "CWE-Compatible"". MITRE. Retrieved 7 August 2014.
  18. "1 Product from High Tech Bridge Now Registered as Officially "CWE-Compatible"". 26 June 2013. Retrieved 30 August 2013.
  19. "Web application scanner and vulnerability assessment service launched in beta". SC Magazine. 1 August 2013. Retrieved 31 August 2013.
  20. "ITU Telecom World 2013 sets agenda for far-reaching changes in ICT sector". Itu.int.
  21. "PwC and High-Tech Bridge launch innovative web security solution". PricewaterhouseCoopers. Retrieved 15 July 2015.
  22. Palmer, Maija (25 September 2014). "IT Bigs and glitches are the new frontier for bounty-hunters". The Financial Times. ft.com. Retrieved 27 October 2014.
  23. Dawson, Freddie. "Hacking: Why Any Business Can Be At Risk And How To Prevent It". Forbes.com. Forbes. Retrieved 2 March 2015.
  24. Michael, Alexander. "You may think you have never been hacked... you just have not realized it yet". www.frost.com. Frost & Sullivan. Retrieved 4 August 2014.
  25. Kihn, Martin. "Your Vendor Has "90% Accuracy"? Think Again". Gartner. Retrieved 16 February 2016.
  26. Cluley, Graham. "How ethical hackers found a (small) vulnerability on my website". Graham Cluley's Security Blog. Retrieved 3 March 2014.
  27. "Free PCI and NIST compliant SSL test". Help Net Security. Retrieved 23 October 2015.
  28. "TalkTalk boss receives ransom demand as massive customer data breach deepens". The Inquirer. Retrieved 23 October 2015.
  29. "TalkTalk CEO admits security fail, says hacker emailed ransom demand". The Register. Retrieved 23 October 2015.
  30. "Security company says Nasdaq waited two weeks to fix XSS flaw". PC World. 16 September 2013.
  31. "Yahoo to pay up to $15,000 for bug finds after 't-shirt gate' scandal". 3 October 2013.
  32. Kirk, Jeremy (3 October 2013). "Yahoo security bounty program ditches T-shirts for cash". Retrieved 19 October 2013.
  33. Rubenking, Neil J. (1 October 2013). "Yahoo Offers Sad Bug Bounty: $12.50 in Company Swag". PC Magazine. Retrieved 19 October 2013.
  34. Bilton, Ricardo (1 October 2013). "'I reported a major Yahoo security vulnerability and all I got was this lousy T-shirt'". Retrieved 19 October 2013.
  35. Frank, Blair Hanley (1 October 2013). "Researchers find critical vulnerabilities in Yahoo's site, offered $12.50 per bug". Retrieved 19 October 2013.
  36. Hackney, Steve (7 October 2013). "Yahoo! Inc. (NASDAQ:YHOO) Removes Bugs Identified By High Tech Bridge". Retrieved 19 October 2013.
  37. Osborne, Charlie (3 October 2013). "Yahoo changes bug bounty policy following 't-shirt gate'". Retrieved 19 October 2013.
  38. Martinez, Ramses (2 October 2013). "So I'm the guy who sent the t-shirt out as a thank you". Retrieved 19 October 2013.
  39. "Social networks: can robots violate user privacy?".
  40. "Facebook sued for allegedly intercepting private messages".
  41. "Is Facebook spying on you?". CNBC.
  42. Brook, Chris. "PHP patches buffer overflow vulnerabilities". threatpost. Retrieved 27 October 2014.
  43. Fox-Brewster, Thomas. "RansomWeb: Crooks Start Encrypting Websites And Demanding Thousands Of Dollars From Businesses". Forbes.com. Retrieved 1 February 2015.
  44. Gallagher, Sean (13 April 2015). "Universal backdoor for e-commerce platform lets hackers shop for victims". arstechnica. Retrieved 14 April 2015.
  45. "Testing Your SSL Encryption Can Provide Important Security Insights". IBM Security Intelligence. 15 December 2015. Retrieved 15 December 2015.
  46. "High-Tech Bridge Grades Email Services on Security, Gives Fastmail Top Score". Talkin Cloud. 3 December 2015. Retrieved 3 December 2015.
  47. "2015 Honor Roll - OTA Members". Retrieved June 2015.
  48. "2014 Honor Roll - Methodology".
  49. "Exclusive First Look: ImmuniWeb by High-Tech Bridge". 19 July 2013. Retrieved 31 August 2013.
  50. "Finalists for the 11th Annual 2015 Info Security's Global Excellence Awards". Info Security Products Guide. Retrieved 15 March 2015.
  51. Martin Hoff ter Heide. "The Rise of Hybrid Web Application Security Testing". www.frost.com. Retrieved 31 March 2015.(subscription required)
  52. "Keeping your site tight with ImmuniWeb". ITProPortal.com. Retrieved 18 May 2015.
  53. "Cybersecurity 500 List". CyberSecurity Ventures. Retrieved 9 November 2015.
  54. "Cloud-based vulnerability management: Top vendors in the field". Help Net Security. Retrieved 2 November 2015.
  55. "Top 100 Cyber Security Companies: Ones to Watch in 2016". visiongain. Retrieved 16 December 2015.
  56. "CVSS Adopters". FIRST. Retrieved 9 April 2014.
  57. "Global Partnerships". International Telecommunications Union. Retrieved 10 April 2014.

This article is issued from Wikipedia - version of the 11/8/2016. The text is available under the Creative Commons Attribution/Share Alike but additional terms may apply for the media files.