We recently met Mr. Oliver Moradov, Head of Partnerships at NeuraLegion, an Israeli-headquartered company with a London office, which has recently launched a product called ‘NexPloit’, described as the world’s first AI-powered Application Security Testing solution. NeuraLegion recently won the top spot in the prestigious Cybertech 2019 Start-up competition. We spoke to him in detail to understand the product’s uniqueness and the benefits it provides to its customers.
Q. How does NexPloit work?
We like to think of NexPloit as being the New Generation in Application Security Testing, as confirmed by the unanimous decision by the leading panel of experts as winners of the most innovative and promising solution in Cyber Security. We differentiate ourselves from the competition in a number of ways. Our main differentiator is our AI Powered Engine that provides full automation of the application security process.
Current solutions are very adept at detecting _KNOWN VULNERABILITIES_, going through a manually updated list of vulnerabilities to effectively guess and predict which vulnerabilities the target is going to be susceptible to. This method results in large numbers of false positive results that need to be parsed and trialled by cyber security experts. There are solutions out there that use automation and AI to attempt to reduce the number of false positives. However, there is always a requirement for human intervention to get rid of the remaining 1-2% of false positives that the automation is unable to confirm either way. Additionally, the process of testing for unknown vulnerabilities is a manual process, relying on the limited capabilities of a human to effectively think of all and any scenarios against the target application to effectively test. This is an impossible task, going some way to explaining why 2018 was a record year for data breaches, as well as being costly and very time consuming, putting limitations on the development lifecycle.
NexPloit revolutionises the way AST is carried out. Using Machine Learning to understand the architecture of the dynamic runtime state of the target application itself, our AI powered engine uses Evolutionary Strategies to generate its own, malicious, ever changing and evolving scenarios against the specific target, hundreds of times per second. This means that we are able to not only detect the common known vulnerabilities, but also _UNKNOWN 0DAY VULNERABILITIES_ in any target, including logical flow issues, with no false positives, a world’s first.
We are able to achieve ZERO false positives because we are actually carrying out the malicious scenarios on the target and only reporting validated outcomes, like a human would. This, coupled with being a SaaS solution, enables us to provide immediate reports, with full remediation guidelines, details of the exposure, the response from the target and the body, providing everyone from the CEO and CISO to the developer with all the information they need, whether from a business or technical perspective.
NexPloit requires no human interaction: there is no need for a human to go through a set of results or to manually try to exploit an application and report back in 5-10 days’ time with the results, saving clients time and money. We integrate with all of the SDLC tools, such as GitHub, Jenkins and Jira for example, allowing detected vulnerabilities to be assigned to a specific developer. Using the remediation guidelines, they can quickly debug the issue and use the feature in NexPloit that allows them to re-run the specific vulnerability they were fixing from our user-friendly interface, with no need to go through the whole process again, to see if the issue is resolved.
A major breakthrough of our solution and another key differentiator from all other solutions on the market is NexPloit’s ability to detect logical flow issues in a target application. One specific example of this is when NexPloit, during a Proof of Concept demo on the application platform of a cryptocurrency exchange, was able to detect a vulnerability that would allow a hacker to transfer bitcoin to a crypto wallet of their choice, even though there was no bitcoin in their account. If the specific hacker was able to perform even 100 requests per second, they could theoretically empty that cryptocurrency exchange of its bitcoin.
In summary, current solutions involve lengthy manual processes. Current solutions only detect known vulnerabilities. Current solutions are unable to detect logical flow issues in a system. Current solutions require complicated configuration and in many cases lengthy integration and even on-prem solutions. With NexPloit, we have addressed all these issues, fully automating the whole process. Having performed well over 100 PoC demos and been benchmarked against the major competition in the industry, we are proud to say that so far we have a 100% success rate, and we hope this continues!
Q. Do you mean to say that all applications can be tested, across the verticals and across the requirements?
Any application can be tested using NexPloit. We also support mobile application security testing. In terms of protocols, we support HTTPS, WebSocket, REST, to check the API itself, Bluetooth and also FIX, for Financial Information Exchange. In terms of verticals, NexPloit is language-agnostic. We simply require a recorded session of an interaction with the target application as a HAR file (HTTP Archive file), which NexPloit uses as a baseline to understand the architecture of the target by itself using its Machine Learning capabilities. It then generates its own malicious attack scenarios, whereas in the current solutions that would require the critical thinking of a human.
Let’s look at the process that a security expert must go through to test a solution manually – they have to understand the architecture of the target application itself. They have to sit down and think about specific malicious scenarios that they are going to inflict on the target application and how they are going to evolve and alter these specific scenarios to try and detect a vulnerability.
NexPloit does it all automatically, at the press of a button, and can perform many hours of work in a single short scan of the target, generating immediate reports that provide full visibility of each vulnerability with no false positives, what that vulnerability and any exposure means to the business, whether that is a breach of data, or whether it allows a hacker to inject code into the application, for example. In terms of sectors, our solution can help organisations in the Health, Financial Services, Pharmaceutical, Consumer and Telecommunications sectors and everything in between.
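The answer above describes a recorded HAR session as the baseline from which the target’s architecture is understood. The following is an added example, not NeuraLegion’s or NexPloit’s code, showing the first step any HAR-driven tool has to take: turning the recorded traffic into an inventory of endpoints, their parameters and whether they were exercised behind authentication. The HAR document, the host `exchange.example` and the `/api/wallet/...` paths are constructed for illustration and do not come from the interview.

```python
"""Build an API-surface baseline from a HAR (HTTP Archive) recording.

Added example, not NeuraLegion/NexPloit code. SAMPLE_HAR is constructed;
the host "exchange.example" and its paths are placeholders.
"""
import json
from dataclasses import dataclass, field
from urllib.parse import urlsplit, parse_qsl

STATE_CHANGING = {"POST", "PUT", "PATCH", "DELETE"}


@dataclass
class Endpoint:
    """One (method, host, path) seen in the recording, with what was sent to it."""
    method: str
    host: str
    path: str
    query_params: set = field(default_factory=set)
    body_params: set = field(default_factory=set)
    authenticated: bool = False   # an Authorization or Cookie header was present
    statuses: set = field(default_factory=set)

    @property
    def key(self):
        return (self.method, self.host, self.path)


def _body_param_names(post_data):
    """Parameter names from a HAR postData object (JSON or form-encoded bodies)."""
    if not post_data:
        return set()
    if post_data.get("params"):  # recorders pre-split form bodies into params
        return {p["name"] for p in post_data["params"] if p.get("name")}
    mime, text = post_data.get("mimeType", ""), post_data.get("text", "")
    if "json" in mime:
        try:
            body = json.loads(text)
        except ValueError:
            return set()
        return set(body) if isinstance(body, dict) else set()
    if "x-www-form-urlencoded" in mime:
        return {name for name, _ in parse_qsl(text, keep_blank_values=True)}
    return set()


def load_har(text):
    """Parse HAR text and return its entries; reject anything that is not a HAR log."""
    try:
        doc = json.loads(text)
    except ValueError as exc:
        raise ValueError("not valid JSON") from exc
    entries = doc.get("log", {}).get("entries") if isinstance(doc, dict) else None
    if not isinstance(entries, list):
        raise ValueError("missing log.entries: not a HAR file")
    return entries


def extract_endpoints(har_text):
    """Merge every recorded request into one Endpoint per (method, host, path)."""
    endpoints = {}
    for entry in load_har(har_text):
        req = entry.get("request", {})
        url = urlsplit(req.get("url", ""))
        method = req.get("method", "GET").upper()
        ep = endpoints.setdefault((method, url.netloc, url.path),
                                  Endpoint(method, url.netloc, url.path))
        ep.query_params |= {q["name"] for q in req.get("queryString", []) if "name" in q}
        ep.query_params |= {n for n, _ in parse_qsl(url.query, keep_blank_values=True)}
        ep.body_params |= _body_param_names(req.get("postData"))
        headers = {h.get("name", "").lower() for h in req.get("headers", [])}
        ep.authenticated |= bool(headers & {"authorization", "cookie"})
        status = entry.get("response", {}).get("status")
        if status is not None:
            ep.statuses.add(status)
    return endpoints


def state_changing_authenticated(endpoints):
    """Authenticated endpoints that change state: where balance and ownership checks must hold."""
    return sorted(ep.key for ep in endpoints.values()
                  if ep.method in STATE_CHANGING and ep.authenticated)


# Constructed sample recording in HAR 1.2 layout (log -> entries -> request/response).
SAMPLE_HAR = json.dumps({"log": {"version": "1.2", "entries": [
    {"request": {"method": "POST", "url": "https://exchange.example/api/login",
                 "headers": [{"name": "Content-Type", "value": "application/json"}],
                 "queryString": [], "postData": {"mimeType": "application/json",
                 "text": "{\"user\": \"alice\", \"password\": \"placeholder\"}"}},
     "response": {"status": 200, "content": {"mimeType": "application/json"}}},
    {"request": {"method": "GET", "url": "https://exchange.example/api/wallet/balance?currency=BTC",
                 "headers": [{"name": "Authorization", "value": "Bearer REDACTED"}],
                 "queryString": [{"name": "currency", "value": "BTC"}]},
     "response": {"status": 200, "content": {"mimeType": "application/json"}}},
    {"request": {"method": "POST", "url": "https://exchange.example/api/wallet/transfer",
                 "headers": [{"name": "Authorization", "value": "Bearer REDACTED"},
                             {"name": "Content-Type", "value": "application/json"}],
                 "queryString": [], "postData": {"mimeType": "application/json",
                 "text": "{\"to\": \"bc1qplaceholder\", \"amount\": 0.5}"}},
     "response": {"status": 200, "content": {"mimeType": "application/json"}}},
]}})

if __name__ == "__main__":
    inventory = extract_endpoints(SAMPLE_HAR)
    for ep in sorted(inventory.values(), key=lambda e: e.key):
        print(ep.method, ep.host + ep.path, "query=%s body=%s auth=%s statuses=%s"
              % (sorted(ep.query_params), sorted(ep.body_params), ep.authenticated, sorted(ep.statuses)))
    print("state-changing, authenticated:", state_changing_authenticated(inventory))
```

The `state_changing_authenticated` view is the defender’s reading of the logical-flow example given elsewhere in the interview: a transfer endpoint that accepts `to` and `amount` from the client is exactly the place where server-side balance and ownership checks have to be verified, and a HAR baseline makes that list explicit before any scan or code review starts.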
Q. What are the minimum system requirements for this? Is it really going to put a burden on the enterprise, or can the enterprise handle the rest with its existing systems?
You have to remember that this solution is an active tool and is offensive by nature. The reinforcement learning is rewarded to theoretically ‘attack’ and find vulnerabilities within a system. So, by that notion, it has to be run against a test environment, with no access to data. We have controls in place to ensure the ethical use of our system to prevent DoS, data breaches and potential corruption of data. With most clients having their applications in the cloud, it is very simple to provide a test environment.
In terms of initiating a scan, the process is very simple and requires no more than 30 minutes of training, even for a technical novice – we intended the solution to be easy to use by everyone in the business, for full visibility and understanding of their vulnerabilities. The HAR file can be easily uploaded and a scan started in a matter of minutes. There is no deployment or integration required; it is all carried out with a simple login and can be performed from anywhere, remotely.
As mentioned, there is no integration and no on-premise machine, so there is no burden to the organisation. Indeed, if anything, NexPloit relieves the burden that slow and costly testing has on organisations, let alone preventing data breaches, which can produce an unquantifiable burden on an organisation in terms of reputational losses.
Q. AI is developing at a very fast pace. Recently, a concept has come up of bypassing AI using AI. It’s like using malware to prevent malware.
Let me start by saying we are not looking to defend applications. We are not, for example, a runtime application security process that uses AI to combat hackers, monitoring applications and networks for malicious activity and then countering a hacker in real time. The reason why a hacker is able to exploit an application is because the code hasn’t been written securely, or the interaction of the application in a runtime state (microservices and APIs) results in exploitable weaknesses. NexPloit uses AI to empower organizations to build security into their applications from the ground up. There are lots of products in the market that act as an insurance policy, defending against threats, and some use AI to do this, which is great. However, by using NexPloit, development teams can ensure any vulnerabilities in the application are detected and remediated immediately, before release.