IMMUNIO changes the DevOps game with Security-as-a-Service
Web and mobile development have been maturing for a very long time and, during that tenure, developers have learned a great deal about what security threats applications face. This has meant the growth of best practices and defensive design. However, developers are rarely in control of all the code: third-party libraries are often needed to get the job done, and DevOps teams cannot always stay ahead of updates or the most recent exploits.
This is the problem that Immunio (Immun.io, Inc.), a real-time web application Security-as-a-Service startup that came out of stealth in April 2015, seeks to resolve for developers so they can have peace of mind about their application security and get back to doing what they do best: producing amazing apps for their clients.
The Montreal-based startup does this by supplying a SaaS solution that hooks directly into the code of the application and deploys sensors that watch network operations between the application and its various resources. Once deployed, the Immunio sensors watch how the application interacts with other elements such as web pages, forms, third party APIs, and databases.
Providing an active “immune system” to applications
For example, after the service is activated it begins to learn what natural use of a particular SQL exchange looks like and uses that as a baseline for comparison. The system does this on the fly and uses machine learning to identify divergent behavior by users that could be a suspicious attempt to break into or exploit the application.
Consider a SQL statement being passed to a database: SQL injection (SQLi) is one of the most common vulnerabilities found in modern applications. Because a SQLi attempt looks very different from natural traffic, Immunio’s detection system has a good chance of seeing it before it hits the database and does damage. Instead of the attacker receiving a reward (in the case of SQLi it’s often sensitive information), the Immunio system throws up an error. The service also records all the information pertaining to the attacker and the attack for the DevOps team.
Immunio believes this “detect-and-stop” learning system is superior to attempting to match incoming data against attack fingerprints because it can stop as-yet-unknown attacks from hitting the system. This method is one touted by other DevOps security outlets such as Splunk, which uses Big Data analysis to “profile” normal patterns in order to identify hostile patterns.
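The baseline-versus-fingerprint idea can be shown in a few lines. The following is an added example, not Immunio's code: the article does not describe the product's algorithm, so a simple set of learned query shapes stands in for its machine learning, and the names skeleton, SqlBaseline and the "users#show" call site are hypothetical.

```python
import re

# Tokens: string literals, numbers, identifiers/keywords, then any other symbol.
_TOKEN = re.compile(r"""
    '(?:[^']|'')*'            # single-quoted string literal ('' is an escaped quote)
  | \d+(?:\.\d+)?             # numeric literal
  | [A-Za-z_][\w.]*           # keyword or identifier
  | --|/\*|\*/|<=|>=|<>|!=    # comment markers and two-character operators
  | \S                        # any other single non-space symbol
""", re.VERBOSE)

def skeleton(sql):
    """Reduce a statement to its structure: literals become '?', the rest is upper-cased."""
    out = []
    for tok in _TOKEN.findall(sql):
        if tok[0] == "'" or tok[0].isdigit():
            out.append("?")
        else:
            out.append(tok.upper())
    return " ".join(out)

class SqlBaseline:
    """Per-call-site set of query shapes seen during a learning window."""
    def __init__(self):
        self.seen = {}
        self.learning = True

    def observe(self, call_site, sql):
        """Return True if the query matches the baseline (or is still being learned)."""
        shape = skeleton(sql)
        shapes = self.seen.setdefault(call_site, set())
        if self.learning:
            shapes.add(shape)
            return True
        return shape in shapes

def demo():
    base = SqlBaseline()
    # Deliberately unsafe string building, so that input can alter the query structure.
    template = "SELECT id, email FROM users WHERE name = '%s'"
    for name in ("alice", "bob", "o''brien"):   # constructed benign traffic
        base.observe("users#show", template % name)
    base.learning = False
    benign = base.observe("users#show", template % "carol")
    injected = base.observe("users#show", template % "x' OR '1'='1")
    return benign, injected   # (True, False): new value passes, new structure is flagged
```

No attack signature is stored anywhere: the second query is flagged only because its shape was never observed at that call site, which is why the approach also covers inputs no fingerprint list has seen.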
As a result of this system, Immunio boasts being able to detect and stop a large variety of potential exploits including SQL Injection, Cross Site Scripting, Remote Command Execution attacks and many others.
Real time protection and information about ongoing attacks
Aside from protecting a team’s application from as-yet-unknown attacks, Immunio gives customers a comprehensive idea of what’s going on in their system via the security sensors. When an attacker attempts to exploit a system, a lot of information can be gathered from the attempt: network address, username, metadata attached to the connection, type of attack, etc.
All of this information is correlated in Immunio’s system with other detection events and can bring to light a great deal of other information. For example, an IP address that has hit multiple Immunio-protected applications will quickly have a profile that shows what type of attacks were attempted from that address, how often, and potentially even a guess at what kind of tools are being used.
All of this information is fed to a back-end dashboard that the DevOps team can look over and use as operational intelligence about their own application.
If a particular attacker has become extremely interested in one part of the application (say a particular SQL call) the DevOps team can then choose to spend some time trying to figure out if there’s a known exploit in a library they use that connects through that part. The heads up from Immunio blocking and reporting the attacks would give the team time to either upgrade the library (or code segment) or fix the potential exploit before it can even become a problem.
Ease of installation and availability
Installing Immunio is as easy as installing an application library, and it works automatically with Ruby on Rails, and with Python under most of the common frameworks. After the installation all that’s needed is the license key and voilà, the Security-as-a-Service functionality does the rest.
For new users interested in seeing how the system would work, Immunio offers a free plan called “Detect Free.” Under this plan DevOps teams get real-time protection, deep diagnostic info about attacks, and unlimited users, but the plan only archives information for seven days.
To get the bigger-badder service there are two more comprehensive packages called “Detect Pro” and “Protect.” Under Detect Pro a business will pay $79/mo. for five million requests, which provides all of Immunio’s services (as above) as well as unlimited data retention. Under Protect a business pays $159/mo. for five million requests, and this activates the automatic protection feature (that blocks attempted attacks outright) as well as the ability to configure the type and level of protection provided in order to fine-tune the service. At the upper Protect tier, volume pricing is also available for websites that see a great deal more than five million queries a month.
The use of the word “detect” in the package name is important. As described above, Immunio can both detect attacks and block them; at the lower pricing tiers DevOps teams receive real-time operational intelligence about attacks, but only the highest pricing level receives the real-time protection.
Featured image credit: Courtesy of Immun.io, Inc.