Virtualization Technology News and Information
Q&A: IMMUNIO CEO Zaid Al Hamami Talks Security and DevOps


IMMUNIO, a pioneer in real-time web application security, recently announced the general availability of its complete security solution making web applications immune to exploitation.  To find out more, I spoke with the company's co-founder and CEO, Zaid Al Hamami.

VMblog:  Yesterday, you announced GA of IMMUNIO.  Can you provide us with a brief overview of the company and product?

Zaid Al Hamami:  Of course. My co-founder, Mike Milner, and I started IMMUNIO in 2013 and are based out of Montreal. Since founding the company, our focus has been to significantly advance application security by providing real-time detection and protection against web application layer attacks. However, we've taken a different approach than the norm in the industry: instead of building products for AppSec pros, we've focused our efforts on helping those firstly responsible for an application's security, the developers. We've made application security so simple that developers and DevOps teams can protect applications right from the start, without necessarily having access to AppSec experts. Whereas most products in the market today are geared at security experts, IMMUNIO really is a service any development team can make use of.

VMblog:  Can you tell us more about IMMUNIO's decision to focus on the DevOps and Developer crowd?

Zaid Al Hamami:  It's been widely publicized that web applications are the leading cause of data breaches, yet the current norms within application security aren't sufficient to curb the breaches that make headlines each week.

Today's products assume a 'find-vulnerability-and-fix-it-quickly' security model. The assumption is that there are security (AppSec) pros that are good at finding these vulnerabilities, and once found, the dev team can address them quickly. This model also assumes that there are lots of controls in place to make sure vulnerabilities do not make it to production.

All these assumptions break down for most organizations these days: the paradigm has shifted. Agile development, DevOps, and open source software mean that we're releasing software continuously, at a rate that's too fast for finding vulnerabilities and addressing them quickly enough. Furthermore, handling every security risk at the code level is a task that most organizations cannot afford to do; most organizations need months to upgrade an application to a new version of the web framework they're using. Finally, there simply aren't that many AppSec pros to go around...

So, in short, we're releasing software faster than we can control/audit it for security. If we wanted to be able to secure web applications - IMMUNIO reasoned that we had to focus on those releasing the software and running it, the developers and the DevOps crowd.

In order to truly secure or build a secure web application, developers need better insight into current risks, and DevOps pros need the ability to understand the threats they are under and react immediately to attacks already in process. We built IMMUNIO with this in mind. Developers now have a solution that will allow them to build security into their applications with no lock-in and no code integration necessary, essentially eliminating the need for application security experts on staff at each company.

VMblog:  So IMMUNIO is a security product for everyday app developers and DevOps staff?

Zaid Al Hamami:  Correct. Any team can decide to add security features to their application just by including IMMUNIO in their project. Today, if you wanted to add telecom services to your app, you'd probably use Twilio, for payments Stripe, for APM, perhaps New Relic. Well, this is how you would use IMMUNIO - for security. By adding IMMUNIO, you are giving your application security instrumentation and protection features.

Having said that, AppSec pros will actually find that IMMUNIO serves their needs well: one of the biggest challenges that AppSec professionals face is aligning the organization behind them. They know what needs to happen, but frequently they don't have the influence to make it happen. Well, IMMUNIO is a common platform that the entire organization can use to understand not only the vulnerability in the code, but also the real-time attack and attacker information. For example, if an application is being targeted heavily, the app dev team can see that - and they may want to address the security concerns there first - but now they understand the threat is real.

VMblog:  What benefits will IMMUNIO provide an organization?

Zaid Al Hamami:  There are two main use cases of IMMUNIO that I'd highlight upfront. The first is active protection, which enables the product to automatically hook into an application at key points where exploit attempts can be detected and automatically protected from at run-time. From then on, IMMUNIO will foil the attackers' attempts at exploiting the application, even if it were vulnerable. This protects the application provider against data theft. The second is real-time security intelligence, where IMMUNIO collects and reports information about an attacker, an exploit attempt and any potential code vulnerabilities. By enabling this security intelligence capability to your application - you'll be able to understand if you're under attack, by whom, and how. You'll also be able to conduct triages and investigations quickly.

What we're most proud of is how easy we made it: IMMUNIO's simple and fast installation process, allowing users to install the agent simply and in less than two minutes.

VMblog:  Can you talk about some of the key features of IMMUNIO?

Zaid Al Hamami:  We'll detect the usual web application attack attempts: SQL injection, XSS, RCE, etc., but we go way above that as well. For example, IMMUNIO is able to stop a botnet used to perform various forms of user-login attacks, we'll give captcha capabilities to the applications, detect stolen sessions and user accounts, and more.

VMblog:  And how is IMMUNIO different than other application security products on the market today?

Zaid Al Hamami:  IMMUNIO deploys literally in a couple of minutes, does most of the processing inside the application at runtime, hence adding very little overhead to the end user experience, yet detects and protects against the widest range of web attacks. IMMUNIO also has the widest range of remediation mechanisms in dealing with attacks and attackers.

VMblog:  What platforms do you support?

Zaid Al Hamami:  IMMUNIO supports the following platforms out of the box today: Ruby (any rack-based application, as well as extensive support for Rails), Python (any WSGI-based application, as well as extensive support for Django and Pyramid). Java is also supported albeit still in beta.

VMblog:  Is there anything else you'd like to mention to VMblog readers?

Zaid Al Hamami:  As of today, developers and DevOps professionals can deploy IMMUNIO and benefit from a concrete and truly innovative application security solution. We look forward to building off this initial momentum, adding additional features and support. IMMUNIO is now generally available and accessible through a free trial version at


Once again, a special thank you to Zaid Al Hamami, co-founder and CEO of IMMUNIO, for speaking with VMblog.

Published Thursday, October 01, 2015 6:25 AM by David Marshall