Total Tests:

ImmuniWeb Launches Free Website Security and GDPR Compliance Test

May 29, 2019

The non-intrusive online test quickly verifies relevant GDPR and PCI DSS requirements, checks CMS security and runs a privacy check.


ImmuniWeb, a global provider of web, mobile and API security testing and risk ratings, has now added a GDPR compliance check to its website security test, one of the most popular free tests provided within ImmuniWeb’s community offering.

ImmuniWeb Launches Free Website Security and GDPR Compliance Test

The test is initially designed for SMEs and organizations with nascent application security testing programs. Large organizations with mature DevSecOps programs can also benefit from the service to quickly run hundreds of daily GDPR scans ensuring essential security and compliance of their external web applications.

The free security test will:

  • Verify PCI DSS requirements 6.2, 6.5 and 6.6.
  • Verify GDPR requirements mentioned in Articles 5, 6, 7, 25, 32 and 35 applicable to websites and web applications.
  • Fingerprint versions of over 100 most popular CMS, web frameworks and over 167,000 of their plugins.
  • Run a comprehensive but non-intrusive vulnerability scan for all known vulnerabilities in the fingerprinted software.
  • Check over 20 HTTP headers related to security, encryption or privacy for strong configurations in line with industry best practices, including ones from OWASP.
  • Assess Content Security Policy (CSP) to prevent some XSS and CSRF exploitation vectors, as well as variations of ransomware and Cryptojacking attacks.

One year ago, the EU GDPR was officially enforced as a law and imposed a considerable set of data protection and privacy requirements on all organizations handling PII (personally identifiable information) of European residents.

So far, 144,376 complaints were filed for various violations of GDPR, while companies have reported 89,271 data breaches, which they're obligated to report within 72 hours of discovery. A Brussels report finds that €56 million of fines have been handed out since GDPR was enacted.

To test how largest European websites adhere to GDPR requirements related to web applications, we selected the 100 most visited websites (excluding local versions of global brands e.g. Google or Facebook) of the 28 European member states and ran the following non-intrusive checks:

  • Missing or hard-to-get (not easily visible and accessible from the main page) privacy policy (51.50%)
  • Nonconsensual (no cookie notice/disclaimer) or insecure usage of cookies (e.g. missing secure flag) handling sensitive or tracking data (78.25%)
  • Outdated and vulnerable CMS or CMS components (not counting just outdated software) (6.75%)
  • No HTTPS encryption by default or serious security SSL/TLS flaws (e.g. usage of SSLv3) (5.96%)

Below are the results per county:

Widespread GDPR Issues on Websites
TotalIssues Found from Total
Member CountryGDPR Issue(s) Found (%)Privacy Policy Issues (%)Cookie Protection or Usage Issues (%)Website Security Issues (%)HTTPS Encryption Issues (%)
Germany504010000
Italy501486014
Austria67010000
Spain7567561111
Greece815469380
Poland8267671111
Belgium837070010
Bulgaria83407377
Cyprus83608000
France835080010
Netherlands85189100
Portugal85738200
Luxembourg8633100017
UK861710000
Denmark87548588
Slovenia9170902010
Estonia92676708
Latvia93647900
Finland94885006
Lithuania94676707
Romania9460872013
Sweden94608700
Hungary958344110
Croatia100608000
Czechia1008344116
Ireland100088250
Malta100141001429
Slovakia1006969130
Average:86,1851,5078,256,755,96

Ilia Kolochenko, CEO and Founder of ImmuniWeb, comments: “We can see laudable efforts aimed to improve web application security and adhere to GDPR requirements amid European companies. However, there is a long road before the majority of organizations start valuing actual security above paper-based compliance thereby providing users with the privacy and security they truly deserve.

To help companies comply with the intricate requirements of GDPR, most of which are quite far from being crystal-clear today, we are happy to enhance our community offering with the new free test. More cool features are coming soon, please stay tuned.

The GDPR test is now also integrated with ImmuniWeb® Discovery to quickly build a comprehensive inventory of your organization’s web, mobile and cloud assets, providing an ultimate asset visibility.

Book a Call Ask a Question
Close
Talk to ImmuniWeb Experts
ImmuniWeb AI Platform
Have a Technical Question?

Our security experts will answer within
one business day. No obligations.

Have a Sales Question?
Email:
Tel: +41 22 560 6800 (Switzerland)
Tel: +1 720 605 9147 (USA)
*
*
*
*
Your data will stay private and confidential