Feature

Application Security: Cenzic's Hailstorm v2.6

Ezine

This article can also be found in the Premium Editorial Download "Information Security magazine: Top forensics tools for tracking down cybercriminals."

Download it now to read this article plus other related content.

Hailstorm v2.6
Cenzic

Price: $15,000 per application per year (unlimited users, support and updates)

@exb

    Requires Free Membership to View

Hailstorm v2.6
@exe Vulnerability assessment and penetration testing technologies focused on Web applications remain very specialized areas, requiring multiple tools, techniques and expertise.

Organizations that want to integrate security into their application development lifecycle can hire security consultants to perform pen tests on a regular basis, or can deploy a tool that does an acceptable job without requiring a full-time administrator.

Cenzic's Hailstorm v2.6 presents a viable in-house option, allowing security architects to collaborate with QA and development staffs to test commercial and custom Web apps for known vulnerabilities and regulatory and corporate security policy compliance. Because its licensing is per application (for unlimited users), security architects can configure scan jobs and let QA engineers run them when required.

Our testing was conducted on a custom Web application (IIS 5.0, ASP.NET) that we successfully scanned for known vulnerabilities--mostly buffer overflows, SQL injections and cross-site scripting.

Hailstorm features highly configurable policies through an improved, albeit still less-than-intuitive, Web-based GUI. It was easy to create our own category of appropriate policies for testing the security and compliance requirements of the applications in our lab. For example, we edited the JavaScript code of the buffer overflow policy to disable functions we thought were not needed in our test environment. We were also impressed with the detailed descriptions Cenzic provided for each of its packaged policies, which are distributed under categories such as OWASP, SOX, phishing, session management, CISP and AMEX Secure-Code.

Users can run automated scans or interactive tests that step through the application; tests can be comprehensive or focused on particular vulnerabilities or policy requirements. The interactive results pane delivers real-time messages to the reporting pane as individual tests are completed. With a mouse click, users can drill down to detailed information on the potential vulnerability, the HTTP request and response received without interrupting the scan.

Exec Summary
Well-documented, editable options
Easy deployment
Accurate scans
Delta analysis reports
GUI not intuitive
Minimal report customization

Hailstorm's reporting tool offers minimal customization other than executive, manager and technical options. However, its delta analysis feature allows security managers to assess the security of an application over time. Reports can be exported to many formats including PDF, Microsoft Word and Crystal Reports.

Installation was straightforward and took less than five minutes. Users can become familiar with the product by running scans on sample Web apps that contain a number of vulnerabilities.

While Cenzic claims that Hailstorm can match the results of consultant pen tests at a fraction of the cost, large organizations will be reluctant to consider it as a complete replacement. But it's certainly a powerful tool for integrating security into the development process, and smaller organizations that cannot afford high-priced help may find it a good choice for improving application security.

--PHORAM MEHTA

This was first published in December 2005

There are Comments. Add yours.

 
TIP: Want to include a code block in your comment? Use <pre> or <code> tags around the desired text. Ex: <code>insert code</code>

REGISTER or login:

Forgot Password?
By submitting you agree to receive email from TechTarget and its partners. If you reside outside of the United States, you consent to having your personal data transferred to and processed in the United States. Privacy
Sort by: OldestNewest

Forgot Password?

No problem! Submit your e-mail address below. We'll send you an email containing your password.

Your password has been sent to: