This article can also be found in the Premium Editorial Download "Information Security magazine: How to be successful with your security steering committee."
Download it now to read this article plus other related content.
Hailstorm offers three methods to add applications: Users can run an auto-discovery scan on Web application ports, add applications manually, or import a CSV file. You can assign a risk factor, and group applications for better management. Running and scheduling assessments is as simple as it gets.
The desktop application allows custom assessments that are a combination of checks from best practices (OWASP), regulatory standards, and custom attacks created in-house.We selected the OWASP and best practices assessments against a classic ASP/MS SQL and a Joomla (LAMP) Web application, respectively.
Hailstorm offers by far the best attack customization and new attack creation capability in the industry. To offer flexibility, Cenzic has added features such as interactive assessments, where the user navigates through the website manually.
The two areas enterprises spend the most time on when using a vulnerability scanner are the
| home page/central
display and the results/reports. Cenzic has remarkable
interactive dashboard that shows trends and activities.
During the review assessments, we were able to watch
the findings and graphs updated as vulnerabilities were
discovered. The details on each finding were available
instantly, along with the HTTP request/response, complete
explanation of how the attack was executed and
One feature that sets Hailstorm apart is the Hailstorm Application Risk Metric score, which incorporates the risk factor assigned to each application and the severity of the vulnerabilities discovered. This helps you focus remediation efforts and determine which vulnerabilities present the most risk. It also measures if risk is decreasing and if remediation is effective over time.
Reporting is by far the most improved module. The reporting engine is a powerful tool to monitor progress, manage compliance and distribute relevant information in a timely manner. The Crystal Reports viewer can export reports in many formats.
Enterprise ARC 5.7 is a true enterprise-class solution for managing Web application vulnerabilities.
Testing methodology: We installed the server, database and desktop client on a Windows 2003 Server and used a Windows XP machine as an execution engine and tested against several Web applications.
This was first published in January 2009