Price: $15,000 per application per year (unlimited users, support and updates)
Vulnerability assessment and penetration testing technologies focused on Web applications remain very specialized areas, requiring multiple tools, techniques and expertise.
Organizations that want to integrate security into their application development lifecycle can hire security consultants to perform pen tests on a regular basis, or can deploy a tool that does an acceptable job without requiring a full-time administrator.
Cenzic's Hailstorm v2.6 presents a viable in-house option, allowing security architects to collaborate with QA and development staffs to test commercial and custom Web apps for known vulnerabilities and regulatory and corporate security policy compliance. Because its licensing is per application (for unlimited users), security architects can configure scan jobs and let QA engineers run them when required.
Our testing was conducted on a custom Web application (IIS 5.0, ASP.NET) that we successfully scanned for known vulnerabilities--mostly buffer overflows, SQL injections and cross-site scripting.
Users can run automated scans or interactive tests that step through the application; tests can be comprehensive or focused on particular vulnerabilities or policy requirements. The interactive results pane delivers real-time messages to the reporting pane as individual tests are completed. With a mouse click, users can drill down to detailed information on the potential vulnerability, the HTTP request and response received without interrupting the scan.
Hailstorm's reporting tool offers minimal customization other than executive, manager and technical options. However, its delta analysis feature allows security managers to assess the security of an application over time. Reports can be exported to many formats including PDF, Microsoft Word and Crystal Reports.
Installation was straightforward and took less than five minutes. Users can become familiar with the product by running scans on sample Web apps that contain a number of vulnerabilities.
While Cenzic claims that Hailstorm can match the results of consultant pen tests at a fraction of the cost, large organizations will be reluctant to consider it as a complete replacement. But it's certainly a powerful tool for integrating security into the development process, and smaller organizations that cannot afford high-priced help may find it a good choice for improving application security.
This product review originally appeared in the December 2005 issue of Information Security magazine.