If your customer is looking for a tool that will perform regular in-house pen tests without the need for dedicated staff, Cenzic's Hailstorm v2.6 might be the tool to recommend. Learn the basics in this review, courtesy of Information Security magazine.
Hailstorm v2.6
Cenzic
Price: $15,000 per application per year (unlimited users, support and updates)
Vulnerability assessment and penetration testing technologies focused on Web applications remain very specialized areas, requiring multiple tools, techniques and expertise.
Organizations that want to integrate security into their application development lifecycle can hire security consultants to perform pen tests on a regular basis, or can deploy a tool that does an acceptable job without requiring a full-time administrator.
Cenzic's Hailstorm v2.6 presents a viable in-house option, allowing security architects to collaborate with QA and development staffs to test commercial and custom Web apps for known vulnerabilities and regulatory and corporate security policy compliance. Because its licensing is per application (for unlimited users), security architects can configure scan jobs and let QA engineers run them when required.
Our testing was conducted on a custom Web application (IIS 5.0, ASP.NET) that we successfully scanned for known vulnerabilities -- mostly buffer overflows, SQL injections and cross-site scripting.
lstorm features highly configurable policies through an improved, albeit still less-than-intuitive, Web-based GUI. It was easy to create our own category of appropriate policies for testing the security and compliance requirements of the applications in our lab. For example, we edited the JavaScript code of the buffer overflow policy to disable functions we thought were not needed in our test environment. We were also impressed with the detailed descriptions Cenzic provided for each of its packaged policies, which are distributed under categories such as OWASP, SOX, phishing, session management, CISP and AMEX Secure-Code.
Users can run automated scans or interactive tests that step through the application; tests can be comprehensive or focused on particular vulnerabilities or policy requirements. The interactive results pane delivers real-time messages to the reporting pane as individual tests are completed. With a mouse click, users can drill down to detailed information on the potential vulnerability, the HTTP request and response received without interrupting the scan.
lstorm's reporting tool offers minimal customization other than executive, manager and technical options. However, its delta analysis feature allows security managers to assess the security of an application over time. Reports can be exported to many formats including PDF, Microsoft Word and Crystal Reports.
Installation was straightforward and took less than five minutes. Users can become familiar with the product by running scans on sample Web apps that contain a number of vulnerabilities.
While Cenzic claims that Hailstorm can match the results of consultant pen tests at a fraction of the cost, large organizations will be reluctant to consider it as a complete replacement. But it's certainly a powerful tool for integrating security into the development process, and smaller organizations that cannot afford high-priced help may find it a good choice for improving application security.
This review originally appeared in Information Security magazine.
