August 15, 2005

Cenzic checks for Web-app weaknesses

Hailstorm 2.5's exceptional reporting complements its array of impressive auditing tools

As Web applications evolve and new features are added, security managers must be able to reassess the application's overall security.

Cenzic Hailstorm 2.5 is a powerful tool for doing just that. It performs not just one-time, but ongoing vulnerability reviews to ensure that the enterprise is not compromised through a programming miscue. During these tests, Hailstorm takes the "attacker" point of view to probe applications, just like a bad guy would.

Hailstorm provides the necessary tools for managers to analyze Web applications for security issues as well as regulatory compliance and overall functionality. The reports generated after a Hailstorm scan are rich with data such as types of tests run, raw HTTP requests and responses, and the scan results.

For tests that fail -- if a problem or exception is found in the application -- remediation information is available in the test results to help explain the failure and provide information for correcting the problem.

I tested Hailstorm against some custom and commercial Web applications, including Microsoft Exchange 2003 on a lab server, and was impressed with how easy the tool was to use and how much information it stores from each scan. I was able to quickly see whether an application had any vulnerabilities and, if so, how severe they were. (For the record, the Exchange 2003 install didn't have any critical flaws.) Although the price tag may run a bit high for smaller businesses, this is an application security tool worth your attention.

Policy protection

Hailstorm requires some horsepower to run its tests; my Pentium 4 3.2GHz PC with 1GB of RAM was quite busy during some of the deeper scans.

I used both the new Security and Assessment Wizard and manual tools to create my Web application and infrastructure scans. The wizard greatly reduces the time and effort required to create a scan. All you need is the starting URL, any user log-in information, and the type of scan to run.

The wizard comes with four predefined scans: TurboCheck, BaseCheck, DeepCheck, and ExtremeCheck. Each scan looks successively harder and deeper at the application -- and consequently takes much more time to complete. Advanced scan settings are available to allow security managers to tweak specific settings while still working from the wizard.

Also effective is the ability to create custom traversals -- aka step-throughs -- that allow you to define specific portions of the application you want to test. This way, instead of retesting an entire Web application, for example, you can test only the part that has changed.

For each traversal, Hailstorm maintains a list of the forms located in the application. Testers can insert specific information, such as user name and password, into the test application for each form. They can even set the value of check boxes and list boxes.

At the heart of Hailstorm are various policies available to throw against the application. The Policy Library groups policies into various categories for easier retrieval, such as Best Practices, GLBA (Gramm-Leach-Bliley Act), OWASP (Open Web Application Security Project), and Phishing. As policies are added to a job and traversal, managers can edit policy values to specifically test certain aspects of the application while ignoring others. For example, I was able to use a custom SQL injection file to test an application's SQL database instead of the included default file.

Test Center Scorecard (six weighted categories)
Weights:                20%  20%  20%  15%  15%  10%
Cenzic Hailstorm 2.5:    9    9    9    9    8    8
Weighted score: 8.8 (Very Good)

©1994-2009 Infoworld, Inc.