By Andrew Garcia  |  Posted 2005-09-19 Print this article Print

Cenzic Inc.s Hailstorm 2.6 provides exceptional Web application penetration-testing capabilities in a highly automated, easy-to-use product that masks a lot of complexity under the hood, earning the product an eWEEK Labs Analysts Choice award.

With Version 2.6 of Hailstorm, which was released in July, companies can more effectively secure mission-critical Web applications for regulatory compliance and test the mettle of existing defenses, such as Web application firewalls.

Hailstorm includes a wide variety of penetration tests for Web application vulnerabilities, including buffer overflows, SQL injections and cross-site scripting attacks, as well as infrastructure checks for out-of-date Web server platforms. Individual policies are nicely grouped into packages that can be easily run to ensure compliance with government regulations or industry best-practices guidelines.

To identify possible vulnerabilities in Web applications, Hailstorm leverages the Mozilla platform to throw real browser-based traffic at an application. This closely emulates the way hackers attack and helps to avoid the false positives that often plague application scanners.

Hailstorm pricing is based on the number of applications that need to be secured. Prices start at $15,000 per year per application to be tested; the per-application price decreases as more applications are tested. The price includes one year of support, product upgrades and policy updates, as well as access to the Hailstorm server module that supports multiple users. (eWEEK Labs did not test this module.) Hailstorm pricing is in line with that of competing application scanners, such as AppScan Audit from Watchfire Corp.

Organizations that prefer to hire a third party to perform application security audits should consider Cenzics ClickToSecure penetration-testing service.

Click here to read about the IRIS Groups use of ClickToSecure. eWEEK Labs installed Hailstorm 2.6 on a Dell Inc. Latitude D600 laptop with a 1.6GHz Pentium M processor and 512MB of RAM. Cenzic recommends a machine with a 2GHz Pentium 4 or faster processor and 1GB of RAM, but Hailstorm performed admirably on our test system.

We evaluated Hailstorm 2.6 against a pair of test applications in our lab. The first, an e-commerce application, runs on Microsoft Corp.s IIS (Internet Information Services) Web server with a SQL Server 2000 back-end database and contains a wide variety of known vulnerabilities. The second application, an offline version of a hardened Web application eWEEK Labs uses regularly, runs on the The Apache Software Foundations Tomcat Java servlet container with IBMs DB2 database.

During tests, Hailstorms ease-of-use improvements were immediately noticeable. As soon as we fired up Hailstorm 2.6, a Security Assessment Wizard guided us through the process of inputting the starting URL and log-in credentials (if necessary) for the Web application we wished to test. Advanced settings are easily configurable for controlling the depth and breadth of testing on a site, and Hailstorm provides preconfigured settings as well.

Hailstorms reporting capabilities are excellent. After the appropriate job and test iteration are selected, Hailstorm presents an executive-level view of policy compliance and vulnerabilities by severity and type. From there, we could drill down to get more specific information about compliance failures or vulnerabilities that were found. We also could export our findings to a variety of formats, including PDF, Microsoft Word and Excel documents, rich text, and Business Objects S.A.s Crystal Reports.

Initial scans confirmed our faith in our Tomcat-based application; the only critical finding was a possible directory traversal that we forgot to disable. After changing a few settings on the Tomcat server, we ran the scan a second time to verify that the changes resolved the issue. We particularly appreciated the delta-analysis capabilities built into Hailstorms reporting engine that allowed us to identify changes between successive scans.

Meanwhile, a scan of our IIS-based e-commerce site confirmed that the application was riddled with problems, including cross-site scripting vulnerabilities, buffer overflows, SQL disclosures and SQL parser vulnerabilities.

Experienced penetration testers will quickly move beyond Hailstorms wizard-based testing, lifting the covers to find the products powerful, in-depth functionality that allowed us to tightly control test scope and parameters.

Application penetration testing first requires a traversal that catalogs the structure of a Web site and inventories all pages that will be defined for the test. Hailstorm offers both manual and automated traversal routines. We configured a spider to crawl through our entire test site to a predefined link depth.

For those wishing to limit testing to a specific part of an application (such as a shopping cart or log-in screen), testers can instead record an interactive traversal. The interactive traversal tracks the manual movement of a user through a Web site and records any data that is entered into forms, to test only the pages and forms involved with a common interaction or transaction. As we discovered in tests, the spider traversal can sometimes get stuck in a particularly complicated site, so the interactive traversal was beneficial in helping us complete our site inventory.

From the Jobs tab, we could apply policies to a stored traversal. Individual policies represent tests against a particular class or type of vulnerability, such as a buffer overflow, a Web server configuration error or a development error that allows a cross-site scripting attack.

Each policy offers a high-level explanation of the targeted vulnerability, the steps involved in the penetration test and possible remediation tips. Administrators also can easily define policy parameters, including certain pages to exempt from testing or specific injection lengths to test for possible overflows.

Administrators needing even more control can access the script that underlies each policy.

On the dashboard, policies are further organized into several packages based on advisory input or regulation compliance measures from many different sources, allowing us to easily initiate the right tests to meet our security goals. Packages include security guidelines from American Express Co., Visa USA Inc. and MasterCard International Inc., as well as regulation compliance for the Sarbanes-Oxley Act.

Although a wide range of policies and packages were listed on the dashboard immediately after we installed Hailstorm, many were not available until we updated the product. Policy updates are easily retrieved via the integrated auto-update function. According to company representatives, Cenzics development teams are constantly improving policies, and new signature updates should be available every two weeks or so.

Next page: Evaluation Shortlist: Related Products.

Andrew cut his teeth as a systems administrator at the University of California, learning the ins and outs of server migration, Windows desktop management, Unix and Novell administration. After a tour of duty as a team leader for PC Magazine's Labs, Andrew turned to system integration - providing network, server, and desktop consulting services for small businesses throughout the Bay Area. With eWEEK Labs since 2003, Andrew concentrates on wireless networking technologies while moonlighting with Microsoft Windows, mobile devices and management, and unified communications. He produces product reviews, technology analysis and opinion pieces for eWEEK.com, eWEEK magazine, and the Labs' Release Notes blog. Follow Andrew on Twitter at andrewrgarcia, or reach him by email at agarcia@eweek.com.

Submit a Comment

Loading Comments...
Manage your Newsletters: Login   Register My Newsletters

Rocket Fuel