August 01, 2007
- Strengths: Easy to use and understand to run scans.
- Weaknesses: Installation is a bit tricky, documentation is tough to find, and scans are slower than other products.
- Verdict: A good program, but the installation and documentation need improvement.
The Cenzic Hailstorm offering is a software-based solution that performs true application vulnerability assessment. Once the product is up and running, the wizard makes it easy, if not quick, to scan websites: a default scan of our small PHP-based test site took over 21 hours to complete. The product ships with several default policy templates to scan against; for our test we chose the industry best practices template. The utility reported only one false positive and, as with the other scanners, it was an SQL injection finding on a site that has no SQL database behind it. Unlike several other scanners, it was not fooled by the site's custom error pages. In the end, the utility discovered 13 distinct URLs and reported 80 distinct vulnerabilities.
The interface made it easy to see the overall status of the application, the number of URLs and forms discovered, and an overall site map. The utility also drew our attention to other sites it found links to but did not visit as part of the scan; Hailstorm even noticed a link to an outside site that most of the other utilities overlooked. Additionally, Hailstorm can run several different types of reports, from the technician report to the executive report.
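The two behaviours noted above, a SQL injection false positive on a site with no database and scanners being fooled by custom error pages, usually have the same root cause: the site answers every unexpected request with HTTP 200 and a friendly error page, and a naive check that keys on status codes or the word "error" takes that page as evidence. The following is an added example written for this review, not code from Cenzic or from the Hailstorm product; the target site, its error page, the probe string and the scanner heuristics are all constructed here for illustration. It shows the naive checks producing both false positives and a baseline-aware version, which fingerprints the site's soft-404 page first and matches only database-specific error signatures, avoiding them.

```python
"""
Constructed example: why a custom error page makes a naive web scanner report
SQL injection (and phantom pages) on a site with no database, and the
soft-404 baseline check that avoids it. Nothing here is from the review or
from Cenzic Hailstorm; the site and the heuristics are illustrative only.
"""
import hashlib
import re
import secrets

# --- Constructed target: a small PHP-style site with no SQL backend ---------
# Any unknown path or malformed parameter gets a friendly custom error page
# served with HTTP 200, which is the behaviour that fooled some scanners.
CUSTOM_ERROR_PAGE = (
    "<html><body><h1>Oops, an error occurred</h1>"
    "<p>Sorry, the page you requested could not be processed. "
    "Please check the URL or contact the webmaster.</p></body></html>"
)

KNOWN_PAGES = {
    "/index.php": "<html><body><h1>Welcome</h1></body></html>",
    "/news.php": "<html><body><h1>News</h1><p>Item {id}</p></body></html>",
}


def fake_site(path, params=None):
    """Return (status, body) the way the constructed site would."""
    params = params or {}
    if path not in KNOWN_PAGES:
        return 200, CUSTOM_ERROR_PAGE            # soft 404: wrong status code
    if path == "/news.php":
        item = params.get("id", "")
        if not item.isdigit():                    # plain input validation, no SQL
            return 200, CUSTOM_ERROR_PAGE
        return 200, KNOWN_PAGES[path].format(id=item)
    return 200, KNOWN_PAGES[path]


# --- Naive heuristics (the kind that produce the false positives) -----------
SQLI_PROBE = "1'"  # a single injected quote, the classic error-based probe


def naive_sqli_check(path, param):
    """Flag SQLi if the injected quote yields a 200 page mentioning 'error'."""
    status, body = fake_site(path, {param: SQLI_PROBE})
    return status == 200 and "error" in body.lower()


def naive_path_exists(path):
    """Treat any HTTP 200 as proof that the resource exists."""
    status, _ = fake_site(path)
    return status == 200


# --- Baseline-aware heuristics ----------------------------------------------
DB_ERROR_SIGNATURES = [
    r"You have an error in your SQL syntax",   # MySQL
    r"Unclosed quotation mark",                # Microsoft SQL Server
    r"ORA-\d{5}",                              # Oracle
    r"pg_query\(\)",                           # PostgreSQL via PHP
]


def fingerprint(body):
    return hashlib.sha256(body.encode()).hexdigest()


def soft404_fingerprint():
    """Request a path that cannot exist and remember what the site answers."""
    random_path = "/" + secrets.token_hex(8) + ".php"
    status, body = fake_site(random_path)
    return fingerprint(body) if status == 200 else None


def careful_path_exists(path, baseline):
    """A 200 that looks exactly like the soft-404 page is not a real page."""
    status, body = fake_site(path)
    return status == 200 and fingerprint(body) != baseline


def careful_sqli_check(path, param, baseline):
    """Ignore the soft-404 page; only a database-specific error counts."""
    _, body = fake_site(path, {param: SQLI_PROBE})
    if fingerprint(body) == baseline:
        return False
    return any(re.search(sig, body) for sig in DB_ERROR_SIGNATURES)


def compare():
    """Run both scanner styles against the constructed site."""
    baseline = soft404_fingerprint()
    return {
        "naive_sqli": naive_sqli_check("/news.php", "id"),            # False positive
        "naive_exists": naive_path_exists("/admin.php"),               # Phantom page
        "careful_sqli": careful_sqli_check("/news.php", "id", baseline),
        "careful_exists": careful_path_exists("/admin.php", baseline),
        "careful_real_page": careful_path_exists("/index.php", baseline),
    }


if __name__ == "__main__":
    for name, verdict in compare().items():
        print(f"{name}: {verdict}")
```

The baseline step is the whole difference: one request for a path that cannot exist tells the scanner what "not found" looks like on this site, after which a 200 that matches that fingerprint carries no information, whatever the URL or payload that produced it.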
The installation of Hailstorm was the most confusing among the products we examined for this Group Test. Hailstorm had several different software installation options. Two options, which appeared to be correct, required the utility to connect to an existing SQL database. On the third attempt at installation, we found the correct option and a local database was installed, as well as the .NET framework.
Documentation was a bit difficult to find. A getting started guide was enclosed with the CD, but it does not cover the different installation types in enough detail for the installer to choose the correct installation method with confidence.
Support is offered through phone, web and email. Training and professional services are also offered.
The pricing for Hailstorm is above average for this review at $26,000, but it is a true application vulnerability assessment application and feature rich.