The Cenzic Hailstorm offering is a software-based solution that truly performs application vulnerability assessment. Once the product is up and running, the wizard makes it easy, if not quick, to scan websites. A default scan of the small PHP-based website took over 21 hours to complete. The scanner ships with several default policy templates to scan against, and for our test we chose the industry best practices template. The utility reported only one false positive and, as with the other scanners, it was an SQL injection vulnerability on a site with no SQL database running. Unlike many of the other scanners, the utility was not fooled by the site's custom error pages. In the end, the utility found 13 distinct URLs and 80 distinct vulnerabilities.
The interface made it quite easy to see the overall status of the application, the number of URLs and forms discovered, and an overall site map. The utility also called our attention to links to other sites that were not visited as part of the scan; Hailstorm even noticed a link to an outside site that most of the other utilities overlooked. Additionally, Hailstorm can produce several different types of reports, from a technician report to an executive report.
The installation of Hailstorm was the most confusing among the products we examined for this Group Test. Hailstorm offers several different software installation options. Two options, which appeared to be correct, required the utility to connect to an existing SQL database. On the third installation attempt we found the correct option, which installed a local database along with the .NET framework.
Documentation was a bit difficult to find. A getting started guide was enclosed with the CD, but it does not cover the different installation types in enough detail for the installer to choose the correct installation method with confidence.
Support is offered through phone, web and email. Training and professional services are also offered.
The pricing for Hailstorm is above average for this review at $26,000, but it is a true, feature-rich application vulnerability assessment product.