The Cenzic Hailstorm offering is a software-based solution whichtruly performs application vulnerability assessment. Once the productis up and running, the wizard allows you to scan websites easily if notquickly. A default scan of the small PHP-based website had a runtime ofover 21 hours to complete the scan. The scan has several default policytemplates to be scanned against and for our test we chose the industrybest practices template. The utility reported only one false positiveand, as with other scanners, it was an SQL injection vulnerability on asite without SQL running. The utility was not fooled by the customerror pages as other scanners often were. In the end, the utility found13 distinct URLs and found 80 distinct vulnerabilities.

The interface made it quite easy to see the overall status of theapplication, number of URLs discovered, forms discovered and an overallsite map. The utility also called the scanner’s attention to othersites, which were not visited as part of the scan. Hailstorm evennoticed a link to an outside site that was overlooked by mostutilities. Additionally, Hailstorm has the ability to run severaldifferent types of reports — from the technician report to theexecutive report.

The installation of Hailstorm was the most confusing among theproducts we examined for this Group Test. Hailstorm had severaldifferent software installation options. Two options, which appeared tobe correct, required the utility to connect to an existing SQLdatabase. On the third attempt at installation, we found the correctoption and a local database was installed, as well as the .NETframework.

Documentation was a bit difficult to find. Enclosed with the CD wasa getting started guide, but it does not cover the differentinstallation types in any level of detail, such that the installer canchoose the correct installation method with confidence.

Support is offered through phone, web and email. Training and professional services are also offered.

The pricing for Hailstorm is above average for this review at$26,000, but it is a true application vulnerability assessmentapplication and feature rich.