As Web applications evolve and new features are added, security managers must be able to reassess the application’s overall security.
Cenzic Hailstorm 2.5 is a powerful tool for doing just that. It performs not just one-time but ongoing vulnerability reviews to ensure the enterprise is not compromised through a programming miscue. During these tests, Hailstorm takes the “attacker” point of view to probe applications, just like a bad guy would.
Hailstorm provides the necessary tools for managers to analyze Web applications for security issues as well as regulatory compliance and overall functionality. The reports generated after a Hailstorm scan are rich with data such as types of tests run, raw HTTP requests and responses, and the scan results.
For tests that fail — if a problem or exception is found in the application — remediation information is available in the test results to help explain the failure and provide information for correcting the problem.
I tested Hailstorm against some custom and commercial Web applications, including Microsoft Exchange 2003 on a lab server, and was impressed with how easy the tool was to use and how much information it stored from each scan. I was able to quickly see whether an application had any vulnerabilities and, if so, how severe they were. (For the record, the Exchange 2003 install didn’t have any critical flaws.) Although the price tag may run a bit high for smaller businesses, this is an application security tool worth your attention.
Hailstorm requires some horsepower to run its tests: my Pentium 4 3.2GHz PC with 1GB of RAM was quite busy during some of the deeper scans.
I used the new Security and Assessment Wizard and manual tools to create my Web application and infrastructure scans. The wizard greatly reduces the time and effort required to create a scan. All you need is the starting URL, any user log-in information, and the type of scan to run.
The wizard comes with four predefined scans: TurboCheck, BaseCheck, DeepCheck, and ExtremeCheck. Each scan looks successively harder and deeper at the application — and consequently takes much more time to complete. Advanced scan settings are available to allow security managers to tweak specific settings while still working from the wizard.
Also effective is the ability to create custom traversals — aka step-throughs — that allow you to define specific portions of the application you want to test. This way, instead of retesting an entire Web application, for example, you can test only the part that has changed.
For each traversal, Hailstorm maintains a list of the forms located in the application. Testers can insert specific information, such as user name and password, into the test application for each form. They can even set the value of check boxes and list boxes.
At the heart of Hailstorm are various policies available to throw against the application. The Policy Library groups policies into various categories for easier retrieval, such as Best Practices, GLBA (Gramm-Leach-Bliley Act), OWASP (Open Web Application Security Project), and Phishing.
As policies are added to a job and traversal, managers can edit policy values to specifically test certain aspects of the application while ignoring others. For example, I was able to use a custom SQL injection file to test an application’s SQL database instead of the included default file.
Admins can create new policies to include in the library, too. This high level of customization makes Hailstorm flexible enough to meet specific testing parameters, yet powerful enough to detect and report security problems. Also available are infrastructure tests — more than 800 of them — that look at the underlying network structure hosting the Web application.
If the heart of Hailstorm is its policies, then the soul has to be its reporting engine. Based on Crystal Reports, this feature is second to none. Hailstorm creates comprehensive reports that show the results of the test run and the job runs included in the report.
The reports are interactive, allowing managers to drill down into the reports in order to get to the information they need. I was able to view the HTTP request and response for a particular vulnerability by simply double-clicking my way through the report.
Thankfully, the reporting engine is capable of filtering out redundant or unnecessary data from a report. On large tests with lots of data, this helps reduce excessive data points and makes the report easier to read.
The Delta Analysis feature is just as useful: managers can compare multiple runs of the same test against one another and look for changes over time. It comes in handy when monitoring for regulatory compliance.
Hailstorm’s scheduler is as simple to use as the rest of the program. I quickly and easily created multiple queues, each with distinct jobs and run times. First, I created a queue by naming it and setting a start time. Then, I dragged the jobs to run in that queue from the Jobs list and dropped them into the scheduler.
The scheduler allows you to set a future time and date to run jobs — “run now” is also available — but as of this writing, you cannot set a job to automatically repeat. Look for this feature in an upcoming release.
Good security requires ongoing auditing and analysis, and Hailstorm provides a good set of tools to provide that information. The product is intuitive and the reporting is exceptional.
The scheduler is a nice touch, although it will be even better when recurring schedules become available.
And don’t forget Hailstorm’s policies: It comes with a rich built-in set, and security managers can edit and create their own.