A New Hailstorm for Application Security

Application security doesn’t need to entirely rest in the cloud or in the corporate datacenter — it can actually exist in both locations as part of a hybrid.

That’s the view of application security vendor Cenzic, which today updated both its on-premises Hailstorm and its on-demand ClickToSecure services to version 6.0.

The new releases include new, real-time application assessment monitoring support as well as expanded Flash application security vulnerability scanning. Cenzic’s release comes as the need for application security continues to mount, with application security vendors and others working to clamp down. HP, for instance, recently rolled out new tools to secure Flash.

“Large companies have many applications, and it makes sense for them to balance their overall resources,” Mandeep Khera, chief marketing officer at Cenzic, told InternetNews.com. “What’s happening in the down economy is people don’t have the resources to work on everything themselves.”

Khera explained that Cenzic has customers that have a thousand or more applications running on their networks. They don’t have the resources to run all of the application assessments themselves, so the on-demand cloud offering is a way to offload the work. The cloud-based ClickToSecure assessment can then be imported back into a user’s own on-site Hailstorm dashboard for future analysis.

Both the on-site and cloud versions of Cenzic’s software have been updated to provide even more capabilities for finding AJAX and Flash vulnerabilities — an attack landscape that Khera said continues to evolve.

It’s also an area on which Cenzic continues to improve, most recently with its ClickToSecure 5.9 release back in April.

The new Cenzic releases now will spider all of the URLs found within Flash files to hunt down vulnerabilities. Cenzic’s traditional rivals, HP and IBM, have both been active in improving their own Flash vulnerability scanning this year. HP introduced its new WebInspect 8.0 platform for application security in April. IBM’s AppScan platform was updated in February for Flash.
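The article only says the scanner spiders URLs it finds inside Flash files. The following is an added illustration of what that step involves, written for this page and not Cenzic's, HP's or IBM's code: a SWF container is either uncompressed (`FWS`) or zlib-compressed (`CWS`), so the scanner must unwrap it before it can pull URL strings out of the bytecode, and it should then keep only URLs inside the assessment's scope before feeding them to the crawler. The hostnames and the SWF payload below are constructed for the example and are not a real movie file.

```python
import re
import struct
import zlib
from urllib.parse import urlsplit

# Conservative URL pattern; SWF strings are NUL-terminated, so the match
# naturally stops at the end of each embedded string.
URL_RE = re.compile(rb"https?://[A-Za-z0-9._~:/?#@!$&*+,;=%-]+")


def unwrap_swf(data: bytes) -> bytes:
    """Return the uncompressed SWF body, validating the 8-byte header.

    Header layout: 3-byte signature, 1-byte version, 4-byte little-endian
    uncompressed length (header included).
    """
    if len(data) < 8:
        raise ValueError("too short to be a SWF file")
    signature = data[:3]
    declared_len = struct.unpack("<I", data[4:8])[0]
    if signature == b"FWS":
        body = data[8:]
    elif signature == b"CWS":
        body = zlib.decompress(data[8:])
    elif signature == b"ZWS":
        # LZMA-compressed SWF (Flash 13+); deliberately not handled here.
        raise NotImplementedError("ZWS (LZMA) containers are out of scope for this example")
    else:
        raise ValueError("not a SWF signature")
    # A length mismatch means a truncated or crafted file; refuse rather than guess.
    if len(body) + 8 != declared_len:
        raise ValueError(f"declared length {declared_len} != actual {len(body) + 8}")
    return body


def extract_urls(swf: bytes) -> list[str]:
    """Every distinct http(s) URL string embedded in the SWF, sorted."""
    body = unwrap_swf(swf)
    found = {m.group(0).decode("ascii", "replace") for m in URL_RE.finditer(body)}
    return sorted(found)


def in_scope(urls: list[str], allowed_hosts: set[str]) -> list[str]:
    """Keep only URLs whose host is part of the assessment scope.

    Third-party hosts (CDNs, analytics, partners) are reported but must not be
    crawled; an unscoped spider is how assessments drift onto systems you have
    no authorisation to test.
    """
    return [u for u in urls if urlsplit(u).hostname in allowed_hosts]


def build_sample_swf(compressed: bool) -> bytes:
    """Constructed SWF-like container for the demo (not a playable movie).

    Only the container rules matter to the extractor: signature, version,
    declared length and optional zlib compression of everything after byte 8.
    """
    body = (
        b"\x00\x00\x00\x00"
        b"http://app.example.test/api/balance?acct=\x00"  # constructed, in scope
        b"getURL\x00"
        b"https://cdn.example.test/app.swf\x00"           # constructed, third party
        b"no url here\x00"
        b"http://app.example.test/api/balance?acct=\x00"  # duplicate, deduplicated
    )
    header = (b"CWS" if compressed else b"FWS") + bytes([10]) + struct.pack("<I", 8 + len(body))
    return header + (zlib.compress(body) if compressed else body)


if __name__ == "__main__":
    for compressed in (False, True):
        urls = extract_urls(build_sample_swf(compressed))
        print("compressed" if compressed else "uncompressed", urls)
        print("  crawl queue:", in_scope(urls, {"app.example.test"}))
```

The length check in `unwrap_swf` is the kind of detail a scanner needs: a Flash file served by the target is untrusted input to the scanner itself, so a declared length that disagrees with the decompressed size should abort the parse rather than be silently tolerated.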

Hailstorm 6.0 has also been updated to provide users with real-time, interactive results as the scan is occurring.

“Sometimes, customers have different authentication schemes, where it’s not easy to spider — say, a bank that changes a PIN code every time a user logs in,” Khera said. “So by doing interactive results, they can see results instantly as they walk through the pages.”

Additionally, Cenzic’s results can now be integrated with security vendor Imperva’s Web Application Firewall (WAF). As a result, new issues detected by a vulnerability scan can be shored up with a new WAF rule while the underlying application is being patched.

Khera added that Cenzic is looking at expanding the WAF integration with other WAF vendors over time.

The issue for Cenzic, though, isn’t just about finding new attack vectors but also about ensuring that applications are monitored and assessed for security both when in development and in live production.

“Most companies are focused on testing applications in development, but most in-production applications continue to remain vulnerable,” Khera said.

It’s a problem that Cenzic tried to address in 2007 with its Hailstorm 5.5 release, which introduced integration with VMware virtualization. The basic idea is to take live snapshots of a production Web server and test them in a virtual environment.

Khera said that even with that solution in place, the majority of Cenzic users are not testing live production applications using the virtualization capabilities.

“The issue is that some users are immature in terms of virtualization concepts,” Khera said. “They’re virtualized at the desktop and the server, but when it comes to virtualization at the application level, they are still behind the curve.”
