The problem with doing application vulnerability testing in a live production environment is just that — it’s a live production environment, and if you break something, it could cause a lot of harm.
Yet there is a real need for live production server testing, since new attack vectors and vulnerabilities emerge on an almost-daily basis. The answer to the problem, according to application vulnerability testing vendor Cenzic, is virtualization.
Not surprisingly, it’s the cornerstone of Cenzic’s new Hailstorm 5.5.
“Application security testing is not like running antivirus,” John Weinschenk, president and CEO of Cenzic told InternetNews.com. “If you run antivirus, it warns you that you have a virus and you get rid of it. In application security, when you do attacks against an application, a successful attack could be very harmful to the system itself.”
“Virtualization gives you the ability to take a copy of the production app and test against it,” he said.
Cenzic worked closely with VMware to develop a deep integration between Cenzic’s Hailstorm and two of the virtualization player’s products: Lab Manager, which takes virtual snapshots of an application, and Virtual Center, a management application for virtual machine resources and deployment.
As a result, Hailstorm can test production applications without impacting live performance or data.
Weinschenk explained that Hailstorm 5.5 understands all the applications that are virtualized and knows what applications are available to be attacked. He added that during testing, a user doesn’t have to log directly into the VMware console, either — they can do the testing directly via the Hailstorm interface.
“The real benefit is that now companies can test their application in a seamless virtual environment,” Weinschenk said. “It’s an automated solution, so once you set it up and set the recurrences up, you’re up and running, getting real-time data.”
The catch, though, is that Cenzic’s virtualization capabilities rely on VMware, which users will need to have in place.
Weinschenk said Cenzic’s go-to-market strategy is to approach VMware’s installed customer base. He added that Cenzic and VMware already share customers in many cases.
“We believe we should be able to pull additional VMware sales with our solution as well,” Weinschenk said. “People will want to be able to
Weinschenk declined to comment, however, on whether Cenzic plans to work with Citrix’s XenSource division to integrate with the Xen virtualization solutions.
The Hailstorm 5.5 release also adds new compliance reporting technology for application vulnerability testers.
Weinschenk said the software now includes a summary report for an application test against multiple security compliance specifications, including PCI, GLBA, HIPAA and AB 1950. The report will identify what parts of the specification need to be tested and where the tested application fails compliance.
The release comes as Cenzic faces increasingly deep-pocketed rivals. Its principal competitors in the application security space were both bought out this year by larger vendors, with IBM taking Watchfire and HP snapping up SPI Dynamics.
The previous-generation offering from Cenzic, Hailstorm version 5, provided data integration from both competitors. Weinschenk said neither rival offers comparable virtualization integration yet.
“This [virtualization] is a huge issue and I think this will open the market quite a bit,” Weinschenk said. “I wouldn’t be surprised if our competitors rethink their strategy and try to develop a solution like this.”
Watchfire released its latest software application, AppScan 7.7, in mid-November.