Review: Cenzic Hailstorm ARC 5.0


At a glance, ARC's main summary page is the key to the entire product. There, IT managers can view all of the applications across an entire enterprise. ARC comes with a tool that scans a whole network and finds Web applications. After identifying all of the applications, the ARC software starts collecting Hailstorm test runs.

In addition to displaying all the applications, the graphs on the summary page can show what frequency and level of testing is being performed on applications and whether any security policies have been implemented. The graphs indicate what applications have been tested, which have not been tested within a given period and which new applications are currently untested.

Hailstorm tests are recommended regardless of the changes made to applications. By conducting regular tests, IT managers can determine how applications are being patched. Managers can also use results to evaluate developers and testers.

ARC provides highly structured schedules for managers, who can see what applications are being tested on a weekly, monthly and quarterly basis. The views can change, depending on how IT managers want to scale the graphs. Graphs can also provide granular views to show vulnerabilities.


Whenever developers start testing a new application, the number of vulnerabilities should decrease over time. Because the fixing process is iterative, developers have to go over the same code several times before getting it to an acceptable level. Ultimately, a manager's security policy determines what counts as an acceptable level for source code.

Some companies rely on their security teams to run Hailstorm modules in the ARC interface. These teams are responsible for setting up the service modules while the development team executes the tests. Whether developers have full control over the security test scripts is a trust issue.

ARC gives managers the option to not only verify results independently but also set up the tests. This is a sticky point for many enterprise customers when evaluating RFPs. Solution providers can win or lose a bid simply based on the security methodology they can offer and the level of security support they can provide during a project's life cycle.

Hailstorm application risk metric (HARM) scores are based on the level of vulnerability found in an application. By default, Hailstorm ships with a risk value for each of its exploits. The values reflect how easily attackers can exploit each vulnerability and how much damage each one can cause. The HARM rating is calculated by multiplying the identified vulnerabilities within an application by the level of importance managers assign to that application.

ARC displays both the vulnerability value and the HARM rating. Two applications that have an equal number of vulnerabilities or that score equally on vulnerabilities might not receive equal treatment. One application could be storing sensitive customer data and the other might not. Obviously, managers will give a higher weighting score to the application that stores sensitive data. The two values shown in ARC can help managers determine how to proceed in development, testing stages and in production.

Using HARM scores during development is a good way for solution providers to gain the expertise required to maintain project schedules while managing security. That is a feat in and of itself, especially when writing multitier applications that communicate with many other systems. Security testing is an intensive, iterative process.

Solution providers also can use HARM scores to implement permanent policies during development and before deploying applications. For instance, if an application receives a HARM rating higher than a certain amount or receives one or more high vulnerability scores, solution providers can freeze the code before it is put into production.
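To make the HARM arithmetic and the release-freeze policy above concrete, here is an added example (not Cenzic's code): per-finding risk values are summed into a vulnerability value, multiplied by the manager's importance weighting, and then checked against a gate. The risk values, importance scale and thresholds are constructed for illustration, and summing risk values before multiplying is an assumption about how the product aggregates findings.

```python
from dataclasses import dataclass, field

# Constructed risk values per finding type; Hailstorm ships its own defaults,
# these numbers are illustrative only.
DEFAULT_RISK = {
    "sql_injection": 9,
    "cross_site_scripting": 6,
    "buffer_overflow": 8,
    "information_disclosure": 3,
}


@dataclass
class Application:
    name: str
    importance: int  # manager-assigned weighting (assumed scale 1..5)
    findings: list = field(default_factory=list)  # vulnerability type names


def vulnerability_value(app, risk=DEFAULT_RISK):
    """Sum of the risk values of all identified findings (the 'vulnerability value')."""
    return sum(risk[f] for f in app.findings)


def harm_score(app, risk=DEFAULT_RISK):
    """HARM rating: vulnerability value multiplied by the application's importance."""
    return vulnerability_value(app, risk) * app.importance


def release_gate(app, max_harm=60, high_risk=8, risk=DEFAULT_RISK):
    """Return (allowed, reasons). The build is frozen when HARM exceeds max_harm
    or any single finding carries a risk value at or above high_risk (assumed thresholds)."""
    reasons = []
    score = harm_score(app, risk)
    if score > max_harm:
        reasons.append(f"HARM {score} exceeds {max_harm}")
    high = sorted({f for f in app.findings if risk[f] >= high_risk})
    if high:
        reasons.append("high-risk findings: " + ", ".join(high))
    return (not reasons, reasons)


if __name__ == "__main__":
    # Same findings in both apps; only the one holding customer data is weighted high.
    same = ["cross_site_scripting", "information_disclosure"]
    for app in (Application("marketing-site", 1, same), Application("customer-portal", 5, same)):
        print(app.name, vulnerability_value(app), harm_score(app), release_gate(app))
```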

ARC scores can help solution providers identify weaknesses in development teams. When managing multiple projects, ARC scores can be used to move developers around and to prioritize which applications need more testing.

If an application keeps getting many buffer overflow vulnerabilities during testing, solution providers can shift teams around and bring in more experienced developers.

ARC shows all of Hailstorm's reports and output on its panes, so developers get a step-by-step sequence of each attack, even what input values Hailstorm decided to use. Developers are able to compare how pages are structured both before and after an attack.

Hailstorm provides details on how the server-side code responds to page requests. The Render Response button takes a response and loads it into a browser. The browser receives a cached copy of the attack response, and developers can replay the execution against that cached code. For every attack, Hailstorm also provides recommendations on how to remediate the code.

Solution providers can also offer training to in-house developers based on the number and types of vulnerabilities found during development. For instance, if Hailstorm finds many cross-site scripting vulnerabilities, providers can offer courses on fixing and preventing cross-site scripting flaws.

Managers can use ARC scores in any number of ways to control system-wide development life cycles. Because development stages such as application integration, data resolution and management, orchestration and workflows are all connected by source code, ARC can centralize security testing and promote enterprise-wide security standards.

Right now, ARC can only associate general HARM scores with applications. But Cenzic is planning on adding a hierarchical scoring format so companies can create application groups based on different types of scores.

To work around this limit, project managers can tag applications to fall into specific groups. The tags filter out less critical applications and help determine what issues need to be addressed first. For instance, a tag can determine if all applications are live or what applications must adhere to certain regulatory standards. The filters also can help create views for high-level executives.