APPLICATION SECURITY

Review: Cenzic Hailstorm ARC 5.0


By Mario Morejon, ChannelWeb

12:00 AM EDT Mon. Oct. 22, 2007
From the October 22, 2007 issue of CRN Tech
With the release of version 5.0, the Hailstorm Enterprise ARC Web-based management application can now deploy the Hailstorm security engine across an enterprise. ARC is more than just a portal that manages many Hailstorm engines simultaneously; the software also helps IT managers and developers track and manage insecure code.

At a glance, ARC's main summary page is the key to the entire product. There, IT managers can view all of the applications across an entire enterprise. ARC comes with a tool that scans a whole network and finds Web applications. After identifying all of the applications, the ARC software starts collecting Hailstorm test runs.

In addition to listing all the applications, the graphs on the summary page show how frequently and how thoroughly each application is being tested and whether any security policies have been implemented. The graphs indicate which applications have been tested, which have not been tested within a given period and which newly discovered applications are still untested.

Hailstorm tests are recommended regardless of the changes made to applications. By conducting regular tests, IT managers can determine how applications are being patched. Managers can also use results to evaluate developers and testers.

ARC provides highly structured schedules for managers, who can see what applications are being tested on a weekly, monthly and quarterly basis. The views can change, depending on how IT managers want to scale the graphs. Graphs can also provide granular views to show vulnerabilities.

Whenever developers start testing a new application, the number of vulnerabilities should fall over time. Because the fixing process is iterative, developers have to go over the same code several times before getting it to an acceptable level. Ultimately, a manager's security policy defines what "acceptable" means for the source code.

Some companies rely on their security teams to run Hailstorm modules in the ARC interface. These teams are responsible for setting up the service modules while the development team executes the tests. Whether developers have full control over the security test scripts is a trust issue.

ARC gives managers the option not only to verify results independently but also to set up the tests themselves. This is a sticking point for many enterprise customers when evaluating RFPs. Solution providers can win or lose a bid simply on the security methodology they can offer and the level of security support they can provide during a project's life cycle.

Hailstorm application risk metric (HARM) scores are based on the vulnerability level assigned to each application. By default, Hailstorm ships with a risk value for each of its exploits. The values reflect how easily attackers can exploit each vulnerability and how much damage each one can cause. The HARM rating is calculated by multiplying all of the identified vulnerabilities within an application by the level of importance managers give to that application.
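A small model of the HARM calculation and of the summary-page coverage view described above, added here as an illustration and not Cenzic's own code. The 1-to-5 ease and damage scales, the risk = ease x damage rule, the per-application importance weights and the 30-day testing window are all assumptions; the findings and test dates are constructed sample data.

```python
from dataclasses import dataclass
from datetime import date


@dataclass(frozen=True)
class Finding:
    app: str
    exploit: str
    ease: int    # assumed scale: 1 (hard to exploit) .. 5 (trivial)
    damage: int  # assumed scale: 1 (minor) .. 5 (severe)

    @property
    def risk(self) -> int:
        # Assumed default risk value: ease of exploitation times potential damage.
        return self.ease * self.damage


def harm_score(findings, importance):
    """HARM model: total risk of the identified vulnerabilities, weighted by app importance."""
    return importance * sum(f.risk for f in findings)


def rank_applications(findings, importance_by_app):
    """Group findings per application and return (app, score) pairs, highest HARM first."""
    by_app = {}
    for f in findings:
        by_app.setdefault(f.app, []).append(f)
    scored = {app: harm_score(fs, importance_by_app.get(app, 1)) for app, fs in by_app.items()}
    return sorted(scored.items(), key=lambda kv: kv[1], reverse=True)


def coverage_status(discovered_apps, last_tested_by_app, today, window_days=30):
    """Summary-page view: 'tested' within the window, 'stale' if older, 'untested' if never run."""
    status = {}
    for app in discovered_apps:
        last = last_tested_by_app.get(app)
        if last is None:
            status[app] = "untested"
        elif (today - last).days <= window_days:
            status[app] = "tested"
        else:
            status[app] = "stale"
    return status


# Constructed sample data: findings from three discovered Web applications.
SAMPLE_FINDINGS = [
    Finding("payroll", "sql-injection", ease=4, damage=5),
    Finding("payroll", "reflected-xss", ease=5, damage=3),
    Finding("intranet-wiki", "reflected-xss", ease=5, damage=3),
    Finding("public-blog", "path-traversal", ease=3, damage=4),
]
SAMPLE_IMPORTANCE = {"payroll": 3, "public-blog": 2, "intranet-wiki": 1}
SAMPLE_LAST_TESTED = {"payroll": date(2007, 10, 10), "intranet-wiki": date(2007, 8, 1)}
```

Running `rank_applications(SAMPLE_FINDINGS, SAMPLE_IMPORTANCE)` puts payroll first because its importance weight multiplies an already high risk total, while `coverage_status` flags public-blog as discovered but never tested.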
