
Using HARM scores during development is a good way for solution providers to gain the expertise required to maintain project schedules while managing security. That is a feat in and of itself, especially when writing multitier applications that communicate with many other systems. Security testing is an intensive, iterative process.
Solution providers also can use HARM scores to implement permanent policies during development and before deploying applications. For instance, if an application receives a HARM rating higher than a certain amount or receives one or more high vulnerability scores, solution providers can freeze the code before it is put into production.
ARC scores can help solution providers identify weaknesses in development teams. When managing multiple projects, ARC scores can be used to move developers around and to prioritize which applications need more testing.
If an application keeps getting many buffer overflow vulnerabilities during testing, solution providers can shift teams around and bring in more experienced developers.
ARC shows all of Hailstorm's reports and output on its panes, so developers get a step-by-step sequence of each attack, even what input values Hailstorm decided to use. Developers are able to compare how pages are structured both before and after an attack.
Hailstorm provides details on how the server code reacts to each page request it sends. The Render Response button takes a captured response and loads it into a browser: the browser receives a cached copy of the attack's result, so developers can replay the execution against the cached code. With every attack, Hailstorm also provides recommendations on how to remediate the code.
Solution providers can also offer training to in-house developers based on the number and types of vulnerabilities found during development. For instance, if Hailstorm finds many cross-site scripting vulnerabilities, providers can offer courses on preventing cross-site scripting.
Managers can use ARC scores in any number of ways to control system-wide development life cycles. Because development stages such as application integration, data resolution and management, orchestration and workflows are all connected by source code, ARC can centralize security testing and promote enterprise-wide security standards.
Right now, ARC can only associate general HARM scores with applications. But Cenzic is planning on adding a hierarchical scoring format so companies can create application groups based on different types of scores.
To work around this limit, project managers can tag applications so that they fall into specific groups. The tags filter out less critical applications and help determine which issues need to be addressed first. For instance, a tag can mark which applications are live or which must adhere to certain regulatory standards. The filters also can be used to create views for high-level executives.
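The release freeze described above (a HARM rating above a threshold, or any high vulnerability score, blocks promotion to production), the tag-based filtering, and the training-needs idea can be expressed as a small policy gate. This is an added illustration, not Cenzic's code; the HARM scale, the freeze threshold of 70, the severity labels and the tag names are all assumptions, and the scan results are constructed.

```python
from dataclasses import dataclass, field

HARM_FREEZE_THRESHOLD = 70  # assumed: freeze code at or above this HARM score
HIGH_SEVERITIES = {"high", "critical"}  # assumed severity labels

@dataclass
class Finding:
    category: str  # e.g. "xss", "buffer overflow"
    severity: str  # "low", "medium", "high" or "critical" (assumed labels)

@dataclass
class AppScan:
    name: str
    harm_score: int
    findings: list = field(default_factory=list)
    tags: set = field(default_factory=set)  # e.g. "live", "pci" (assumed tag names)

def freeze_reasons(scan):
    """Policy violations that block promotion to production (empty list = pass)."""
    reasons = []
    if scan.harm_score >= HARM_FREEZE_THRESHOLD:
        reasons.append(f"HARM score {scan.harm_score} >= {HARM_FREEZE_THRESHOLD}")
    high = [f for f in scan.findings if f.severity in HIGH_SEVERITIES]
    if high:
        reasons.append(f"{len(high)} high-severity finding(s)")
    return reasons

def prioritize(scans, required_tags=frozenset()):
    """Keep only scans carrying every required tag, then order frozen applications
    first and, within each group, by descending HARM score."""
    selected = [s for s in scans if required_tags <= s.tags]
    return sorted(selected, key=lambda s: (not freeze_reasons(s), -s.harm_score))

def training_needs(scans, min_count=3):
    """Vulnerability categories seen at least min_count times across all scans;
    these are candidates for targeted developer training."""
    counts = {}
    for s in scans:
        for f in s.findings:
            counts[f.category] = counts.get(f.category, 0) + 1
    return {c: n for c, n in counts.items() if n >= min_count}

# Constructed sample scan results (not real Hailstorm output)
SAMPLE = [
    AppScan("billing", 82, [Finding("xss", "high"), Finding("xss", "medium")], {"live", "pci"}),
    AppScan("intranet-wiki", 35, [Finding("xss", "low")], {"internal"}),
    AppScan("storefront", 55, [Finding("buffer overflow", "critical"), Finding("xss", "low")], {"live"}),
]
```

Running `prioritize(SAMPLE, frozenset({"live"}))` returns the live applications with the frozen, highest-HARM one first, which is the executive view the article describes.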
