WebApp Sec mailing list archives

Re: Spi's products worth a try? Or any suggestions for developers' tool?


From: "App Master" <appmasterzero () hotmail com>
Date: Mon, 07 Nov 2005 16:04:59 -0500

Aman,

Cenzic's Hailstorm has also received great reviews. In my experience it's the most accurate tool available for auditing a web application for security vulnerabilities. Gives you lots of control. It would be very useful for your developers to use to scan their applications. Hailstorm itself doesn't do source code scanning, but it excels in statefully testing a web application for vulnerability, and in this regard, you will find its results reliable and second to none.

Please allow me to explain:

When you manually test an application, it's time consuming, but it has the advantage of greater accuracy than you ordinarily get out of an ordinary off-the-shelf "App Scanner." You see, a lot of security products are just like machine guns that fire strings at an application and then grep the HTML for another response string. This is the reason that after you run them it takes so long to verify if the results are correct or not, because it's mostly pure signature matching -- stateless -- of raw HTML and server response codes, without any visibility as to what is occurring in the browser (at the application level), or if the application is causally or statefully affected by injected values.

Hailstorm does it differently, using what you might think of as active payloads. It monitors what each injected payload does and then monitors browser memory (it uses a baked-in version of Mozilla) to trap when code or events execute in the application space as a result of its actions. This is a world of difference from other black-box tools. Hailstorm also uses fairly advanced AI when it comes to analyzing server behavior: heuristics, causal and behavior triggers, a significant number of configuration options for advanced tuning. I like it because it gives me better, more accurate, more actionable results. Period. I am certain it would benefit your team.

Check it out at: www.cenzic.com

Thanks

Appman Zero
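As an added example for this thread (not code from the original post, and not Cenzic's or Hailstorm's code), the script below models the distinction the post draws between a stateless "grep the HTML for the string" scanner and a check of what actually happened to the injected value in the page. Given the inert probe a scanner sent and the raw response body, it reports whether the probe came back entity-encoded (a harmless echo, which a signature-only scanner still flags) or raw, and in which HTML context it landed, which is the information a developer needs to decide whether output encoding is missing. The probe token, the helper names and the sample responses are all constructed for the example.

```python
"""Triage helper for 'grep the response' scanner hits.

Added example, not from the original post or from Cenzic/Hailstorm.
PROBE, the function names and SAMPLES are constructed for illustration.
"""

PROBE = "<zq7triage>"                  # constructed, inert probe string
PROBE_ENCODED = "&lt;zq7triage&gt;"    # how a correctly escaping page echoes it


def naive_hit(body: str) -> bool:
    """What a signature-only scanner reports: the token appears somewhere."""
    return "zq7triage" in body


def context_before(prefix: str) -> str:
    """Classify the HTML context at the end of `prefix` (text before the probe)."""
    low = prefix.lower()
    # An open <script> without a later </script> means we are in script text.
    if low.rfind("<script") > low.rfind("</script"):
        return "script"
    last_lt, last_gt = prefix.rfind("<"), prefix.rfind(">")
    if last_lt > last_gt:  # a start tag was opened and not yet closed
        inside_quotes = prefix[last_lt:].count('"') % 2 == 1
        return "attribute" if inside_quotes else "tag"
    return "text"


def triage(body: str) -> dict:
    """Report whether and how the probe is reflected in `body`.

    'actionable' is True only when the probe came back without encoding,
    i.e. the page echoed attacker-controlled characters unchanged.
    """
    raw_idx = body.find(PROBE)
    enc_idx = body.find(PROBE_ENCODED)
    if raw_idx == -1 and enc_idx == -1:
        return {"naive_hit": naive_hit(body), "reflected": False}
    if raw_idx == -1:
        return {
            "naive_hit": True,
            "reflected": True,
            "encoded": True,
            "context": context_before(body[:enc_idx]),
            "actionable": False,
        }
    return {
        "naive_hit": True,
        "reflected": True,
        "encoded": False,
        "context": context_before(body[:raw_idx]),
        "actionable": True,
    }


# Constructed sample responses, one per case the triage distinguishes.
SAMPLES = {
    "escaped_text": "<p>You searched for &lt;zq7triage&gt;</p>",
    "raw_text": "<p>You searched for <zq7triage></p>",
    "raw_attribute": '<input value="<zq7triage>">',
    "raw_script": '<script>var q = "<zq7triage>";</script>',
    "no_reflection": "<p>No results.</p>",
}


def triage_all(samples: dict = SAMPLES) -> dict:
    """Run triage over every sample and return the results keyed by name."""
    return {name: triage(body) for name, body in samples.items()}


if __name__ == "__main__":
    for name, result in triage_all().items():
        # Show the naive verdict next to the context-aware one.
        print(f"{name:14} naive={result['naive_hit']!s:5} {result}")
```

Run against the samples, the naive check flags four of the five responses; the context-aware check marks only the three raw reflections as actionable and tells the developer whether the value landed in body text, an attribute value or a script block, while the entity-encoded echo is reported as a false positive.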
