Friday, June 22, 2007

Rolling Reviews: Cenzic's Hailstorm

Jordan Wiens of Network Computing (survived the layoffs) has released round two of the Rolling Reviews of Web Applications Scanners. This time up is Cenzic's Hailstorm Enterprise Application Risk Controller and Jordan is again not pulling any punches. He covers the products Ajax support, interface aesthetics, vulnerability identification, false positives, and reporting prioritization.

5 comments:

Jordan said...

Btw -- it's Wiens, though I see Weins with such frequency that I've considered just changing my name to that instead of fighting it. In fact, I think the magazine still has it spelled wrong online in a few places. ;-)

Just as a heads up for anyone who is subscribed to NWC in print -- the 25th issue with this review is the last print issue of Network Computing. We'll be moving to all online, though some of our stories will be printed in some new sections of Information Week.

But the good news is these web app reviews will keep coming! I'm working on N-Stalker and Watchfire now, and if I ever get the last few sets of credentials over to White Hat, I might even be able to finish that article too!

Also, if anybody wants to send feedback or comments about the reviews, please drop me an email at jwiens-(at)-nwc-(dot)-com. When all the individual reviews are done there will be a final wrapup piece comparing all the different products and approaches, so get yet comments in soon!

Anonymous said...

what is my comment

Anonymous said...

Writing web applications scanners reviews is good thing which will be useful for Internet community. There are some such reviews already (which I found this and last year), but there is necessity of quality reviews. So I hope these reviews (Cenzic's Hailstorm, SPI Dynamics WebInspect and future reviews) will be useful.

About Cenzic software you can make resume (about scanner's quality) from my post. As I wrote at my site http://websecurity.com.ua/588/ in last year I found hole at Cenzic's site search (they are using picosearch.com). Holes at web site (web application) of security company is very demonstrative.

Three months later after I informed them, I found that they fixed hole but incompletely (and forgot to thanks me which is typical). The hole can be used via small code modification. And only today, two months later after that, I see that they fixed vuln completely at last. Everyone will can make conclusions from this incident.

Jeremiah Grossman said...

@Jordan, oops sorry about that. I went back on correct a couple of my posts. Damn, that copy/paste.

Jordan said...

It's not a big deal. Thanks for the fix though.

I wasn't exaggerating about NWC.

Results 1 - 9 of 9 from networkcomputing.com for weins. (0.20 seconds)