John Weinschenk: Providing penetration testing services at lower cost and in less time
The growth and proliferation of the dynamic Web creates a conundrum for companies. Web applications are designed to make customers and partners visit and interact. This is how they buy your product, interact with you, gather valuable information, and carry out many other critical business processes. Use of this technology greatly enhances business opportunities. On the other hand, the openness of Web applications offers attackers an avenue to critical back-end databases that are not otherwise reachable from the outside. The threat to Web applications is heightened because attackers are no longer merely mischievous; they are motivated by profit. Today's attacker is out to steal something, be it money, corporate secrets, or user data. This changing threat environment raises the stakes and makes Web application security an imperative.

To protect Web-based applications, enterprises are addressing the security symptoms by installing application firewalls, using Web-based authentication and authorization, adding encryption, and patching commercial software. Like any defense-in-depth strategy, these mechanisms are important, but in a Web environment they don't get to the root of the problem: the dynamic capabilities of Web applications and the basic design and actual implementation of the code. As Web applications become more complex and automated, there is a greater probability that an application will have inherent security flaws waiting to be exploited. Web applications are rarely developed with security in mind, or security is an aspect that gets overlooked because of go-to-market pressures. Even with the best of intentions, application security often suffers because developers don't have strong security training, quality assurance methods may not concentrate on security functionality, and hurried development schedules can reduce the amount of testing performed.
While the need for Web application security is very compelling, many organizations have not budgeted for application security testing. Because the spending associated with software is spread across Information Security, software development and quality assurance departments, it is sometimes difficult to find a buyer for the software. The challenge for this market is that many companies have not included security within their software development lifecycles. The best way to confront both of these problems is with education and awareness. There are considerable efforts within the industry and from organizational groups to raise awareness of the need for Web application security. These efforts, along with increasing fear of regulatory compliance violations for poor Web-site protection, should lead to increasing funding levels.
Name: John Weinschenk
Title: President and CEO
Likes to be called: John
Company: Cenzic
Cenzic Provides Next-Generation Web Application Testing:

Information security managers and directors are faced with the enormous responsibility of keeping web applications secure from hackers. The ever-growing number of security threats and an increasing body of governmental regulations are overwhelming information security teams. With web applications constantly evolving, finding vulnerabilities is a challenging, costly and time-consuming undertaking. The solution is automated security assessment products that leverage stateful processing to comprehensively examine web applications and reveal vulnerabilities in hours rather than weeks. These products help information security teams quickly identify problems, regularly assess web application security strength and ensure regulatory compliance.

Web Application Security Vulnerabilities

Web applications are growing in size and complexity. Despite their sophistication, web applications are designed to respond to simple HTTP requests. These requests can put applications and confidential information at risk because attackers can hide attacks inside well-formed requests that pass through secured networks and intrusion detection systems. Once a malicious request reaches a web application, it can exploit vulnerabilities within the application itself. Some of the top web application vulnerabilities include:

• Unvalidated input
• Broken access control
• Broken authentication and session management
• Cross-site scripting (XSS) flaws
• Buffer overflows
• Injection flaws
• Improper error handling
• Insecure storage
• Insecure configuration management

Web application security vulnerabilities are very prevalent. Recently, hackers invaded databases at information industry giant LexisNexis and gained access to more than 30,000 accounts containing personal data such as names, addresses, Social Security numbers and driver's license information. Additionally, payroll-service provider PayMaxx recently exposed the Social Security numbers and related data of more than 25,000 people for tax year 2004. Nearly every day there is a new attack against a web application.

Web Application Vulnerability Testing Challenges

Failing to protect web applications exposes companies to information theft, unhappy customers and stiff penalties when they are not in compliance with regulatory requirements. Even when companies do take steps to protect against web application hacking, they often face overwhelming workloads or exorbitant security assessment outsourcing costs.

Consequences of Forgoing Vulnerability Testing

Loss of critical customer data and violations of government regulations are two of the largest consequences of bypassing web application vulnerability testing.

Information theft: Data theft takes many forms, including siphoning money from banks and financial institutions, exploiting e-commerce sites to conduct unauthorized transactions and accessing back-end databases with priceless stores of data. Information theft can force corporations to make financial restitution and lead to customer loss.

Non-compliance: Web applications that are not in compliance with government regulations, such as Sarbanes-Oxley, GLBA, SB 1386 and HIPAA, can expose the company to severe penalties. With new regulations on the horizon, corporations need a way to assess and respond quickly to regulatory requirements.

The Burden of Testing

Performing regular security assessments on web applications, exposing vulnerabilities and quickly fixing them are complicated undertakings.

Staff overload: Running internal security assessments on web applications is a time-consuming burden on internal information security staff. Skilled hackers have far outstripped the ability of information security staff to deal with them. Testing and securing web applications is more complex than network security. Just one web application may contain tens of thousands of lines of code and countless dynamic interactions between components, making finding security vulnerabilities an extremely daunting task.

Exorbitant costs: When companies can't adequately test and protect their web applications in-house, they must outsource the job to application assessment consultants. Because qualified consultants are rare and very expensive, testing complex web applications for vulnerabilities manually can be very costly and time consuming. Enterprises can easily spend millions of dollars each year on manual penetration testing that covers only a small fraction of their web applications. Even a smaller company can easily spend $25,000 to $50,000 to test an average-sized web application a single time, with no assured level of consistency.

Brief Breakdown of Cenzic's enterprise software and services:

Cenzic provides enterprise software and services for automated application security assessment and policy compliance testing that allow corporations and government organizations to dramatically improve the security of commercial and custom applications. Hailstorm enables security experts, QA professionals, and developers to work together to assess, analyze, and remediate applications for security vulnerabilities, and to verify compliance with security policies. Using a Stateful Assessment™ approach, Hailstorm is able to provide highly accurate results with minimal false positives. Cenzic ClickToSecure™ is a managed service that allows customers to leverage the power of Hailstorm by having Cenzic run remote assessments without any software or hardware installation.

The company provides the following products and services:

Cenzic Hailstorm® enables security experts, QA professionals, and developers to work together to assess, analyze, and remediate applications for security vulnerabilities. Hailstorm benefits include reduced security risk and liability, lower development and testing costs, and faster time-to-market. Hailstorm provides comprehensive coverage of a wide variety of attacks that goes beyond the basic coverage of buffer overflow, XSS and SQL injection and includes application logic tests, session management attacks, and regulatory compliance tests for PCI, GLBA, HIPAA, SB 1386, AB 1950, and many others. In addition, Hailstorm's Stateful Assessment approach provides a comprehensive solution to test all commercial and custom applications.

Cenzic ClickToSecure™ service is a software-as-a-service (SaaS) offering that combines the functionality of an enterprise-class application security assessment product with the flexibility of a managed security service. Cenzic takes its managed service seriously and takes extra steps to ensure that customers feel comfortable outsourcing their application security testing to Cenzic. Some of these special considerations include: (1) all Cenzic employees must pass a thorough background check; (2) a secure infrastructure with full data protection; (3) automated tests combined with analysis from security consultants; (4) a free re-test for fixed vulnerabilities.

Cenzic Assessment Methodology completes the solution with a business process consulting service to help customers improve their application security methodologies. Cenzic's current focus includes the financial services, e-retail, healthcare, high-tech, and government sectors.

Problem Overview

Web-based applications are proliferating, and their availability presents an irresistible temptation to hackers. Web applications contain vulnerabilities in a myriad of forms. For example, a common attack is SQL injection, which involves altering the content submitted via a form by inserting unexpected text, such as logic-altering SQL code, so that the application builds a query the developer never intended, often resulting in unrestrained database access.
Challenges assessing web application vulnerabilities include:

• Application vulnerabilities are growing every month: The growth of web application vulnerabilities far outstrips information security professionals' ability to deal with them.
• Web applications are growing in complexity: Web applications are rapidly growing in number and complexity, making it extremely difficult and costly to test and secure even a small percentage of a company's most critical web applications.
• Web application security professionals are hard to find: The majority of information security professionals do not understand the complexities of application security.
• Existing staff are overloaded: Security personnel are already overworked, which often means web application security is a low priority.
• Cost: Outsourcing web application security assessment to outside consultants is extremely costly.

The Solution: Stateful Security Assessment Automation for Web Applications

Stateful security assessment automation performs rapid and comprehensive web application penetration testing by emulating an army of hackers. Next-generation automation solutions use stateful methods to produce accurate results: the assessment tool behaves like a hacker working through the application's dynamic responses to find vulnerabilities. Testing within a changing online environment, rather than against a static snapshot of the site, yields high accuracy and low false positives. Where manual penetration testing projects take weeks or months, stateful assessment solutions can achieve the same or better results in hours. Stateful assessment finds vulnerabilities in real time, automates the same tasks performed by manual testers and works across a variety of development platforms. It recreates the steps a hacker would take to exploit vulnerabilities, yet does so in a fraction of the time. Stateful assessment employs a software fault injection methodology: it submits attack inputs and observes the resulting interactions among web application components to identify vulnerabilities.

Benefits of Stateful Assessment Solutions

Stateful security assessment automation offers dramatic benefits, including:

Protects data from theft: Stateful assessment guards web applications against information theft by exposing vulnerabilities that hackers might exploit and returning clear and complete remediation information. It helps companies find and fix problems before any harm is done.

Ensures regulatory compliance: Stateful assessment also helps companies meet regulatory compliance requirements by correlating tests to specific regulations. Because stateful assessment is policy-based, businesses can also direct the solution to test whether an application meets corporate compliance guidelines.

Eliminates reliance on costly experts: Stateful assessment removes the dependence on scarce, trained web security assessment professionals. Automation lets businesses simply repeat security assessments each time a web application is upgraded, reduces human error and significantly reduces false positive results.

Additional benefits include:

• Replaces inefficient and error-prone scanning tools
• Streamlines the testing of application updates via auditable and repeatable processes
• Reduces the time needed for security testing by an order of magnitude

What to Look For in a Stateful Assessment Solution

Testing web application security is critical, and so is choosing the right solution. Be sure to look for the following:

• Stateful testing: Seek a solution that can perform cause-and-effect analysis across multiple application components to reveal hidden vulnerabilities.
• Constantly updated capabilities: Hackers work hard to find new vulnerabilities. Seek a vendor that constantly researches new vulnerabilities, frequently updates its policy library and regularly distributes updates to customers.
• In-house research lab: The ideal vendor should have a security vulnerability research lab that monitors and researches security vulnerabilities on a daily basis.
• Reusable components: Look for a modular architecture that leverages reusable components, allowing a company to streamline additional assessments by reusing tasks, settings and baseline results.
• Advanced fault injection techniques: Look for a solution that can inject thousands of vulnerability strings and monitor application responses with powerful detection technology.
• Navigates complex applications: Stateful assessment products must be able to navigate through even the most detailed and lengthy web applications, including complex session management, JavaScript and deep business logic.
• Automated and comprehensive navigation: Look for a product built around an advanced engine that automatically and thoroughly navigates through all web pages. Many web applications contain thousands of pages, and the assessment tool must reach them all.
• Targeted reporting: The ideal solution should produce highly targeted, concise and accurate reports. Look for the ability to customize reports for executive, managerial and technical audiences.
• Customizable product: The ideal stateful assessment tool should offer policies that allow organizations to modify security assessments or attack objects.

Cenzic's Hailstorm Solution

Cenzic Hailstorm® automates penetration testing for off-the-shelf and custom-developed web applications. With a patent-pending fault-injection and detection technology and a pre-crafted attack objects library, Hailstorm gives businesses the power to test applications for security vulnerabilities, internal security policy enforcement and regulatory compliance. Hailstorm automates the process of application penetration testing with highly accurate and comprehensive results and enables security experts, quality assurance professionals and software developers to work together to secure web-based applications throughout the software lifecycle. Based on Stateful Assessment™ technology, Hailstorm helps businesses perform comprehensive penetration testing in a fraction of the time and at a lower cost than outsourcing to experts. The solution is highly extensible and repeatable, and offers internal policy compliance testing. Moreover, Hailstorm is extremely accurate, handles complex application interactions and is built on a modular architecture.

Highly Accurate Assessments

Hailstorm's sophisticated heuristics and advanced algorithms return highly accurate results. Hailstorm's stateful, process-oriented detection technology uses software fault injection to insert thousands of vulnerability strings into a web application. These comprehensive tests check and double-check vulnerability results for accuracy and validation, correctly identifying combinations of vulnerabilities that hackers would chain together to launch serious exploits. Hailstorm eliminates the need for expensive outsourced consultants. In addition, the solution's customized, accurate and focused reports can generate executive, manager and technical information. Hailstorm's accurate remediation reports allow maintenance engineers to confidently perform the necessary fixes.

Navigates Complex Applications

Hailstorm can test JavaScript-rich web applications and is optimized for complex session management, business logic and the advanced interactions that large web applications depend on. Hailstorm is the only Stateful Assessment solution that efficiently locates all web application pages and navigates through their entire logic structure, testing for vulnerabilities throughout the entire application.
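The following Python program is an added illustration, not Cenzic code and not a description of how Hailstorm is built. It models the two techniques the page describes: the SQL injection attack on a form field (Problem Overview), and stateful software fault injection, where attack strings are submitted and the responses examined while the session is carried from request to request so that pages behind a login are actually exercised. The target application, its credentials, the payload list and the error signatures are all constructed for the example; the "web app" is an in-process function rather than a real HTTP server so that it runs offline.

```python
"""Toy stateful fault-injection scan against a constructed, deliberately
vulnerable 'web app'. Illustration only: not a real scanner or product.
The app is modelled as an in-process function so the example runs offline."""
import sqlite3
import uuid
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass
class Response:
    status: int
    body: str
    set_cookie: Optional[str] = None   # session id handed out by /login


class VulnerableApp:
    """Constructed login-gated /search endpoint with a concatenated SQL query."""

    def __init__(self) -> None:
        self.db = sqlite3.connect(":memory:")
        self.db.execute("CREATE TABLE users (id INTEGER, name TEXT, ssn TEXT)")
        self.db.executemany("INSERT INTO users VALUES (?, ?, ?)",
                            [(1, "alice", "123-45-6789"), (2, "bob", "987-65-4321")])
        self.sessions: set = set()

    def lookup(self, name: str) -> list:
        # Vulnerable on purpose: user input is pasted into the SQL text.
        return self.db.execute(
            f"SELECT id, name FROM users WHERE name = '{name}'").fetchall()

    def handle(self, path: str, params: Dict[str, str], cookies: Dict[str, str]) -> Response:
        if path == "/login":
            if params.get("user") == "demo" and params.get("pass") == "demo":   # demo creds
                sid = uuid.uuid4().hex
                self.sessions.add(sid)
                return Response(302, "see /search", set_cookie=sid)
            return Response(401, "bad credentials")
        if cookies.get("sid") not in self.sessions:
            return Response(302, "see /login")      # everything else needs a session
        if path == "/search":
            try:
                return Response(200, f"results: {self.lookup(params.get('name', ''))}")
            except sqlite3.Error as exc:
                return Response(500, f"Database error: {exc}")   # leaks the DB error
        return Response(404, "not found")


class HardenedApp(VulnerableApp):
    """Same app with the fix that matters: a parameterised query."""

    def lookup(self, name: str) -> list:
        return self.db.execute(
            "SELECT id, name FROM users WHERE name = ?", (name,)).fetchall()


# Constructed attack strings and response signatures used by the scanner.
PAYLOADS = ["'", "' OR '1'='1", '" OR "1"="1']
ERROR_SIGNATURES = ("Database error", "syntax error", "unrecognized token")


class Scanner:
    """Fault injector. With stateful=True it carries the session cookie
    across requests, so pages behind the login are actually reached."""

    def __init__(self, app: VulnerableApp, stateful: bool = True) -> None:
        self.app = app
        self.stateful = stateful
        self.cookies: Dict[str, str] = {}

    def request(self, path: str, params: Dict[str, str]) -> Response:
        resp = self.app.handle(path, params, self.cookies)
        if self.stateful and resp.set_cookie:
            self.cookies["sid"] = resp.set_cookie   # remember the session
        return resp

    def login(self, user: str, password: str) -> Response:
        return self.request("/login", {"user": user, "pass": password})

    def fuzz_param(self, path: str, param: str, benign: str = "alice") -> List[Tuple[str, str]]:
        """Submit each payload in `param`, compare with a benign baseline,
        and classify the response. Returns (payload, verdict) pairs."""
        baseline = self.request(path, {param: benign})
        findings = []
        for payload in PAYLOADS:
            resp = self.request(path, {param: payload})
            if resp.status == 302:
                findings.append((payload, "not reached: bounced to login"))
            elif any(sig in resp.body for sig in ERROR_SIGNATURES):
                findings.append((payload, "error-based SQL injection indicator"))
            elif resp.status == 200 and resp.body != baseline.body and "bob" in resp.body:
                findings.append((payload, "tautology injection: rows for other users returned"))
            else:
                findings.append((payload, "no indicator"))
        return findings


def run_scan(app: VulnerableApp, stateful: bool) -> List[Tuple[str, str]]:
    """Log in, then fuzz the name parameter of /search."""
    scanner = Scanner(app, stateful=stateful)
    scanner.login("demo", "demo")
    return scanner.fuzz_param("/search", "name")


if __name__ == "__main__":
    for label, app, stateful in [("stateless scan, vulnerable app", VulnerableApp(), False),
                                 ("stateful scan, vulnerable app", VulnerableApp(), True),
                                 ("stateful scan, hardened app", HardenedApp(), True)]:
        print(label)
        for payload, verdict in run_scan(app, stateful):
            print(f"  {payload!r:16} -> {verdict}")
```

Running it shows the point the page makes about statefulness: the scanner that drops the session cookie is redirected to the login page on every request and reports nothing, a false negative rather than a clean bill of health; the stateful scanner reaches /search and flags the single quote (error leaked in the response) and the tautology string (a second user's row appears). The double-quoted payload fires nothing because the injection point is single-quoted, which is why a real tool needs a large, context-aware payload library rather than three strings. Against the hardened app every payload returns "no indicator". A production scanner would also diff responses far more carefully than this string comparison and would not rely on an error-message list this short.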
Leverages an Advanced Architecture

Hailstorm's modular architecture enables policy-based operations and reusable components. Cenzic's security vulnerability research lab constantly updates Hailstorm's vulnerability tests and regularly distributes updates to customers.

CONCLUSIONS

No one can dispute the power of Web applications to improve business processes and to offer expanded opportunities to serve customers, business partners, and employees. The dynamic nature of Web applications offers users unique experiences. However, the dark side of this technology is that, if it is improperly implemented, people with malicious intent can turn this same technology against the enterprise to cause considerable damage, both financially and to a company's reputation. Nearly 1 in 5 businesses, both large and small, report that hackers have exploited flaws in their Web applications.

To protect themselves, enterprises have turned to many different security technologies that front-end the Web applications. Enterprises also need to implement security controls within their software development life cycle so that vulnerabilities can be eliminated before a program becomes operational. In the long run this has security benefits, but it also improves software quality and thus reduces the number of patches and modifications required. Organizations need to begin implementing a Web application software development life-cycle program, and they should investigate the available solutions in this space and budget for such products. There's too much at stake for enterprises to take a cavalier attitude towards Web application security.

When evaluating application vulnerability assessment and penetration testing tools, enterprises should select solutions, such as Cenzic Hailstorm or Cenzic ClickToSecure, that integrate with the software development life cycle and accurately discover known attacks, but also have the capability to understand the inner workings of the Web applications to uncover unknown attacks. This way, enterprises can handle both security and policy compliance issues while benefiting from multiple delivery options.

Cenzic Software & Services in Action: California Identity Theft Laws and Application Security

An April 2002 security breach at California's Stephen P. Teale Data Center triggered public outrage. It eventually led to California's security breach notification law, SB 1386. SB 1386 calls for notification of California residents following some kinds of security breaches. On January 1, 2005, California legislation called AB 1950 went into effect. It requires businesses to protect certain "personal information." A steady wave of security breaches involving the theft or loss of personal information in 2005 underscores the vulnerability of personal information to hackers seeking identity theft targets. It is likely that incident response costs, legal fees, and the losses from tarnished reputations imposed enormous costs on the organizations falling prey to these security breaches.

AB 1950 addresses companies owning or licensing certain personal information about California residents. These companies must implement reasonable security procedures and practices to prevent the unauthorized access, destruction, use, modification, or disclosure of that personal information. SB 1386 requires businesses and state agencies to notify California residents of breaches in the security of certain "personal information" in computerized records. Other states have enacted legislation similar to SB 1386. Federal legislation is pending in Congress.

Application security and automated tools to assess application security vulnerabilities protect computerized information accessible through web-enabled applications. Accordingly, application security tools are crucial for preventing unauthorized access, destruction, use, modification, or disclosure of personal information available through web applications, as required by AB 1950. The Cenzic Hailstorm® solution helps companies comply with AB 1950, because companies can use automated processes to assess risk, check for vulnerabilities, and test code and controls during software development for the purpose of preventing unauthorized access, destruction, use, modification, or disclosure of personal information. Also, companies that successfully prevent security breaches have no breaches to report under SB 1386 or similar laws, and the Hailstorm solution is a key tool for preventing breaches from occurring.
Cenzic Provides Next-Generation Web Application Testing:
Information security managers and directors are faced with the enormous responsibility of keeping web applications secure from the menace of hackers. The ever-growing number of security threats and an increasing body of governmental regulations are overwhelming information security teams. With web applications constantly evolving, finding vulnerabilities is a challenging, costly and time-consuming undertaking.
The solution is automated security assessment products that leverage stateful processing to comprehensively examine web applications and reveal vulnerabilities in hours rather than weeks. These powerful solutions help information security teams quickly identify problems, regularly assess web application security strength and ensure regulatory compliance. Web Application Security Vulnerabilities
Web applications are growing in size and complexity. Despite their sophistication, web applications are designed to respond to simple HTTP requests. These requests can put applications and confidential information at risk as hackers can shield attacks with legal requests that pass through secured networks and intrusion detection systems. Once a malicious request interacts with a web application, it can attack via vulnerabilities within the web application. Some of the top web application vulnerabilities include: • Unvalidated input • Broken access control • Broken authentication and session management • Cross-site scripting (XSS) flaws • Buffer overflows • Injection flaws • Improper error handling • Insecure storage • Insecure configuration management Web application security vulnerabilities are very prevalent. Recently, hackers invaded databases from information industry giant LexisNexis and gained access to more than 30,000 accounts containing personal data such as names, addresses, Social Security numbers and driver's license information. Additionally, payroll- service provider PayMaxx recently exposed the Social Security numbers and related data of more than 25,000 people for tax year 2004. Nearly every day there is a new attack against a web application. Web Application Vulnerability Testing Challenges The consequences of failing to protect web applications expose companies to information theft, unhappy customers and stiff penalties when organizations are not in compliance with regulatory requirements. Even when companies do take steps to protect against web application hacking, they often face overwhelming workloads or exorbitant security assessment outsourcing costs. Consequences of Forgoing Vulnerability Testing Loss of critical customer data and violations of government regulations are two of the largest consequences of bypassing web application vulnerability testing. 
Information theft: Data theft takes many forms, including siphoning money from banks and financial institutions, exploiting e-commerce sites to conduct unauthorized transactions and accessing back-end databases with priceless stores of data. Information theft can force corporations to make financial restitutions and lead to customer loss. Non-compliance: Web applications that are not in compliance with government regulations, such as Sarbanes-Oxley, GLBA, SB 1386 and HIPAA, can result in severe corporate penalties. With new regulations on the horizon, corporations need a way to assess and respond quickly to regulatory requirements.
The Burden of Testing Performing regular security assessments on web applications, exposing vulnerabilities and quickly fixing them are complicated undertakings. Staff overload: Running internal security assessments on web applications is a time-consuming burden on internal information security staff. Skilled hackers have far outstripped the ability of information security staff to deal with them. Testing and securing web applications is more complex than network security. Just one web application may contain tens of thousands of lines of code and countless dynamic interactions between components, making finding security vulnerabilities an extremely daunting task. Exorbitant costs: When companies can’t adequately test and protect their web applications in-house, they must outsource the job to application assessment consultants. Because qualified consultants are rare and very expensive, testing complex web applications for vulnerabilities manually can be very costly and time consuming. Enterprises can easily spend millions of dollars each year on manual penetration testing that covers only a small fraction of their web applications. Even a smaller company can easily spend $25,000 to $50,000 to test an average-sized web application a single time with no assured level of consistency.
Brief Breakdown of Cenzic’s enterprise software and services:
Cenzic provides breakthrough enterprise software and services for automated application security assessment and policy compliance testing that allow corporations and government organizations to dramatically improve the security of commercial and custom applications. Hailstorm enables security experts, QA professionals, and developers to work together to assess, analyze, and remediate applications for security vulnerabilities, and verify compliance with security policies. Using a Stateful Assessment™ approach, Hailstorm is able to provide highly accurate results with minimal false positives. Cenzic ClickToSecure™ is a managed service that allows customers to leverage the power of Hailstorm by having Cenzic run remote assessments without any software or hardware installation.
The company provides the following products and services:
Cenzic Hailstorm® enables security experts, QA professionals, and developers to work together to assess, analyze, and remediate applications for security vulnerabilities. Hailstorm benefits include reduced security risk and liability, lower development and testing costs, and faster time-to-market. Leveraging its breakthrough technology, Hailstorm provides a comprehensive coverage of wide variety of attacks that go beyond the basic coverage of Buffer Overflow, XSS, and SQL Injection and includes application logic tests, session management attacks, and regulatory compliance tests for PCI Compliance, GLBA, HIPAA, SB1386, AB1950, and many others. In addition, Hailstorm’s Stateful Assessment approach provides a comprehensive solution to test all commercial and custom applications.
Cenzic ClickToSecure™ service is a software-as-a-service (SaaS) offering that combines the functionality of an enterprise-class application security assessment product with the flexibility of a managed security service. Cenzic takes its managed service seriously and takes extra steps to ensure that customers feel comfortable in outsourcing its application security testing to Cenzic. Some of these special considerations include: (1) all Cenzic employees have to get a thorough background check ; (2) Secure infrastructure with full data protection; (3) Automated tests combined with analysis from security consultants; (4) Free re-test for fixed vulnerabilities.
Cenzic Assessment Methodology completes the solution with a state-of-the-art business process consulting service to help customers improve their application security methodologies. Cenzic's current focus includes financial services, e-retail, healthcare, high-tech, and government sectors.
Problem Overview Web-based applications are proliferating and their availability present irresistible temptations to hackers. Web applications contain vulnerabilities in a myriad of forms. For example, a common hacker attack is SQL injection, which involves altering the expected content submitted via a form by inserting unexpected text, such as logic altering SQL code, often resulting in unrestrained database access. Challenges assessing web application vulnerabilities include: • Application vulnerabilities are growing every month: The growth of web application vulnerabilities far outstrips information security professionals' ability to deal with them. • Web applications are growing in complexity: Web applications are rapidly growing in number and complexity, making it extremely difficult and costly to test and secure even a small percentage of a company's most critical web applications. • Web application security professionals are hard to find: The majority of information security professionals do not understand the complexities of application security. • Existing staff are overloaded: Security personnel are already overworked; often meaning web application security is a low priority. • Cost: Outsourcing web application security assessment to outside consultants is extremely costly.
The Solution: Stateful Security Assessment Automation for Web Applications Stateful security assessment automation performs rapid and comprehensive web application penetration testing by emulating an army of hackers. Next-generation automation solutions utilize stateful methods to produce accurate results. Leveraging automation, a stateful assessment solution acts as if it were a hacker working through dynamic web responses to find vulnerabilities. The ability to test within a changing online environment results in very high accuracy and extremely low false positives. Where manual penetration testing projects take weeks or months to accomplish, stateful assessment solutions can achieve the same or better results in hours. Stateful assessment finds vulnerabilities in real time, automates the same tasks performed by manual testers and works across a variety of development platforms. Stateful assessment recreates the exact steps a hacker would take to exploit vulnerabilities, yet does it in a fraction of the time. Stateful assessment employs a software fault injection methodology that observes the interactions among web application components to identify vulnerabilities.
Benefits of Stateful Assessment Solutions

Stateful security assessment automation offers dramatic benefits, including:

Protects data from theft: Stateful assessment guards web applications against information theft by exposing vulnerabilities that hackers might exploit and returns clear and complete remediation information. Stateful assessment helps companies find and fix problems before any harm is done.

Ensures regulatory compliance: Stateful assessment also helps companies meet regulatory compliance requirements by correlating tests to specific regulations. Because stateful assessment is policy-based, businesses can also direct the solution to test whether an application meets corporate compliance guidelines.

Eliminates reliance on costly experts: Stateful assessment eliminates the need to bring in trained web security assessment professionals for every test. Automation allows businesses to simply repeat security assessments each time a web application is upgraded, removes a source of human error and significantly reduces false positive results.

Additional benefits include:
• Replaces inefficient and error-prone scanning tools
• Streamlines the testing of application updates via auditable and repeatable processes
• Reduces the time needed for security testing by an order of magnitude

What to Look For in a Stateful Assessment Solution

Testing web application security is critical, and so is choosing the right solution. Be sure to look for the following:
• Stateful testing: Seek a solution that can perform cause-and-effect analysis across multiple application components to reveal hidden vulnerabilities.
• Constantly updated capabilities: Hackers work hard to find new vulnerabilities. Seek a vendor that constantly researches new vulnerabilities, frequently updates its policy library and regularly distributes updates to customers.
• In-house research lab: The ideal vendor should have a state-of-the-art security vulnerability research lab that monitors and researches security vulnerabilities on a daily basis.
• Reusable components: Look for a modular architecture that leverages reusable components, allowing a company to streamline additional assessments by reusing tasks, settings and baseline results.
• Advanced fault injection techniques: Look for a solution that can inject thousands of vulnerability strings and monitor the application's responses with powerful detection technology.
• Navigates complex applications: Stateful assessment products must be able to navigate through even the most detailed and lengthy web applications, including complex session management, JavaScript and deep business logic.
• Automated and comprehensive navigation: Look for a product built around an advanced engine that automatically and thoroughly navigates through all web pages. Many web applications contain thousands of pages, and the assessment tool must reach them all.
• Targeted reporting: The ideal solution should produce highly targeted, concise and accurate reports. Look for the ability to customize reports for executive, managerial and technical audiences.
• Customizable product: The ideal stateful assessment tool should offer policies that allow organizations to modify security assessments or attack objects.

Cenzic's Hailstorm Solution

Cenzic Hailstorm® automates penetration testing for off-the-shelf and custom-developed web applications. With a unique patent-pending fault-injection and detection technology and a pre-crafted attack objects library, Hailstorm gives businesses the power to test applications for security vulnerabilities, internal security policy enforcement and regulatory compliance. Hailstorm automates the process of application penetration testing with highly accurate and comprehensive results and enables security experts, quality assurance professionals and software developers to work together to secure web-based applications throughout the software lifecycle. Based on Stateful Assessment™ technology, Hailstorm helps businesses perform comprehensive penetration testing in a fraction of the time and at a lower cost than outsourcing to experts. The solution is highly extensible, repeatable and offers internal policy compliance testing. Moreover, Hailstorm is extremely accurate, handles complex application interactions and is built on a modular architecture.
Highly Accurate Assessments

Hailstorm’s sophisticated heuristics and advanced algorithms return highly accurate results. Hailstorm’s stateful, process-oriented detection technology uses software fault injection to insert thousands of vulnerability strings into a web application. These comprehensive tests check and re-check vulnerability results for accuracy and validation, correctly identifying combinations of vulnerabilities that hackers would chain together to launch serious exploits. Hailstorm eliminates the need for expensive outsourced consultants. In addition, the solution's customized, accurate and focused reports can be generated for executive, manager and technical audiences. Hailstorm’s accurate remediation reports allow maintenance engineers to perform the necessary fixes with confidence.

Navigates Complex Applications

Hailstorm can test JavaScript-rich web applications and is optimized for complex session management, business logic and the advanced interactions that large web applications depend on. Hailstorm is the only Stateful Assessment solution that efficiently locates all web application pages and navigates through their entire logic structure, testing for vulnerabilities throughout the whole application.

Leverages an Advanced Architecture

Hailstorm’s modular architecture enables policy-based operations and reusable components. Cenzic’s state-of-the-art security vulnerability research lab constantly updates Hailstorm's vulnerability tests and regularly distributes updates to customers.
CONCLUSIONS
No one can dispute the power of Web applications to improve business processes and to offer expanded opportunities to serve customers, business partners, and employees. The dynamic nature of Web applications offers users unique experiences. However, the dark side of this technology is that, if it is improperly implemented, people with malicious intent can turn it against the enterprise to cause considerable damage, both financially and to the company's reputation. Nearly 1 in 5 businesses, both large and small, report that hackers have exploited flaws in their Web applications.
To protect themselves, enterprises have turned to many different security technologies that front-end the Web applications. Enterprises also need to implement security controls within their software development life cycle so that vulnerabilities are eliminated before a program becomes operational. In the long run this has security benefits, but it also improves software quality and thus reduces the number of patches and modifications required. Organizations need to begin implementing a Web application software development life-cycle program, and they should investigate the available solutions in this space and budget for such products. There's too much at stake for enterprises to take a cavalier attitude towards Web application security. When evaluating application vulnerability assessment and penetration testing tools, enterprises must select solutions, such as Cenzic Hailstorm or Cenzic ClickToSecure, that integrate with the software development life cycle and accurately discover known attacks, but that also have the capability to understand the inner workings of the Web applications to uncover unknown attacks. This way, enterprises can handle both security and policy compliance issues, while benefiting from multiple delivery options.

Cenzic Software & Services in Action: California Identity Theft Laws and Application Security
An April 2002 security breach at California’s Stephen P. Teale Data Center triggered public outrage. It eventually led to California’s security breach notification law called SB 1386. SB 1386 calls for notification of California residents following some kinds of security breaches. On January 1, 2005, California legislation called AB 1950 went into effect. It requires businesses to protect certain “personal information.” A steady wave of security breaches involving the theft or loss of personal information in 2005 underscores the vulnerability of personal information to hackers seeking identity theft targets. It is likely that incident response costs, legal fees, and the losses from tarnished reputations imposed enormous costs on the organizations falling prey to these security breaches.
AB 1950 addresses companies that own or license certain personal information about California residents. These companies must implement reasonable security procedures and practices to prevent the unauthorized access, destruction, use, modification, or disclosure of that personal information. SB 1386 requires businesses and state agencies to notify California residents of breaches in the security of certain “personal information” in computerized records. Other states have enacted legislation similar to SB 1386. Federal legislation is pending in Congress.
Application security, and automated tools that assess application security vulnerabilities, protect computerized information that is accessible through web-enabled applications. Accordingly, application security tools are crucial for preventing the unauthorized access, destruction, use, modification, or disclosure of personal information available through web applications, as required by AB 1950. The Cenzic Hailstorm® solution helps companies comply with AB 1950 because companies can use automated processes to assess risk, check for vulnerabilities, and test code and controls during software development for the purpose of preventing unauthorized access, destruction, use, modification, or disclosure of personal information. Also, companies that successfully prevent security breaches have no breaches to report under SB 1386 or similar laws, and the Hailstorm solution is a key tool for preventing breaches from occurring.
Cenzic ClickToSecure is the only managed service for application security assessment that uses a Stateful Assessment approach. The service is delivered using the Cenzic Hailstorm product. With a strong technology platform and professional security experts, Cenzic is able to deliver highly accurate, thorough, fast and extremely cost-effective results with no software or hardware installation. Since the service uses Cenzic’s software product, customers can transition the program back in-house at any point with the full software solution.

Cenzic addresses these challenges head-on by making it easy for organizations to purchase Hailstorm. The company sells just the one product and doesn't break it into pieces to cover the different software life-cycle segments; Cenzic isn't concerned with whether the product is used in development, in production, or for compliance validation. It also offers flexible pricing models, with user-based or application-based pricing depending on customers’ needs. This pricing simplicity makes it easier for a user to purchase and use the product without worrying about which licensing method it was purchased under.

The ClickToSecure service also provides customers with buying flexibility. Many companies are interested in outsourcing their testing to a solid vendor because of the lower total cost of ownership (TCO) and a lack of in-house security expertise. Cenzic ClickToSecure appeals to many companies for the following reasons:
• Cenzic does a thorough background check of all of its employees and provides a secure infrastructure for its ClickToSecure service.
• Cenzic delivers a complete report on vulnerabilities, combining automation with detailed analysis from its security experts.
• Customers have the option to migrate to the software at any point, with all of their jobs saved in the product.

Most other products on the market use a signature-based scanning technique. That approach is handicapped by the fact that there is no uniform signature for the success of cookie substitution, reuse, or theft as it relates to access control: whether a replayed or substituted cookie actually succeeded can only be judged by comparing the application's response with what a legitimate session and an anonymous visitor receive, and different applications respond in their own unique manner to attacks of this sort. Signature-based tools must therefore rely on external tool-kits or widgets that perform only one small part of the testing process, leaving the remainder to be done manually. Hailstorm's Session Management SmartAttacks are unique in the industry: because most other products implement signature-based scanning, they are unable to test for session management vulnerabilities, and Cenzic’s Stateful Assessment approach makes it a unique offering in the industry for being able to do so. While most application security companies provide basic protection and coverage, touching on common vulnerabilities such as buffer overflow, SQL injection and cross-site scripting, Cenzic provides premium protection, going beyond this basic coverage to include tests for session management, phishing, authentication bypass, application logic, and custom attack objects.
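The following is an added example, written for this page rather than taken from Hailstorm's SmartAttacks, of what a stateful session-management check looks like in practice. Because there is no fixed signature for a successful cookie replay, each check first records the responses a legitimate session and an anonymous visitor receive, then replays or substitutes a cookie and compares. The DemoApp class is a constructed in-process stand-in for a web application; its three switches model whether the application invalidates sessions at logout, rotates the session id at login, and checks resource ownership. A real tester would send the same request sequence over HTTP and compare the responses the same way.

```python
"""Added example: stateful checks for session-management flaws (session reuse
after logout, session fixation, cookie substitution across users). Written for
this page, not Cenzic's code. DemoApp is a constructed stand-in for a web
application so the checks run offline; every check compares responses against
baselines the tester recorded itself, not against a fixed signature."""
import secrets


class DemoApp:
    """In-process stand-in for a web application. The three flags model fixes
    that a real application may or may not have."""

    def __init__(self, invalidate_on_logout=True, rotate_on_login=True, check_owner=True):
        self.invalidate_on_logout = invalidate_on_logout
        self.rotate_on_login = rotate_on_login
        self.check_owner = check_owner
        self.sessions = {}                                   # session id -> user (None = anonymous)
        self.users = {"alice": "wonderland", "bob": "builder"}  # constructed demo credentials
        self.balances = {"alice": 120, "bob": 75}            # constructed per-user data

    def home(self, cookie=None):
        """Any visit gets a session cookie, even before login, as many frameworks do."""
        if cookie not in self.sessions:
            cookie = secrets.token_hex(8)
            self.sessions[cookie] = None
        return 200, "welcome", cookie

    def login(self, user, password, cookie=None):
        if self.users.get(user) != password:
            return 401, "bad credentials", cookie
        if self.rotate_on_login or cookie not in self.sessions:
            cookie = secrets.token_hex(8)                    # fresh id after authentication
        self.sessions[cookie] = user
        return 200, "logged in", cookie

    def logout(self, cookie):
        if self.invalidate_on_logout:
            self.sessions.pop(cookie, None)                  # server-side state destroyed
        return 200, "logged out", cookie

    def account(self, owner, cookie):
        """GET /account/<owner>: must only be served to the logged-in owner."""
        user = self.sessions.get(cookie)
        if user is None:
            return 302, "redirect to login"
        if self.check_owner and user != owner:
            return 403, "forbidden"
        return 200, "balance for %s: %d" % (owner, self.balances[owner])


def check_reuse_after_logout(app):
    """Finding if a cookie still yields the authenticated page after logout."""
    _, _, c = app.login("alice", "wonderland")
    authed = app.account("alice", c)          # baseline: alice's view while logged in
    app.logout(c)
    return app.account("alice", c) == authed  # replay the old cookie and compare


def check_fixation(app):
    """Finding if the pre-authentication session id survives login."""
    _, _, pre = app.home()
    _, _, post = app.login("alice", "wonderland", cookie=pre)
    return pre == post


def check_cookie_substitution(app):
    """Finding if alice's cookie, replayed against bob's resource, returns bob's data."""
    _, _, ca = app.login("alice", "wonderland")
    _, _, cb = app.login("bob", "builder")
    bobs_view = app.account("bob", cb)        # baseline: bob's own view
    return app.account("bob", ca) == bobs_view


def run_session_checks(app):
    """Returns the names of the failed checks; empty when the app passes all three."""
    checks = {"session reuse after logout": check_reuse_after_logout,
              "session fixation": check_fixation,
              "cookie substitution": check_cookie_substitution}
    return [name for name, fn in checks.items() if fn(app)]


if __name__ == "__main__":
    print("hardened:", run_session_checks(DemoApp()))
    print("no logout invalidation:", run_session_checks(DemoApp(invalidate_on_logout=False)))
```

None of the three checks inspects the body of the response for a known string; each asks only whether the response to the replayed or substituted cookie is identical to the one a legitimate session received. That is why the same checks work against applications that answer a rejected cookie with a redirect, a 403 page, or an empty account view.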
Mr. Weinschenk currently serves as President and CEO of Cenzic. Prior to joining Cenzic, John was the Vice President of the Enterprise Services Group at VeriSign, where he held worldwide responsibility for marketing VeriSign's authentication, digital trust, and wireless services to Global 1000 companies, and forged several alliances with strategic partners. Before VeriSign, he served as CEO at TransIndigo, where he shaped it into one of the leading developers of real-time transactional authority. Prior to that, John established numerous pivotal business deals and relationships while holding various executive positions at Entegrity Solutions, including VP of Business Development and Alliances, VP of Product Operations, and VP of Worldwide Marketing. John was also the Director of Business Strategy at HAL Computer Systems. John holds an MBA from Fairleigh Dickinson University and a BS in engineering from Union College. John is also a graduate of Stanford University's Executive Management Program. John has delivered many keynote addresses and talks at the most important conferences and trade shows in the technology sector. Some of John’s most recent speaking engagements in the past year and in the coming months include the CSI NetSec conference, NYS Cyber Security Conference and Software Test & Performance.
Cenzic, Inc. 455 El Camino Real Suite 100 Santa Clara, CA 95050 USA
Copyright © 2006 Silicon Valley Communications - All rights reserved.