Tomorrow's Technology Today - Vulnerability Assessment

California Identity Theft Laws And Application Security; AB 1950, SB 1386, and Beyond

Current Scenario: An April 2002 security breach at California’s Stephen P. Teale Data Center triggered public outrage.  It eventually led to California’s security breach notification law called SB 1386. On January 1, 2005, California legislation called AB 1950 went into effect.  It requires businesses to protect certain “personal information.”  A steady wave of security breaches involving the theft or loss of personal information in 2005 underscores the vulnerability of personal information to hackers seeking identity theft targets.  It is likely that incident response costs, legal fees, and the losses from tarnished reputations imposed enormous costs on the organizations falling prey to these security breaches.

Technology

Tomorrow's Technology Today: Application security and automated tools to assess application security vulnerabilities protect computerized information accessible through web-enabled applications.  Accordingly, application security tools are crucial for preventing unauthorized access, destruction, use, modification, or disclosure of personal information available through web applications, as required by AB 1950.  The Cenzic Hailstorm® solution helps companies comply with AB 1950, because companies can use automated processes to assess risk, check for vulnerabilities, and test code and controls during software development for the purpose of preventing unauthorized access, destruction, use, modification, or disclosure of personal information.  Also, companies that successfully prevent security breaches have no breaches to report under SB 1386 or similar laws, and the Hailstorm solution is a key tool for preventing breaches from occurring.

Cenzic Hailstorm software provides a solution to businesses seeking to secure Web applications in an automated fashion with limited staff and time to perform testing.

Hailstorm is an enterprise product that uses a Stateful Assessment™ approach.  Businesses implementing Web applications can use Hailstorm to perform automated security quality assurance checks on their applications.  Hailstorm’s automated testing checks for vulnerabilities known in the industry.  In addition, it can make use of user-defined tests for detection of vulnerabilities to attacks, such as phishing, circumvention of access controls, and code injection.

Hailstorm software helps businesses with Web applications protect personal information.  The automated checks it performs expose vulnerabilities and thus help to prevent unauthorized access, destruction, use, modification, or disclosure as required by AB 1950.  It is true that Hailstorm is only one solution and technical security control in an overall security program and AB 1950 compliance effort.  Nonetheless, it plays a crucial role for companies with Web applications.
 
Further, companies successfully preventing security breaches through the rigorous testing made possible by Hailstorm have no breaches to report to customers under laws like SB 1386. Also, Cenzic has created a package of policies addressing SB 1386.  It checks for vulnerabilities associated with unauthorized access or disclosure of sensitive data, such as personal information.  For example, one policy checks whether forms are submitted to a Web application unencrypted, when the application should be using SSL.
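The unencrypted-form policy described above can be illustrated with a small check of the same kind. This is an added example, not Cenzic's code or a Hailstorm policy; it assumes a constructed sample page and a hypothetical page URL, and flags any form whose resolved submission target is not https, rating it higher when a password field would travel in the clear.

```python
# Added example (not Cenzic's code): flag HTML forms whose submission
# target is plain http://, so the submitted fields would go unencrypted.
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit


class FormCollector(HTMLParser):
    """Collect each <form>'s action and the names/types of its inputs."""

    def __init__(self):
        super().__init__()
        self.forms = []
        self._current = None

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            self._current = {"action": a.get("action") or "", "inputs": []}
            self.forms.append(self._current)
        elif tag == "input" and self._current is not None:
            name, kind = a.get("name") or "", (a.get("type") or "text").lower()
            self._current["inputs"].append((name, kind))

    def handle_endtag(self, tag):
        if tag == "form":
            self._current = None


def find_unencrypted_forms(page_url, html):
    """Return one finding per form that would submit over plain HTTP.
    The action is resolved relative to page_url, as a browser would, so an
    https page whose form posts to an absolute http:// URL is still caught."""
    parser = FormCollector()
    parser.feed(html)
    findings = []
    for form in parser.forms:
        target = urljoin(page_url, form["action"])
        if urlsplit(target).scheme != "https":
            sensitive = [n for n, t in form["inputs"] if t == "password"]
            findings.append({"action": target,
                             "sensitive_fields": sensitive,
                             "severity": "high" if sensitive else "medium"})
    return findings


# Constructed sample page (hypothetical host): a login form that posts to
# http:// and a search form that stays on the https origin.
SAMPLE_URL = "https://www.example.com/account"
SAMPLE_HTML = """
<form action="http://www.example.com/login" method="post">
  <input name="user"><input name="pass" type="password">
</form>
<form action="/search"><input name="q"></form>
"""
```

Running `find_unencrypted_forms(SAMPLE_URL, SAMPLE_HTML)` reports only the login form, with the password field named and severity high.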

In addition to facilitating compliance, Hailstorm provides crucial benefits for businesses deploying Web applications.  Most importantly, Hailstorm allows businesses with Web applications to obtain the results of manual penetration testing at a fraction of the cost.

Furthermore, automated checking permits developers to test for vulnerabilities more frequently throughout the development lifecycle of Web applications, and in a more closely controlled manner.  Not only can checking be done more frequently, Hailstorm makes it more practical to test earlier in the development lifecycle, saving development and testing costs.

Hailstorm provides a single, consistent security control during the development process.  Its ability to check and recheck for vulnerabilities facilitates change control.  If the business procuring the Web application uses a third party to develop the code, Hailstorm again assists in providing a disciplined control during the development.  The business can use Hailstorm as an assessment tool to ensure the developer is creating secure code.

Hailstorm also saves time for otherwise busy security staff members and prevents them from becoming bottlenecks during development.  Security professionals can use their knowledge to design tests, manage the review process, and review the test results.  They don’t need to conduct and repeat manual tests themselves.  QA engineers can use Hailstorm to perform the tests in an automated fashion instead of taking up the time of security professionals.

Even after development or procurement, once the Web application goes live on production systems, the business can use Hailstorm for continued assessment of the application’s security in the production environment.  Any new vulnerabilities uncovered can inform changes in security policies for appropriate responses, can motivate code changes, and can help in the design of new tests for additional future assessments.

The Cenzic Intelligence Lab (CIA) continually develops new attack objects.  Cenzic provides these objects to customers as updates on a regular basis.  Because 75 to 100 new application vulnerabilities appear every month, the updates from Cenzic’s CIA permit customers to stay ahead of new developments.

Some of Cenzic’s customers don’t have in-house expertise or aren’t ready to deploy a product.  For these customers, Cenzic offers a very convenient remote assessment service called ClickToSecure™.  Customers using this service provide the host name of the application they want to assess, and Cenzic takes care of the rest.  Customers receive a professional report with a complete analysis of vulnerabilities in their applications, along with tips on fixing vulnerabilities.

Conclusion: Hailstorm allows businesses with Web applications to obtain the results of manual penetration testing at a fraction of the cost, saves time for otherwise busy security staff members, and prevents them from becoming bottlenecks during development.  Security professionals can use their knowledge to design tests, manage the review process, and review the test results, no longer needing to conduct and repeat manual tests themselves.

Cenzic
455 El Camino Real Suite 100
Santa Clara, CA 95050 USA
Tel: +1 866-4-CENZIC (866-423-6942)

Copyright © 2006 Silicon Valley Communications - All rights reserved.