News
6/27/2006 11:10 AM

Cenzic's Hailstorm: Augment Your Web Security Toolbox

The updated vulnerability assessment tool can scan Ajax-enabled sites and applications for a wide range of security weaknesses.

The Dirt on AJAX Security

In our tests, Hailstorm correctly detected a wealth of conventional vulnerabilities. When we directed Hailstorm to scan live sites that use AJAX, the product discovered several authentication and authorization vulnerabilities. These holes were no surprise to us. Most AJAX-enabled sites are implemented with no real thought about security. AJAX developers aren't aware of the need for authorization at the function level; instead, they authorize access only at the application level. The number of dynamically generated URLs and the core mechanism through which AJAX communicates with back-end servers provide many opportunities for anyone bent on hacking a site.
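The authorization gap described above, as an added example that is not code from Cenzic, Hailstorm or the sites reviewed: an AJAX-style dispatcher that checks only for a valid login (application-level authorization), beside one where every server-side function declares which roles may call it (function-level authorization), plus a small check of the kind a scanner performs, asking which sensitive functions a low-privilege session can actually execute. The session tokens, roles and function names are constructed for illustration.

```python
"""Added example, not code from Cenzic or Hailstorm: why a single
application-level login gate is not enough for AJAX-style endpoints,
and how per-function authorization closes the hole.

Everything here (session tokens, roles, function names) is constructed
for illustration."""
from dataclasses import dataclass, field
from typing import Optional

# Constructed session table: token -> (username, role)
SESSIONS = {"tok-alice": ("alice", "admin"), "tok-bob": ("bob", "user")}

@dataclass
class Request:
    token: Optional[str]    # session token sent with the page's XMLHttpRequest
    function: str           # server-side function named in the request
    params: dict = field(default_factory=dict)

def current_user(req):
    return SESSIONS.get(req.token)

# Two sample back-end functions; delete_user is the sensitive one.
def list_orders(params):
    return {"orders": ["order-1", "order-2"]}

def delete_user(params):
    return {"deleted": params.get("name")}

# --- Weak design: one login check guards the whole application --------
# Any logged-in user can reach any function: authorization only at the
# application level, the pattern the review describes.
WEAK_FUNCTIONS = {"list_orders": list_orders, "delete_user": delete_user}

def weak_dispatch(req):
    if current_user(req) is None:
        return 401, {"error": "login required"}
    fn = WEAK_FUNCTIONS.get(req.function)
    if fn is None:
        return 404, {"error": "no such function"}
    return 200, fn(req.params)

# --- Hardened design: each function declares the roles allowed -------
HARD_FUNCTIONS = {
    "list_orders": ({"admin", "user"}, list_orders),
    "delete_user": ({"admin"}, delete_user),
}

def hard_dispatch(req):
    user = current_user(req)
    if user is None:
        return 401, {"error": "login required"}
    entry = HARD_FUNCTIONS.get(req.function)
    if entry is None:
        return 404, {"error": "no such function"}
    allowed, fn = entry
    if user[1] not in allowed:          # function-level authorization
        return 403, {"error": "forbidden"}
    return 200, fn(req.params)

# --- Check: which sensitive functions does a low-privilege token reach?
def reachable_by(dispatch, token, functions):
    """Return the names in `functions` that `dispatch` executes (HTTP 200)
    for the session `token`. Run with a low-privilege token against a
    list of admin-only functions; anything returned is a missing check."""
    hits = []
    for name in functions:
        status, _ = dispatch(Request(token, name))
        if status == 200:
            hits.append(name)
    return hits

if __name__ == "__main__":
    print("weak:", reachable_by(weak_dispatch, "tok-bob", ["delete_user"]))
    print("hardened:", reachable_by(hard_dispatch, "tok-bob", ["delete_user"]))
```

The weak dispatcher lets Bob, an ordinary user, execute delete_user because the only decision it makes is "is this session logged in?". The hardened dispatcher makes the authorization decision per function, which is the remediation the review points at. Because `reachable_by` really executes whatever it reaches, a check like this belongs in a test environment, where a 200 on an admin-only function is a finding rather than a lost record.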

Hailstorm only detects vulnerabilities, but its explanations and thorough remediation options help address security holes in both AJAX and conventional Web applications. XML and SOA security vendors such as Forum Systems, Layer 7, Reactivity and DataPower focus on SOAP security, but they have also always been able to secure pure XML over HTTP. In other words, once Hailstorm identifies the vulnerabilities, you have several product-based remediation options beyond tossing the app back to the developers.

Hailstorm is offered as a software solution with both user and application pricing models, and as a managed service called ClickToSecure, which is priced on a per-application basis. Both models can be purchased as subscriptions or on a perpetual basis. ClickToSecure subscribers can seamlessly migrate from the Software as a Service solution to a corporate deployment at any time. Pricing is comparable to Teros (recently acquired by Citrix) and SPI Dynamics' WebInspect, and the inclusion of AJAX-specific functionality makes it worth the price.

Lori MacVittie is a Network Computing senior technology editor working in our Green Bay, Wis., labs. Write to her at lmacvittie@nwc.com.
