A couple of weeks back, I had a chance to converse with Mandeep Khera, Vice President of Marketing for web application security vendor Cenzic. The company provides testing tools for systems administrators, allowing the overworked to scan their web software for potential security vulnerabilities.
There are a myriad of products to test your applications for holes, but Cenzic takes the process to a higher level. Their base application, Hailstorm, tests for all the generic stuff like open ports, unpatched software, etc. Then, they dive into the application itself, beating it for cross-site scripting, cross-frame scripting, buffer overflow exploits, SQL disclosure, Windows command injection, and on and on and on. The output is an extremely detailed report, noting the number and type of vulnerabilities, grouped by security policy type and by Cenzic’s opinion of severity. Basic testing scripts are reusable as changes are made to systems, so auditors can make minor modifications to coincide with changes to the app itself. The database of vulnerabilities/tests is updated as often as the user likes.
Not to be outdone by the growing number of services offering remote testing, Cenzic is now pushing that as well, under the new “ClickToSecure” name. Their service uses the same testing library as their flagship Hailstorm product, but with a lower cost of ownership (and application of service fees towards a Hailstorm purchase should you decide to take the process back in-house). Best of all, Cenzic thinks the web is only going to be safe when everyone has filled in their holes, so they are offering a one-time ClickToSecure scan to anyone who wants one, good through September.
Yea, you are probably asking yourself what Spamroll is doing plugging some company, but I say these guys impressed me. And by the way, up until now I was using a competing vendor for this kind of testing. I was offered the same free audit that Cenzic is presently providing to any server off the street, but after the hour chat and WebEx demo, I think I am going to round-a-bout with my crew and do a little more hammering on our application before we let Cenzic loose on it.
In other words, these guys know their stuff, and I’d hate to get embarrassed (I can do that any old day just by putting my foot in my mouth like I usually do).