
Published 19th June 2008
Santa Clara, Calif. – June 16, 2008 – Cenzic, the leading provider of Web application security vulnerability assessment and risk management solutions, today announced its 5.7 release of Cenzic Hailstorm Enterprise ARC (Application Risk Controller) and Cenzic Hailstorm Professional products with several new features. Hailstorm 5.7 meets the June 30 compliance deadline for PCI Requirement 6.6 and is an aid to organizations working to comply with this demanding Web security requirement...
The intent of PCI Council Requirement 6.6 is to ensure that Web applications exposed to the public Internet are protected against the most common types of malicious input. According to the council, the two options for code review are manual Web application security vulnerability assessment and proper use of automated Web application vulnerability assessment tools. Cenzic, a PCI Council Approved Scanning Vendor (ASV), offers an automated assessment solution both through its Software as a Service (SaaS) offering, ClickToSecure, and through the new Hailstorm release, which provides a comprehensive suite of tests to secure Web applications.
Several new enhancements are available in Hailstorm 5.7, including much stronger Web Services support, PCI Compliance reporting, a new user interface for the ARC Desktop Client, and numerous usability and workflow improvements for the ARC dashboard, including customizable dashboard charts, customizable report configurations, advanced email alerts and various other changes. Cenzic updates its SmartAttack™ library at least once per week. In addition, Cenzic has introduced five significant new SmartAttacks into the product suite that provide protection against the latest security vulnerabilities in the industry.
“Securing Web applications is one of the primary issues security professionals face today and the looming PCI deadline emphasizes this point for e-commerce sites,” said Mike Montecillo, analyst at Enterprise Management Associates. “Mapping smart attacks to specific sections of the API requirement is an innovative approach and allows for a thorough security assessment for all applications on a continuous basis.”
The five new SmartAttacks that have been integrated into the release are:
- Cross-Site Request Forgery – This SmartAttack finds vulnerabilities that let an attacker cause a user to unknowingly transmit unauthorized commands. Cross-Site Request Forgery (CSRF) is an attack vector that enables an attacker to send arbitrary HTTP or HTTPS requests from a victim user's browser. The attack exploits the trust that a site places in a particular authenticated user.
- Ineffective Session Termination – This SmartAttack discovers cases where a user session is not properly terminated on logout, permitting unauthorized access to that session afterwards.
- Session ID Identification – Determines the exact parameter(s) used by the application to hold the session ID(s).
- Application Path Disclosure – Reports each page where malicious input can trigger an internal application error that reveals specific path information.
- Platform Path Disclosure – Reports each page with platform-level path disclosure vulnerabilities.
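As an added illustration of what the Ineffective Session Termination check above looks for (example code, not part of the Cenzic release or the original announcement), the following constructs a minimal in-memory session layer in two variants: a weak logout that only tells the client to drop its cookie, and a fixed logout that also invalidates the server-side session. The check logs in, logs out, then replays the old session ID and reports whether the server still honours it. All class and function names are this example's own.

```python
import secrets
from typing import Dict, Optional


class SessionStore:
    """Constructed stand-in for a web application's server-side session table."""

    def __init__(self) -> None:
        self.sessions: Dict[str, str] = {}  # session id -> username

    def login(self, user: str) -> str:
        sid = secrets.token_hex(16)  # unpredictable session id
        self.sessions[sid] = user
        return sid

    def whoami(self, sid: str) -> Optional[str]:
        # Returns the user bound to the session id, or None if unknown/expired
        return self.sessions.get(sid)


class WeakApp(SessionStore):
    """Ineffective termination: logout clears the cookie client-side only."""

    def logout(self, sid: str) -> Dict[str, str]:
        # Server-side entry is left intact, so a replayed sid still works
        return {"Set-Cookie": "sid=; Max-Age=0"}


class FixedApp(SessionStore):
    """Proper termination: logout also destroys the server-side session."""

    def logout(self, sid: str) -> Dict[str, str]:
        self.sessions.pop(sid, None)
        return {"Set-Cookie": "sid=; Max-Age=0"}


def session_terminated_properly(app: SessionStore, user: str = "alice") -> bool:
    """Log in, log out, then replay the pre-logout session id.

    Returns True only if the server rejects the replayed id, i.e. the
    session was actually terminated rather than merely forgotten by the client.
    """
    sid = app.login(user)
    if app.whoami(sid) != user:
        raise RuntimeError("login did not establish a session")
    app.logout(sid)
    return app.whoami(sid) is None


if __name__ == "__main__":
    print("weak app terminates sessions:", session_terminated_properly(WeakApp()))
    print("fixed app terminates sessions:", session_terminated_properly(FixedApp()))
```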
“In this new version, we concentrated our energy on improvements that customers will appreciate while also demonstrating our continuous innovation,” said John Weinschenk, CEO of Cenzic. “PCI Compliance is important to many of our customers and this release will further help them in getting compliant. Furthermore, the new SmartAttacks are very critical for customers and like many of our attacks, some of these are only offered by Cenzic solutions. As adoption of Web services continues to grow, we felt the need to offer additional support. Finally, the interface, customizable reporting, and various other features will make the user experience even more enjoyable with easy to access actionable information.”
Cenzic’s Hailstorm product suite supports assessing, analyzing, and resolving security vulnerabilities throughout the software development lifecycle (SDLC), and assists in compliance with regulatory standards. Cenzic's pre-crafted SmartAttack™ library enables enterprises to run tests out of the box to find vulnerabilities in all Web applications, as well as to enforce internal policies. The company's integration with virtualization solutions, QA tools, source code scanners, application firewalls, and other security solutions gives enterprises the ability to address security issues as an integrated process. In addition, through its research lab, CIA (Cenzic Intelligent Analysis) Research, Cenzic provides companies with ongoing and frequent updates to its SmartAttack library covering the latest vulnerabilities and threats.