Strengths: Easy to use and understand when it comes to running scans
Weaknesses: Installation is a bit tricky, documentation is tough to find, scans are slower than other products
Verdict: A good program, but the installation and documentation need improvement
Cenzic Hailstorm is a software-based solution that performs true application vulnerability assessment. Once the product is up and running, the wizard allows you to scan websites easily, if not quickly: a default scan of the small PHP-based test website took more than 21 hours to complete.
We chose the industry best practices template from the default policy templates to scan against. Hailstorm reported only one false positive and, as with other scanners, it was an SQL injection vulnerability on a site without SQL. Unlike many other scanners, the solution was not fooled by the custom error pages. The utility found 13 distinct URLs and 80 vulnerabilities.
The interface made it quite easy to see the overall status of the application, the number of URLs found and the forms discovered. The product also drew our attention to other sites that were referenced but not visited as part of the scan.
Hailstorm can run several types of reports, from the technician report to the executive report. This feature allows for more employees in an organisation to understand the web vulnerabilities uncovered at their individual levels of interest.
The installation was the most confusing in this group test. Hailstorm offers several different software installation options, two of which require the utility to connect to an existing SQL database. On the third attempt we found the correct option, and a local database was installed along with the .NET Framework. The process did take some time to complete, but no additional configuration was needed.
Documentation for Hailstorm was a bit difficult to find. A getting started guide was enclosed, but it does not cover the different installation types in enough detail to choose the correct installation method with confidence. References are made to a user guide, but the installation CD does not ship with the guide in PDF format, nor is the file easily available for download from the website.
Support is offered via phone, web and email. Training and other services are also available.
The pricing for Hailstorm is above average for this group at £13,000, but it is a true application vulnerability assessment tool and is feature-rich.