Web Application Scanners: Web application scanners have properties of conventional VA scanners as well as similarities to the Protocol Modeler testing platform. Generally using a proxy-based architecture, they can crawl automatically or be driven by a user "test case" through a Web application. By watching for typical insecure Web programming practices and running checks against suspect components, the tools can discover and evaluate these vulnerabilities. Application tampering, including malicious cookie tampering and hidden value attacks, can be detected and identified by these tools. Protocol Modeler can pinpoint some of these Web application bugs, though the feature sets and strengths relative to Protocol Modeler will depend on the product in question.
Toolkits and Libraries: The final product space is largely noncommercial. Loads of open-source programming libraries, APIs and toolkits are available to help automate the process of network vulnerability testing. Using them will require deep technical knowledge of the protocols involved as well as programming and Unix expertise. These are not for the faint of heart. Fuzzers--tools that feed pathologically formed input to a program (in this context, a network-enabled application) to produce a fault--fall in this category. Security consultancy @Stake produces one such tool, called Spike. Protocol Modeler can undertake many of these tasks. In fact, the real value proposition of this product is that it provides a faster and more effective way to create many tests that would otherwise have to be assembled using these different network security toolkits.
Cenzic has been seeking its target customer for a long time. The problem is that the core audience--network security experts with deep technical knowledge--is quite small, and few have $25,000 to spend on a single tool. We can't help but wonder if Cenzic might generate more revenue by slashing Hailstorm's price and moving more copies. In the right hands, the program is an incredibly powerful tool. But as it stands, its accessibility is extremely limited.
So who is this product for? First, your hard-core security analysts, such as those working for a lab that tests security software and hardware. This category includes me, a writer who works for Neohapsis. One area in which Neohapsis specializes is NIDSs (network intrusion detection systems). We could use Hailstorm to automate some of the scripting involved in NIDS signature testing, for example. Crafting other specialized attacks with which to test NIDS systems, including various RFC (request for comment) violations, could also prove useful.
Another potential customer base is application development organizations--in-house application development teams and companies producing end-user applications. Cenzic has started to build in tools to make Hailstorm more usable in this type of quality assurance role. For example, support for scheduling recurring tests provides a degree of automation. You can have Hailstorm, once a night, scan the latest beta build of your Web application for SQL disclosure vulnerabilities on newly added pages that accept user-supplied input.
Bottom line, Hailstorm is the artificially overpriced prescription drug of the network security testing world--efficacious when given to the right person but available only to the economically elite.