Cenzic, a provider of Web application security vulnerability assessment and risk management solutions, Monday announced release 5.7 of Cenzic Hailstorm Enterprise ARC (Application Risk Controller) and Cenzic Hailstorm Professional.
Several new enhancements are available in Hailstorm 5.7, including much stronger Web services support, PCI compliance reporting, a new user interface for the ARC Desktop Client, and several usability and workflow improvements for the ARC dashboard.
In addition, Cenzic has introduced five new significant SmartAttacks into the product suite:
- Cross-site request forgery (CSRF) -- This SmartAttack can find and protect against vulnerabilities that cause unauthorized commands to be transmitted by a user unknowingly. CSRF is an attack vector that enables an attacker to send arbitrary HTTP or HTTPS requests from a victim user. This attack exploits the trust that a site has for a particular user.
- Ineffective session termination -- If a user session is not properly terminated, this SmartAttack can discover vulnerabilities that permit unauthorized access to that session.
- Session ID identification -- Determines the exact parameter(s) used by the application to hold the session ID(s).
- Application path disclosure -- Reports each page where malicious input can lead to an internal application error revealing specific path information.
- Platform path disclosure -- This SmartAttack reports each page with path disclosure vulnerabilities.
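The CSRF and ineffective-session-termination items above describe two weaknesses a scanner probes for. The following added example (not Cenzic's code, and not a description of how Hailstorm's SmartAttacks are implemented) models both in a small in-memory application so the conditions can be seen side by side: a state-changing request accepted without an anti-CSRF token, and a session id that the server still honours after logout. The application, its origin `https://bank.example`, the user names and balances, and the `attacker.example` origin are all constructed for the illustration.

```python
import secrets
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class Request:
    """Constructed stand-in for an HTTP request: only the fields the checks need."""
    method: str
    path: str
    cookies: dict = field(default_factory=dict)
    form: dict = field(default_factory=dict)
    origin: Optional[str] = None  # Origin header a browser adds to cross-site POSTs


class App:
    """Hypothetical banking app: POST /transfer moves money between accounts."""
    SITE = "https://bank.example"  # hypothetical origin of the application

    def __init__(self, csrf_protect: bool, invalidate_on_logout: bool):
        self.csrf_protect = csrf_protect
        self.invalidate_on_logout = invalidate_on_logout
        self.sessions = {}  # session id -> {"user": ..., "csrf": ...}
        self.balances = {"alice": 100, "mallory": 0}  # constructed sample data

    def login(self, user: str) -> str:
        sid = secrets.token_urlsafe(32)
        self.sessions[sid] = {"user": user, "csrf": secrets.token_urlsafe(32)}
        return sid

    def csrf_token(self, sid: str) -> str:
        # In a real app this value is embedded in the form the site itself serves,
        # so a page on another origin cannot read it.
        return self.sessions[sid]["csrf"]

    def logout(self, sid: str) -> None:
        # The weak variant only lets the browser drop its cookie; the server
        # keeps trusting the old session id.
        if self.invalidate_on_logout:
            self.sessions.pop(sid, None)

    def handle(self, req: Request):
        sess = self.sessions.get(req.cookies.get("sid"))
        if sess is None:
            return 401, "no valid session"
        if req.method == "POST" and req.path == "/transfer":
            if self.csrf_protect:
                # Reject requests whose Origin is another site, and require the
                # per-session synchronizer token the site's own form carries.
                if req.origin not in (None, self.SITE):
                    return 403, "cross-site origin"
                if not secrets.compare_digest(req.form.get("csrf", ""), sess["csrf"]):
                    return 403, "missing or invalid CSRF token"
            user, to = sess["user"], req.form["to"]
            amount = int(req.form["amount"])
            if self.balances.get(user, 0) < amount:
                return 400, "insufficient funds"
            self.balances[user] -= amount
            self.balances[to] = self.balances.get(to, 0) + amount
            return 200, "transferred"
        return 404, "not found"


def legitimate_transfer(app: App) -> int:
    """Same-site form submission carrying the token: should always succeed."""
    sid = app.login("alice")
    req = Request("POST", "/transfer", cookies={"sid": sid},
                  form={"to": "mallory", "amount": "10", "csrf": app.csrf_token(sid)},
                  origin=App.SITE)
    return app.handle(req)[0]


def csrf_check(app: App) -> int:
    """Cross-site POST: the browser attaches alice's cookie, but the other site's
    page cannot supply her token. 200 means vulnerable, 403 means protected."""
    sid = app.login("alice")
    forged = Request("POST", "/transfer", cookies={"sid": sid},
                     form={"to": "mallory", "amount": "10"},
                     origin="https://attacker.example")  # constructed origin
    return app.handle(forged)[0]


def session_termination_check(app: App) -> int:
    """Replay a session id after logout. 200 means the session was not
    terminated server-side; 401 means it was."""
    sid = app.login("alice")
    token = app.csrf_token(sid)  # known before logout, as a still-open tab would have it
    app.logout(sid)
    replay = Request("POST", "/transfer", cookies={"sid": sid},
                     form={"to": "mallory", "amount": "10", "csrf": token},
                     origin=App.SITE)
    return app.handle(replay)[0]


if __name__ == "__main__":
    for csrf, inval in [(False, False), (True, True)]:
        app = App(csrf_protect=csrf, invalidate_on_logout=inval)
        print(f"csrf_protect={csrf} invalidate_on_logout={inval}: "
              f"legit={legitimate_transfer(app)} csrf={csrf_check(app)} "
              f"termination={session_termination_check(app)}")
```

Each check function returns only a status code, so the same probe can be run against the weak and the hardened configuration and compared; a scanner's finding for these two classes is essentially the observation that the forged or replayed request came back with 200 rather than 403 or 401.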
Hailstorm 5.7 meets the June 30, 2008, compliance deadline for PCI Data Security Standard (DSS) Requirement 6.6 and is an aid to organizations working to comply with this demanding Web security requirement.