
Cenzic Web application security tool targets CSRF attacks

By SearchSoftwareQuality.com Staff
16 Jun 2008 | SearchSoftwareQuality.com


Cenzic, a provider of Web application security vulnerability assessment and risk management solutions, Monday announced release 5.7 of Cenzic Hailstorm Enterprise ARC (Application Risk Controller) and Cenzic Hailstorm Professional.

Several enhancements are available in Hailstorm 5.7, including much stronger Web services support, PCI compliance reporting, a new user interface for the ARC Desktop Client, and several usability and workflow improvements for the ARC dashboard.

In addition, Cenzic has introduced five new significant SmartAttacks into the product suite:

  • Cross-site request forgery (CSRF) -- This SmartAttack can find and protect against vulnerabilities that cause a user to unknowingly transmit unauthorized commands. CSRF is an attack vector that enables an attacker to send arbitrary HTTP or HTTPS requests from a victim user. This attack exploits the trust that a site has for a particular user.

  • Ineffective session termination -- If a user session is not properly terminated, this SmartAttack can discover vulnerabilities that permit unauthorized access to that session.

  • Session ID identification -- Determines the exact parameter(s) used by the application to hold the session ID(s).

  • Application path disclosure -- Reports each page where malicious input can lead to an internal application error revealing specific path information.

  • Platform path disclosure -- This SmartAttack reports each page with path disclosure vulnerabilities.

Hailstorm 5.7 meets the June 30, 2008, compliance deadline for PCI Data Security Standard (DSS) Requirement 6.6 and is an aid to organizations working to comply with this demanding Web security requirement.





