Re: Opinions on ClicktoSecure's Hailstorm Product

From: Bill Pennington (billp@boarder.org)
Date: 09/28/01


Message-ID: <3BB40CC0.CEF6936F@boarder.org>
Date: Thu, 27 Sep 2001 22:38:08 -0700
From: Bill Pennington <billp@boarder.org>
To: Security News <secure_news@yahoo.com>
Subject: Re: Opinions on ClicktoSecure's Hailstorm Product

I had the pleasure of watching Greg run Hailstorm through its paces and
was impressed with its abilities even though it was around 1 AM :).
This is a great R&D/QA tool; it is the closest thing I have seen to an
automated vulnerability finder. eEye has Retina which is good with its
attack language, but Hailstorm makes it easier to rapidly test a device
or application.

Having said that, I struggle to find good uses for it during a pen test.
I mean for an application pen test (I am thinking web application here)
you can rapidly abuse a myriad of URL parameters in a short amount of
time; this is good (well, great IMHO), but we found it a little too
involved to put in our standard arsenal.

That and some licensing issues (why does money always get in the way??)
made us decide not to deploy it.

Bottom line though, really cool tool that I am sure will get even better.
Anything that helps developers produce more secure products is great.
Now if Microsoft would just purchase a ton of copies maybe we could all
get a few days off...

Security News wrote:
>
> I am currently doing an evaluation of ClicktoSecure's Hailstorm product.
> Wondering if any of you have used the product, and what your opinions may
> be.
>
> Thanks
>
> dan
>
> ----------------------------------------------------------------------------
> This list is provided by the SecurityFocus Security Intelligence Alert (SIA)
> Service. For more information on SecurityFocus' SIA service which
> automatically alerts you to the latest security vulnerabilities please see:
> https://alerts.securityfocus.com/

-- 

Bill Pennington - CISSP
