Cenzic is betting its two new products, announced today, will be
"eye opening" for small enterprises that haven't yet addressed Web
application security.
The two products, Hailstorm Core and Hailstorm Starter, are
intended to offer an easy, low-cost or no-cost introduction to
application security, and they extend the reach of Cenzic's
application security assessment and compliance solutions to smaller
shops by targeting the most common vulnerabilities.
 | | | | | Obviously, we're not planning a
lot of revenue from either product. The idea is to get [application
security tools] in their hands. It's awareness building.
Mandeep Khera
Vice president of marketingCenzic
Inc. |
| | | | | |
| |
|
Hailstorm Starter assesses small Web sites for cross-site
scripting (CSS) vulnerabilities and is available to download for
free. Hailstorm Core assesses Web sites for CSS as well as SQL
disclosure, SQL error, Web server version and buffer overflow. It
is available for download for $1,500.
According to Mandeep Khera, vice president of marketing at
Cenzic Inc. in Santa Clara, Calif., this move by the company gives
small enterprises a risk-free option to download and test the
security products. "I think it will open a lot of people's eyes,"
he said.
"We're finding 95% or more of companies doing business online
have no clue what application security means," he said. "A lot of
them think it means SSL."
While large organizations such as financial services companies
understand the risk and have put solutions in place, he said,
"everyone else -- from midsize companies down -- have limited
visibility to application security. They don't understand the
issues. Obviously, we're not planning a lot of revenue from either
product. The idea is to get it in their hands -- it's awareness
building."
Khera said a lot of the mom and pop shops doing business online
rely on their ISPs for security, "and the ISPs are not doing
anything about application security either. And the mom and pop
shops don't know issues or have the time [to address security], so
they don't put the pressure on the ISPs," he said.
Although Khera said he has seen a lot of improvement in
application security awareness over the last year, "it's still not
enough. We were starting with a low base last year, but especially
over the last three to six months we've seen a tremendous
awareness. All signs are that people are finally getting it, but I
still believe it's a small percentage of the total population. It's
still the tip of the iceberg."