Cenzic Product Guide. Cloud, Mobile and Web Application Security

Transcription

1 Cloud, Mobile and Web Application Security

2 Table of Contents Cenzic Enterprise...3 Cenzic Desktop...3 Cenzic Managed Cloud...3 Cenzic Cloud...3 Cenzic Hybrid...3 Cenzic Mobile...4 Technology...4 Continuous Application Testing...4 Application Assessments...4 Attack Library...4 Robust, Easy Reporting...4 HARM Score...5 Web-Based Dashboard...5 Unified Architecture...6 Integration with Complementary Technologies...6 About Cenzic...6 2

3 Cenzic Enterprise Cenzic Enterprise, powered by Hailstorm, is a software solution that assesses the security of Cloud and Web applications and supports security risk management throughout the software development lifecycle. Because Cenzic Enterprise can be used in all parts of the software development lifecycle, and most importantly in production, applications are protected against new threats even after being deployed. After application vulnerabilities are identified, Cenzic Enterprise provides risk mitigation recommendations to protect data and meet compliance requirements. Cenzic Desktop Cenzic Desktop is a single-user version of Cenzic Enterprise, a software solution that assesses the security of Cloud and Web applications and supports security risk management throughout the software development lifecycle. It is designed for the power user who wants to run security assessments on Cloud and Web applications from a single system. With Cenzic Desktop, applications can be continuously assessed to reduce online security risk. Because Cenzic Desktop can be used in all parts of the software development lifecycle, and most importantly in production, applications are protected against new threats even after being deployed. After application vulnerabilities are identified, Cenzic Desktop provides risk mitigation recommendations to protect data and meet compliance requirements. Cenzic Managed Cloud Cenzic Managed Cloud, powered by Hailstorm, is a managed service that offers a range of Cloud, Mobile and Web application assessments remotely no software, no hardware and no installation needed. With Cenzic Managed Cloud, Cenzic s security experts remotely perform full vulnerability testing on Cloud, Mobile and Web applications with minimal resources and budget. Cenzic Managed Cloud, powered by Hailstorm, supports security risk management throughout the software development lifecycle. Because Cenzic Managed Cloud can be used in all parts of the software development lifecycle, and most importantly in production, applications are protected against new threats even after being deployed. After application vulnerabilities are identified, Cenzic Managed Cloud provides risk mitigation recommendations to protect data and meet compliance requirements. Cenzic Cloud Cenzic Cloud allows users to test their Cloud and Web applications for basic attacks and receive actionable results all within their own Web portal no security experts needed. It is the most costeffective, easy-to-use and robust vulnerability assessment solution available. With Cenzic Cloud, applications can be continuously assessed to reduce online security risk. Because Cenzic Cloud can be used in all parts of the software development lifecycle, and most importantly in production, applications are protected against new threats even after being deployed. After application vulnerabilities are identified, Cenzic Cloud provides risk mitigation recommendations to protect data and meet compliance requirements. Cenzic Hybrid Cenzic Hybrid, powered by Hailstorm, is a combination of software and managed services for application security assessments. It allows users to run their own Cloud and Web application vulnerability assessments using software (Cenzic Enterprise) as well as leverage Cenzic s security experts using managed services (Cenzic Managed Cloud and/or Cenzic Mobile) to perform additional application vulnerability tests, including testing Mobile apps, when the need arises. 3

4 Cenzic Mobile Cenzic Mobile service extends application security to protect data on the latest online front. Since many mobile applications connect to databases on the backend, they are a target of hackers. Cenzic leverages its Hailstorm technology and more than a decade of application security experience to deliver services that analyze Mobile applications and detect vulnerabilities in critical areas, including input validation authentication mechanisms, session security, encryption usage and policy compliance. Technology Cenzic Hailstorm was built from the ground up by Cenzic s engineering team and powers solutions that are different than other application security assessment products. Only Cenzic Hailstorm can test for vulnerabilities across all types of applications, including commercial and proprietary Cloud, Mobile and Web applications. In addition, only Cenzic Hailstorm allows organizations to test deployed applications using virtualization. Cenzic Hailstorm goes beyond a signature-based approach, for application vulnerability assessment. Cenzic Hailstorm emulates a true hacker with its Stateful Assessment approach that maintains the state of the application while attacking the application in production. This approach allows Cenzic Hailstorm to find all critical vulnerabilities with test results that are the most accurate in the industry yielding fewer false positives and finding more real threats. Continuous Application Testing Due to the unceasing onslaught of hackers employing new methods to access valuable data organizations, application security must be an ongoing effort. Effective application security is not a one-time event, but a discipline of testing and re-testing continuously throughout an application s lifecycle. Continuous testing is the only way to protect applications from the hundreds of new threats that come out every month. Application Assessments Cenzic users select the type of assessment needed for each application, such as PCI, OWASP Top 10, internal best practices and others. During the assessment, applications are crawled automatically or guided interactively by the user. Attack Library Cenzic s vulnerability discovery is driven by the Cenzic SmartAttacks library, which encapsulates best practices to test attack resistance, validate conformance to regulatory compliance and confirm internal security compliance. Robust, Easy Reporting With Cenzic, users can quickly and easily generate reports in a variety of formats, including PDF, Excel and Word. The reports include an application vulnerability summary, a total vulnerability risk score (HARM) and details on all the specific findings. 4

5 HARM Score The Cenzic HARM score helps you better understand your applications risks, measure progress toward security goals such as protecting your brand or getting compliant with regulations, and also gives you a measurement of your security baseline. For a given application, the HARM score is calculated by a series of formulas that determine how vulnerabilities detected by a potential attack are weighted. The HARM base score sums both applications total vulnerability profile and vulnerabilities detected by a particular SmartAttack in each application considering the following four areas: Application Session Browser Environment A complexity factor is applied to determine the means by which the vulnerability may be exploited. For instance, simple attacks such as those performed in a browser or automated with publicly available tools are considered higher risk. These are in contrast with attacks that require custom coded scripts. Web-Based Dashboard The Cenzic dashboard provides a standardized platform to manage application security risk throughout the enterprise. Role-based visibility provides a company-wide view of security status to executives as well as customized views to other users. Access is managed through the dashboard to control permissions of users and govern application access. The dashboard is designed so that users do not need to be security experts to run application tests and pull reports from Cenzic. From an intuitive interface, users can quickly see applications tested, vulnerability trends, applications most at risk, performance of business units conducting and remediation assessments. The Cenzic dashboard also gives users a summary of testing results including a prioritized listing of vulnerabilities based on Cenzic s quantitative risk scoring system (HARM ) to show what needs fixing first. A Web-based dashboard of application vulnerabilities is accessible in real-time to instantly show results and priorities for remediation. 5

6 Unified Architecture Because all Cenzic products are built on the same Hailstorm technology platform, users can effortlessly transfer data between software deployments (Cenzic Enterprise and Cenzic Desktop) and cloud deployments (Cenzic Managed Cloud, Cenzic Cloud and Cenzic Mobile). Cenzic products can also be deployed in combination Cenzic Hybrid (software and cloud). This deployment provides maximum flexibility as users are able to perform vulnerability testing using the software on premise or by leveraging Cenzic s expert security services team. Integration with Complementary Technologies Cenzic s integration with related technologies helps users more quickly block and correct application vulnerabilities. Integration with WAF (web application firewall), SIEM (security information and event management), SDLC (software development lifecycle), GRC (governance, risk management, and compliance), QA tools and other technologies ensures that vulnerabilities can be identified and immediately addressed. About Cenzic Cenzic provides an application security intelligence platform to continuously assess Cloud, Mobile and Web vulnerabilities. This helps brands of all sizes protect their reputation and manage security risk in the face of malicious attacks. Today, Cenzic secures more than half a million online applications and trillions of dollars of commerce for Fortune 1000 companies, all major security companies, government agencies, universities and SMBs. Cenzic, Inc CENZIC ( ) request@cenzic.com Cenzic, Inc. All rights reserved. Cenzic, Hailstorm, Stateful Assessment, HARM, and SmartAttack are registered trademarks of Cenzic, Inc.