
Rolling Review: N-Stalker Seeks, Doesn't Find: Page 2 of 6

With three different iterations of the product—the QA Edition; the Infra Edition, for infrastructure scanning; and the Enterprise Edition, which includes the QA and Infra versions as well as audit and penetration test capabilities—N-Stalker has a great conceptual approach that, on paper, made it look like an ideal fit for this review. We're looking for products that take into account the different potential use cases for application scanners, and on the face of it, N-Stalker's three-pronged approach is perfect.

Unfortunately, while the QA and Infra offerings may be somewhat useful thanks to their large built-in vulnerability databases, the audit and penetration-test modes are plagued not only by poor detection capabilities for new vulnerabilities, but also a severe lack of tools to aid in advanced manual penetration.

In our evaluation, N-Stalker's scanner failed to find a number of vulnerabilities that all of the other products were able to identify. Additionally, the engine was too easily caught in unintentional scanning loops on one site that generated recursive links: because it did not recognize that the subsequent URLs merely repeated identical variables, the product was tripped up.
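The crawler trap described above, shown here as an added illustration that is neither N-Stalker's code nor the review's own: a crawler whose visited set is keyed on a canonical form of each URL (duplicate query variables collapsed, host lowercased, fragment dropped) so that recursively generated links all fall into one bucket, beside the naive behaviour that keeps following them. The site model and the `example.test` hostname are constructed for the demonstration.

```python
from urllib.parse import urlsplit, urlunsplit, parse_qsl, urlencode


def canonical_url(url: str) -> str:
    """Return a canonical key for a URL: scheme/host lowercased, fragment
    dropped, and repeated identical query variables collapsed and sorted,
    so ?cat=1, ?cat=1&cat=1 and ?cat=1&cat=1&cat=1 all map to one key."""
    parts = urlsplit(url)
    pairs = []
    for pair in parse_qsl(parts.query, keep_blank_values=True):
        if pair not in pairs:  # drop exact duplicate (name, value) pairs
            pairs.append(pair)
    query = urlencode(sorted(pairs))
    return urlunsplit((parts.scheme.lower(), parts.netloc.lower(),
                       parts.path or "/", query, ""))


def crawl(start: str, links_for, max_pages: int = 1000, canonicalize: bool = True):
    """Breadth-first crawl. links_for(url) returns the links found on a page.
    Returns the distinct keys visited; max_pages bounds a runaway crawl."""
    seen, visited, queue = set(), [], [start]
    while queue and len(visited) < max_pages:
        url = queue.pop(0)
        key = canonical_url(url) if canonicalize else url
        if key in seen:
            continue
        seen.add(key)
        visited.append(key)
        queue.extend(links_for(url))
    return visited


def recursive_site(url: str) -> list:
    """Constructed stand-in for the problem site: every page links back to
    itself with all of its query variables repeated once more, and the
    listing page additionally links to one item page."""
    parts = urlsplit(url)
    pairs = parse_qsl(parts.query)
    looped = urlunsplit((parts.scheme, parts.netloc, parts.path,
                         urlencode(pairs + pairs), ""))
    links = [looped]
    if parts.path == "/list":
        links.append(f"{parts.scheme}://{parts.netloc}/item?id=2")
    return links
```

With canonical keys the crawl of `http://Example.test/list?cat=1` finishes after two pages; with raw URLs as keys it keeps generating new, ever-longer links until `max_pages` stops it.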

From a usability standpoint, N-Stalker's scanner not only fails to hit the bar set by WebInspect, it doesn't even compare well to the weaker interface found in Cenzic Hailstorm. Adding credentials for an application was a trivial matter with both WebInspect and Hailstorm, for example, but not only did N-Stalker fail to include any kind of automated log-in detection, even using the manual process was tedious, requiring at least twice the number of mouse clicks and keystrokes as rival products.

Numerous other usability flaws and outright bugs abound: multiple application windows that randomly failed to display in the Windows taskbar, buttons that silently failed to work, having to guess that a right-click is the next necessary step, non-resizable windows hiding necessary data, and more. N-Stalker says it is addressing at least some of these usability issues in its 2007 Edition release, due in October.

There were a few brief, shining moments where this product stood out, or at least broke even. As previously mentioned, it sports a large internal database of attack signatures for stock applications and would excel when primarily used to scan Web servers for known vulnerabilities. The reporting interface is flexible enough, and reports are attractive, though we would like to see XML output for further processing.