Networking

04:00 AM
Connect Directly
RSS
E-Mail
50%
50%

Rolling Review: N-Stalker Seeks, Doesn't Find

In the third installment of this Rolling Review, we found that not all scanners are created equal.

The Upshot

Claim
Web application scanners in this Rolling Review must not only find traditional vulnerabilities, like XSS and SQL injection flaws, but also handle Ajax applications, in which part of the app is running locally in the browser.
Context
Complex Ajax apps represent a new twist for these products, and we don't recommend purchasing a scanner that isn't able to handle Web 2.0 environments, given that so much future development is moving in that direction. And, Web application scanners should be just one element in a comprehensive, layered program—educating developers and integrating security reviews into the development lifecycle are just as crucial.
Credibility
N-Stalker's scanner failed to deliver on basic Web application security detection, let alone finding Ajax flaws. It does have the potential to be a useful scanner for known vulnerabilities once some quirks and bugs are cleaned up, but it simply can't compare to the first two products in this Rolling Review.

N-Stalker's Web Application Security Scanner 2006 Enterprise Edition.
Eight IP N-Stalker Enterprise Edition is $2,899 with 20% maintenance per year

The range of products calling themselves "security scanners" is so broad that the designation is flirting with irrelevance. You have your vulnerability assessment software, which uses large databases of known vulnerabilities. Then there are penetration testing applications that focus on fewer vulnerabilities, but include the ability to exploit flaws instead of just identify them. More relevant to this Rolling Review are Web application scanners, which attempt to uncover problems in newly developed software—before they get exploited.

As an added twist in this review, we've focused our testing on Ajax applications. We've already evaluated Hewlett-Packard's WebInspect (formerly from SPI Dynamics) and Cenzic's Hailstorm. Both are Web application vulnerability scanners aimed primarily at crawling new Web apps looking for exploitable flaws. Sure, they're able to detect some common misconfigurations within Web servers and languages, even pick up a few stock bugs in known programs. But that's not their primary focus.

Unfortunately, the newest entry in this Rolling Review, N-Stalker's Web Application Security Scanner 2006 Enterprise Edition (say that five times fast), doesn't measure up to the previously tested scanners, despite its hefty built-in database of vulnerabilities in known Web servers and Web applications.

Previous
1 of 6
Next
Comment  | 
Print  | 
More Insights
Slideshows
Cartoon
Audio Interviews
Archived Audio Interviews
Jeremy Schulman, founder of Schprockits, a network automation startup operating in stealth mode, joins us to explore whether networking professionals all need to learn programming in order to remain employed.
White Papers
Register for Network Computing Newsletters
Current Issue
2014 Private Cloud Survey
2014 Private Cloud Survey
Respondents are on a roll: 53% brought their private clouds from concept to production in less than one year, and 60% ­extend their clouds across multiple datacenters. But expertise is scarce, with 51% saying acquiring skilled employees is a roadblock.
Video
Twitter Feed