Rolling Review: Cenzic's Hailstorm Enterprise Application Risk Controller: Page 4 of 5

Cosmetic flaws are mainly within the Hailstorm scanning application, rather than in the ARC Web interface. In Hailstorm, activities take a few too many clicks. Starting a new scan, for example, involves creating a job, creating a traversal, dragging the traversal to the job, dragging the smart attacks to the job, then starting the scan. Although the Web interface and the new job wizard make the process much simpler, the steps involved in creating a custom scan feel awkward and nonintuitive. Moreover, the product specs recommend 1,600x1,200 pixel resolution, high for this type of application. The Web interface was certainly usable at lower resolutions, but Hailstorm felt slightly cramped even at 1,280x1,024. Unfortunately, this means that most laptops--especially wide-screens--won't be comfortable platforms for using the scanner.

The ARC Web interface dashboard tries to display at-a-glance the current state of all applications being monitored. On the upside, the product is meant to constantly scan applications and track the overall exposure from each. This Web application vulnerability-management approach is necessary in environments where the application as tested last month isn't the application that's running now due to upgrades, patches or other fixes.

Unfortunately, all that data is displayed by way of an arbitrary "HARM" score. The metric is computed by assigning each application a risk, and computing that value together with a predefined (though customizable) rating for each instance of a discovered vulnerability. The problem with HARM is that it's overly simplistic. Is an application with a 10,000 HARM score at more risk, or more work to fix, than one with a 3,000 HARM score? Maybe, but maybe not. One of our sample applications had a very high HARM score from a single vulnerability type, for example; but if all those vulnerabilities are in the same section of easily patched code, the HARM score would not be a useful metric for overall exposure.

Those are evaluations a human needs to make. Cenzic has the right idea in integrating a dashboard display and trying to present a lot of information in a simple interface. But we're afraid it may lull some IT folks into complacency--arbitrary values have a hard time summing up complicated realities, especially without options such as scaling multiple identical vulnerabilities logarithmically rather than counting each one in full.
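To make the objection concrete, here is an added example (our own illustration, not Cenzic's HARM formula, which the review does not spell out) with a constructed set of scanner findings. One application has forty copies of the same reflected XSS in a single template; the other has three distinct flaws in three different files. A naive linear roll-up ranks the first application as far riskier; grouping identical findings by class and code location and scaling repeats logarithmically flips the ranking and also yields a count of distinct fix locations, which tracks remediation effort far better. The application names, weights and per-application risk multipliers are all assumptions made up for the example.

```python
import math
from collections import defaultdict

# Constructed sample findings, not data from the review or from Hailstorm.
# Each entry is one instance a scanner would report: the application, the
# vulnerability class, where in the code it was found, and a predefined
# per-class weight (the customizable rating the review mentions).
XSS_IN_SEARCH = {"app": "storefront", "type": "reflected_xss",
                 "location": "search.tmpl", "weight": 5}
FINDINGS = [dict(XSS_IN_SEARCH) for _ in range(40)] + [
    {"app": "payroll", "type": "sql_injection", "location": "report.py", "weight": 10},
    {"app": "payroll", "type": "auth_bypass", "location": "login.py", "weight": 9},
    {"app": "payroll", "type": "reflected_xss", "location": "profile.tmpl", "weight": 5},
]

# Hypothetical per-application business-risk multiplier (an assumption; the
# review does not give Cenzic's actual values or formula).
APP_RISK = {"storefront": 2, "payroll": 3}


def linear_score(findings, app_risk):
    """Naive roll-up: every reported instance adds app_risk * weight.
    This is the kind of aggregate the review calls overly simplistic."""
    totals = defaultdict(float)
    for f in findings:
        totals[f["app"]] += app_risk[f["app"]] * f["weight"]
    return dict(totals)


def group_findings(findings):
    """Collapse identical findings (same app, class and code location) into
    one group, keeping the instance count and the class weight."""
    groups = {}
    for f in findings:
        key = (f["app"], f["type"], f["location"])
        count, _ = groups.get(key, (0, f["weight"]))
        groups[key] = (count + 1, f["weight"])
    return groups


def log_grouped_score(findings, app_risk):
    """Alternative roll-up: each group contributes app_risk * weight scaled by
    1 + log2(count), so 40 copies of one bug in one template count as about
    six, not forty. Distinct problems (count == 1) are unaffected."""
    totals = defaultdict(float)
    for (app, _type, _loc), (count, weight) in group_findings(findings).items():
        totals[app] += app_risk[app] * weight * (1 + math.log2(count))
    return dict(totals)


def distinct_fixes(findings):
    """How many separate code locations need a fix per application; a better
    proxy for remediation effort than the raw instance count."""
    per_app = defaultdict(int)
    for (app, _type, _loc) in group_findings(findings):
        per_app[app] += 1
    return dict(per_app)


def ranking(scores):
    """Applications ordered from highest to lowest score."""
    return sorted(scores, key=scores.get, reverse=True)


if __name__ == "__main__":
    lin = linear_score(FINDINGS, APP_RISK)
    log = log_grouped_score(FINDINGS, APP_RISK)
    print("linear:      ", lin, ranking(lin))
    print("log-grouped: ", log, ranking(log))
    print("distinct fixes:", distinct_fixes(FINDINGS))
```

Run as a script it prints both scores and rankings: the linear total puts storefront (400) well ahead of payroll (72), while the log-grouped total puts payroll (72) ahead of storefront (about 63), and the distinct-fix count shows storefront needs one patch against payroll's three. The point is not that this particular scaling is right, but that any single number hides exactly the judgement the review says a human still has to make.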

ABOUT THIS ROLLING REVIEW
Ajax-capable app scanners are currently under test at our Real-World Labs® at the University of Florida. We're assessing general reliability; advanced features; ease of use for nonsecurity personnel; ability to map and scan Ajax functionality; prevalence of false positives, as well as ease in manual adjustments or product updates to address them; prevalence of false negatives; and price. SaaS offerings will also be evaluated, though not on ease of use and advanced features.