by Matt Hines

Cenzic virtualizes Web apps testing

news | Dec 10, 2007

Companies wary of the impact of vulnerability scanning on their programs may find relief in Cenzic's virtual scanning, which scans exact replicas of apps

Web application security testing specialist Cenzic announced the latest version of its flagship scanning platform on Monday, adding new capabilities for inspecting programs that run on virtualization technologies made by VMware.

While leading software development platform makers, including IBM and HP, have invested heavily in acquiring assets from the applications testing tools market over the last year in an effort to force programmers to improve the quality of their work, hundreds of millions of existing Web applications still need to be examined for potential flaws, Cenzic officials maintain.

However, because companies are often resistant to the idea of pointing vulnerability-testing tools at their live applications — based largely on fears of bringing the programs down or corrupting the data they handle — many businesses have been reluctant to begin scanning all of their programs for potential flaws.

By linking its Cenzic Hailstorm Enterprise ARC (Application Risk Controller) package with VMware’s Lab Manager and Virtual Center technologies, officials with the application testing software vendor said, the company has been able to combine its security expertise with the widely deployed virtualization tools already in use at many large businesses, and thereby lower the impact of the vulnerability-scanning process.

The ability to use the virtualized environments provided by the Lab Manager and Virtual Center products to test exact copies of their applications without putting their real operations or data at risk should spur even greater interest in adopting applications scanning tools altogether, Cenzic executives contend.

“We think that offering the ability for companies to test their production applications in a virtual staging environment, where they aren’t exposed to the same risks of slowing operations or corrupting data, will be a big deal,” said John Weinschenk, chief executive of Cenzic.

“The reason some people have avoided this level of testing is because they are too worried about disrupting their business, but the truth is these are the real applications that have the data they want to protect and that are being attacked on a daily basis,” he said. “They’ve been searching for something that can protect uptime while searching for problems, and virtualization is the key to all of that.”

In addition to giving companies more flexibility for initially testing their applications for security flaws, the executive maintains that the new Hailstorm-VMware features will also make it more palatable for organizations to engage in “continuous testing” to stay abreast of any new defects they may discover in their applications over time.

Weinschenk said that most large businesses are already using virtualization tools, with the vast majority of Fortune 100 companies investing specifically in VMware’s products.

Many of those companies are actively looking for additional areas where they can bring the tools to bear on their IT operations, he said, and the CEO contends that applications security testing will be received as an attractive opportunity to embrace virtualization even further.

Expanding the horizons of virtualization

Describing VMware’s products as a “gaming console” and Cenzic’s new tools as the “next big game,” the executive said he believes that once IT leaders realize they can use the platforms together to search their production apps for problems more safely, it will prove a significant boon to his company’s prospects.

“VMware Lab Manager enables easy reproduction of software defects and security vulnerabilities without disrupting production environments, allowing quick troubleshooting across development and test teams,” Brian Byun, vice president of global partners at VMware, said in a statement. “As a result of the integration of Cenzic Hailstorm with VMware Lab Manager, VirtualCenter customers can achieve increased productivity and security testing of mission-critical Web applications while continuing normal business operations.”

Hailstorm connects to the VMware products through an API provided by the virtualization specialist, and Cenzic officials said they would also look to link Hailstorm Enterprise ARC to other, similar systems in the future.

VMware officials cited the Cenzic integration as a solid example of how their products can be used beyond the most common applications of virtualization tools today, which most often revolve around lowering energy consumption and IT management overhead.

In addition to the new VMware ties, Cenzic also announced an updated user interface for Hailstorm ARC, along with new compliance reporting tools for creating vulnerability assessment reports to hand over to third-party auditors.

Industry watchers said that Cenzic’s virtualization strategy appears to make a lot of sense and observed that the company’s rivals will likely attempt to launch similar products in the future.

However, because two of the company’s closest rivals, Watchfire and SPI Dynamics, are in the process of being integrated into IBM and HP, respectively, some analysts feel that Cenzic could enjoy a significant lead time before competing technologies arrive.

“It’s an innovative approach, and it definitely shows that Cenzic is using the runway that it has in advance of HP and IBM as those companies work to integrate and re-launch the products they’ve acquired,” said Nick Selby, analyst with the 451 Group. “The integration itself is on the API level, so the bar isn’t set high in terms of competitors trying to imitate what is being done here, but HP and IBM are pretty occupied and won’t be able to make it a priority to do so for a while.”

The analyst said that the integration could also help Cenzic and others in the application testing space break through the existing barrier around whom they can market their tools to inside enterprise IT groups.

“This could be a creative way to get through the barrier that exists around apps testing between operational IT and security teams,” Selby said. “It allows the security staff not to have to get authorization from operations to do testing, while it prevents operations from needing to worry about things getting broken during the security scans.”