Re: Web Application Penetration Testing Methodology Patent

From: Martin Mačok (martin.macok@underground.cz)
Date: Sat Jan 17 2004 - 07:02:07 EST


On Fri, Jan 16, 2004 at 06:37:36AM -0800, webtester@hushmail.com wrote:

> As many of you know, Sanctum, Inc. has been granted a patent
> (United States Patent No. 6,584,569) describing a process for
> automatically detecting potential application-level vulnerabilities
> or security flaws in a web application.

I already knew the process this patent is describing (and so did most
of us) and I was using many parts of it (wget, pavuk, wwwoffle, htdig,
paros, squid, grep, sed, cut, perl, perl-WWW-Mechanizer, curl, nikto,
nessus, netcat, telnet, ...). I do not remember ever having heard
of Sanctum, Inc. or ever having read/used something
created/written by them. It is just a summary of what we have already
known and used. Nothing innovative.

So, how is it possible that I have to pay them for something that
I haven't got (either directly or indirectly) from them? Something is
fundamentally wrong with it. It seems to me that they just "stole" it
from all of us. Is this what patents were supposed to be for???

> However, there is a way to challenge this patent. First and foremost
> is to find something that addresses all the above points 1 year
> prior to when Sanctum submitted the patent.

No. Something is *fundamentally* wrong with it. What if there were
tens, hundreds or thousands of patents like that? Should we fight each
one separately and prove each time that we are not stealing??

This just means that penetration testing will be *much* more
expensive in the future without better quality or any other
compensation for the price. It just gets more expensive! Our customers will
not just pay for our technical skills in the IT security field but also
for our lawyers and licensing fees. It also means that we were, are
and will be capable of testing something but we will not be allowed to do
so anymore!

If Sanctum, Inc. has developed an application that smoothly does all of
the (1)-(4) tasks they covered with this "patent", they already have
a great chance to make a *lot* of money with it (assuming they don't
fsck up other things like QA, usability, marketing...). No patent is
needed for that; it just hurts the others and makes security cost
more, which is actually *against* security (!)

I don't care much about this since it is primarily a United States
dog food. How does this apply world-wide? Is such a patent going to be
applicable in, say, the EU? Asia? Or are we already "there"?

Martin Mačok
IT security consultant, penetration tester

-- 
         Martin Mačok                 http://underground.cz/
   martin.macok@underground.cz        http://Xtrmntr.org/ORBman/