RE: Web Application Penetration Testing Methodology Patent

From: Pete Herzog (pete@isecom.org)
Date: Sat Jan 17 2004 - 08:03:39 EST


Hi,

Any IBMers out there remember doing this as part of a global service for
putting a stamp on the website that it's been tested? I know it was a
service from 1998 but I can't find name references to this service and I'm
sure it consisted of all those elements.

If it was an IBM service and active in 1998, I'm sure that would trump
Sanctum.

Sincerely,
-pete.

Pete Herzog, Managing Director
Institute for Security and Open Methodologies
www.isecom.org - www.osstmm.org
www.hackerhighschool.org - www.isestorm.org

> -----Original Message-----
> From: Martin Mačok [mailto:martin.macok@underground.cz]
> Sent: Saturday, January 17, 2004 13:02 PM
> To: webappsec@securityfocus.com; pen-test@securityfocus.com
> Subject: Re: Web Application Penetration Testing Methodology Patent
>
>
> On Fri, Jan 16, 2004 at 06:37:36AM -0800, webtester@hushmail.com wrote:
>
> > As many of you know, Sanctum, Inc. has been granted a patent
> > (United States Patent No. 6,584,569) describing a process for
> > automatically detecting potential application-level vulnerabilities
> > or security flaws in a web application.
>
> I already knew the process this patent is describing (and so did most
> of us) and I was using many parts of it (wget, pavuk, wwwoffle, htdig,
> paros, squid, grep, sed, cut, perl, perl-WWW-Mechanizer, curl, nikto,
> nessus, netcat, telnet, ...). I do not remember ever having heard
> of Sanctum, Inc. or ever having read/used something
> created/written by them. It is just a summarization of what we have
> already known and used. Nothing innovative.
>
> So, how is it possible that I have to pay them for something that
> I haven't got (either directly or indirectly) from them? Something is
> fundamentally wrong with this. It seems to me that they just "stole" it
> from all of us. Is this what patents were supposed to be for???
>
> > However, there is a way to challenge this patent. First and foremost
> > is to find something that addresses all the above points 1 year
> > prior to when Sanctum submitted the patent.
>
> No. Something is *fundamentally* wrong with it. What if there were
> tens, hundreds or thousands of patents like that? Should we fight each
> one separately and prove each time that we are not stealing??
>
> This just means that penetration testing will be *much* more
> expensive in the future without having better quality or any other
> price compensation. It just gets more expensive! Our customers will
> not just pay for our technical skills in the IT security field but also
> for our lawyers and licensing fees. It also means that we were, are
> and will be capable of testing something but we will not be allowed to do
> so anymore!
>
> If Sanctum, Inc. have developed an application doing smoothly all of
> the (1)-(4) tasks they covered with this "patent", they already have
> a great chance to make a *lot* of money with it (assuming they don't
> fsck up other things like QA, usability, marketing...). No patent is
> needed for that; it just hurts the others and makes security cost
> more, which is actually *against* security (!)
>
> I don't care much about this since it is primarily a United States
> dog food. How does this apply world-wide? Is such a patent going to be
> applicable in, say, the EU? Asia? Or are we already "there"?
>
> Martin Mačok
> IT security consultant, penetration tester
>
> --
> Martin Mačok http://underground.cz/
> martin.macok@underground.cz http://Xtrmntr.org/ORBman/
>

This archive was generated by hypermail 2.1.7 : Sat Apr 12 2008 - 10:53:45 EDT