From: Martin Mačok [mailto:martin.macok () underground cz]
Sent: Saturday, January 17, 2004 13:02 PM
To: webappsec () securityfocus com; pen-test () securityfocus com
Subject: Re: Web Application Penetration Testing Methodology Patent
On Fri, Jan 16, 2004 at 06:37:36AM -0800, webtester () hushmail com wrote:
> As many of you know, Sanctum, Inc. has been granted a patent
> (United States Patent No. 6,584,569) describing a process for
> automatically detecting potential application-level vulnerabilities
> or security flaws in a web application.
I already knew the process this patent is describing (and so did most
of us) and I was using many parts of it (wget, pavuk, wwwoffle, htdig,
paros, squid, grep, sed, cut, perl, perl-WWW-Mechanizer, curl, nikto,
nessus, netcat, telnet, ...). I do not remember ever having heard
of Sanctum, Inc., or ever having read/used something
created/written by them. It is just a summary of what we already
knew and used. Nothing innovative.
So, how is it possible that I have to pay them for something that
I haven't got (either directly or indirectly) from them? Something is
fundamentally wrong with it. It seems to me that they just "stole" it
from all of us. Is this what patents were supposed to be for???
> However, there is a way to challenge this patent. First and foremost
> is to find something that addresses all the above points 1 year
> prior to when Sanctum submitted the patent.
No. Something is *fundamentally* wrong with it. What if there were
tens, hundreds or thousands of patents like that? Should we fight each
one separately and prove each time that we are not stealing??
This just means that penetration testing will be *much* more
expensive in the future without better quality or any other
price compensation. It just gets more expensive! Our customers will
not just pay for our technical skills in the IT security field but also
for our lawyers and licensing fees. It also means that we were, are
and will be capable of testing something but we will not be allowed to do
If Sanctum, Inc. has developed an application that smoothly does all of
the (1)-(4) tasks they covered with this "patent", they already have
a great chance to make a *lot* of money with it (assuming they don't
fsck up other things like QA, usability, marketing...). No patent is
needed for that; it just hurts the others and makes security cost
more, which is actually *against* security (!)
I don't care much about this since it is primarily a United States
dog food. How does this apply world-wide? Is such a patent going to be
applicable in, say, the EU? Asia? Or are we already "there"?
IT security consultant, penetration tester
Martin Mačok http://underground.cz/
martin.macok () underground cz http://Xtrmntr.org/ORBman/