Penetration Testing mailing list archives

RE: Web Application Penetration Testing Methodology Patent
From: "Pete Herzog" <pete () isecom org>
Date: Sat, 17 Jan 2004 14:03:39 +0100


Any IBMers out there remember doing this as part of a global service for
putting a stamp on the website that it's been tested?  I know it was a
service from 1998 but I can't find name references to this service and I'm
sure it consisted of all those elements.

If it was an IBM service and active in 1998, I'm sure that would trump


Pete Herzog, Managing Director
Institute for Security and Open Methodologies
www.isecom.org - www.osstmm.org
www.hackerhighschool.org - www.isestorm.org

-----Original Message-----
From: Martin Mačok [mailto:martin.macok () underground cz]
Sent: Saturday, January 17, 2004 13:02 PM
To: webappsec () securityfocus com; pen-test () securityfocus com
Subject: Re: Web Application Penetration Testing Methodology Patent

On Fri, Jan 16, 2004 at 06:37:36AM -0800, webtester () hushmail com wrote:

> As many of you know, Sanctum, Inc. has been granted a patent
> (United States Patent No. 6,584,569) describing a process for
> automatically detecting potential application-level vulnerabilities
> or security flaws in a web application.

I already knew the process this patent describes (and so have most
of us) and I was using many parts of it (wget, pavuk, wwwoffle, htdig,
paros, squid, grep, sed, cut, perl, perl-WWW-Mechanizer, curl, nikto,
nessus, netcat, telnet, ...). I do not remember ever having heard
of Sanctum, Inc. or ever having read/used something
created/written by them. It is just a summary of what we have already
known and used. Nothing innovative.

So, how is it possible that I have to pay them for something that
I haven't got (either directly or indirectly) from them? Something is
fundamentally wrong with it. It seems to me that they just "stole" it
from all of us. Is this what patents were supposed to be for???

> However, there is a way to challenge this patent. First and foremost
> is to find something that addresses all the above points 1 year
> prior to when Sanctum submitted the patent.

No. Something is *fundamentally* wrong with it. What if there were
tens, hundreds or thousands of patents like that? Should we fight each
one separately and prove each time that we are not stealing??

This just means that penetration testing will be *much* more
expensive in the future without better quality or any other
price compensation. It just gets more expensive! Our customers will
not just pay for our technical skills in the IT security field but also
for our lawyers and licensing fees. It also means that we were, are
and will be capable of testing something but we will not be allowed to do
so anymore!

If Sanctum, Inc. has developed an application that smoothly does all of
the (1)-(4) tasks they covered with this "patent", they already have
a great chance to make a *lot* of money with it (assuming they don't
fsck up other things like QA, usability, marketing...). No patent is
needed for that; it just hurts the others and makes security cost
more, which is actually *against* security (!)

I don't care much about this since it is primarily a United States
dog food. How does this apply world-wide? Is such a patent going to be
applicable in, say, the EU? Asia? Or are we already "there"?

Martin Mačok
IT security consultant, penetration tester

         Martin Mačok                 http://underground.cz/
   martin.macok () underground cz        http://Xtrmntr.org/ORBman/

