WebApp Sec mailing list archives
RE: Web Application Penetration Testing Methodology Patent
From: "Pete Herzog" <pete () isecom org>
Date: Sat, 17 Jan 2004 14:03:39 +0100
Hi,

Any IBMers out there remember doing this as part of a global service for putting a stamp on the website that it's been tested? I know it was a service from 1998 but I can't find name references to this service and I'm sure it consisted of all those elements. If it was an IBM service and active in 1998, I'm sure that would trump Sanctum.

Sincerely,
-pete.

Pete Herzog, Managing Director
Institute for Security and Open Methodologies
www.isecom.org - www.osstmm.org
www.hackerhighschool.org - www.isestorm.org
-----Original Message-----
From: Martin Mačok [mailto:martin.macok () underground cz]
Sent: Saturday, January 17, 2004 13:02 PM
To: webappsec () securityfocus com; pen-test () securityfocus com
Subject: Re: Web Application Penetration Testing Methodology Patent

On Fri, Jan 16, 2004 at 06:37:36AM -0800, webtester () hushmail com wrote:

> As many of you know, Sanctum, Inc. has been granted a patent (United States Patent No. 6,584,569) describing a process for automatically detecting potential application-level vulnerabilities or security flaws in a web application.

I already knew the process this patent is describing (and so have most of us) and I was using many parts of it (wget, pavuk, wwwoffle, htdig, paros, squid, grep, sed, cut, perl, perl-WWW-Mechanizer, curl, nikto, nessus, netcat, telnet, ...). I do not remember that I have ever heard of Sanctum, Inc. or that I have ever read/used something created/written by them. It is just a summarization of what we have already known and have used. Nothing innovative. So, how is it possible that I have to pay them for something that I haven't got (either directly or indirectly) from them? Something is fundamentally wrong with it. It seems to me that they just "stole" it from all of us. Is this what the patents were supposed to be for???

> However, there is a way to challenge this patent. First and foremost is to find something that addresses all the above points 1 year prior to when Sanctum submitted the patent.

No. Something is *fundamentally* wrong with it. What if there were tens, hundreds or thousands of patents like that? Should we fight each one separately and prove each time that we are not stealing?? This just means that penetration testing will be *much* more expensive in the future without having better quality or any other price compensation. It just gets more expensive! Our customers will not just pay for our technical skills in the IT security field but also for our lawyers and licensing fees.

It also means that we were, are and will be capable of testing something but we will not be allowed to do so anymore! If Sanctum, Inc. has developed the application doing smoothly all of the (1)-(4) tasks they covered with this "patent", they already have a great chance to make a *lot* of money with it (assuming they don't fsck up other things like QA, usability, marketing...). No patent is needed for that; it just hurts the others and makes security cost more, which is actually *against* security (!)

I don't care much about this since it is primarily a United States dog food. How does this apply world-wide? Is such a patent going to be applicable in, say, the EU? Asia? Or are we already "there"?

Martin Mačok
IT security consultant, penetration tester

--
Martin Mačok http://underground.cz/
martin.macok () underground cz http://Xtrmntr.org/ORBman/