Information Security News mailing list archives

Software Acts As Robotic Hacker


From: InfoSec News <isn () C4I ORG>
Date: Thu, 22 Jun 2000 00:52:10 -0500

http://www.techweb.com/wire/story/TWB20000621S0013

By Rutrell Yasin, InternetWeek
Jun 21, 2000 (3:25 PM)

The best way to determine if your IT infrastructure is secure is to
have a hacker try to break into your corporate systems. Short of that,
software that simulates attacks is the next best thing. Wednesday,
Sanctum rolled out an automated audit tool that analyzes Web
applications, points to security glitches, and provides advice on how
to fix any vulnerability.

Generally, security holes are found within in-house or third-party
applications. Sanctum (formerly Perfecto Technologies) already
provides software called AppShield that prevents unauthorized users
from manipulating any type of application. AppShield recognizes the
application's security policy by analyzing the outbound HTML pages and
then enforces compliance with the policy for each incoming HTTP
request.
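
The mechanism the article attributes to AppShield, deriving the expected request shape from the HTML the server actually sent and rejecting inbound requests that deviate from it, is small enough to sketch. The Python below is an added illustration written for this archive, not Sanctum's code; the sample page, the `/checkout` form and its field names are constructed for the example. It learns one policy per form action (offered field names, fixed hidden-field values, `maxlength` limits) and then flags the classes of manipulation the article names: unexpected parameters, altered hidden fields, and over-long values.

```python
"""Toy model of "learn the policy from outbound HTML, enforce it on inbound
requests".  Added illustration only; it is not AppShield or AppScan code."""
from html.parser import HTMLParser
from urllib.parse import parse_qs, urlsplit


class FormPolicyLearner(HTMLParser):
    """Records, per form action path, the input names the page offers,
    the fixed values of hidden fields, and any maxlength limits."""

    def __init__(self):
        super().__init__()
        self.policies = {}   # action path -> {"fields", "hidden", "maxlen"}
        self._current = None

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            action = urlsplit(a.get("action") or "").path
            self._current = self.policies.setdefault(
                action, {"fields": set(), "hidden": {}, "maxlen": {}})
        elif tag in ("input", "select", "textarea") and self._current is not None:
            name = a.get("name")
            if not name:
                return                      # e.g. an unnamed submit button
            self._current["fields"].add(name)
            if (a.get("type") or "text").lower() == "hidden":
                self._current["hidden"][name] = a.get("value") or ""
            maxlen = a.get("maxlength") or ""
            if maxlen.isdigit():
                self._current["maxlen"][name] = int(maxlen)

    def handle_endtag(self, tag):
        if tag == "form":
            self._current = None


def learn_policy(outbound_html):
    """Build the per-form policy from a page the server is about to send."""
    learner = FormPolicyLearner()
    learner.feed(outbound_html)
    return learner.policies


def check_request(policies, path, query_string):
    """Return the list of policy violations for one inbound request.
    An empty list means the request matches what the served HTML allowed."""
    policy = policies.get(path)
    if policy is None:
        return ["no served form posts to %s" % path]
    violations = []
    params = parse_qs(query_string, keep_blank_values=True)
    for name, values in params.items():
        if name not in policy["fields"]:
            violations.append("unexpected parameter %r (parameter tampering)" % name)
            continue
        for value in values:
            expected = policy["hidden"].get(name)
            if expected is not None and value != expected:
                violations.append("hidden field %r changed from %r to %r"
                                  % (name, expected, value))
            limit = policy["maxlen"].get(name)
            if limit is not None and len(value) > limit:
                violations.append("%r is %d chars, form allows %d"
                                  % (name, len(value), limit))
    return violations


# Constructed sample page: a checkout form with two hidden fields.
SAMPLE_PAGE = """
<form action="/checkout" method="post">
  <input type="hidden" name="item_id" value="1042">
  <input type="hidden" name="price" value="49.95">
  <input type="text" name="qty" maxlength="3">
  <input type="submit" value="Buy">
</form>
"""

if __name__ == "__main__":
    pol = learn_policy(SAMPLE_PAGE)
    for qs in ("item_id=1042&price=49.95&qty=2",
               "item_id=1042&price=0.01&qty=2",
               "item_id=1042&price=49.95&qty=2&admin=1"):
        print(qs, "->", check_request(pol, "/checkout", qs) or "allowed")
```

The policy is keyed on the form's action path, so the same rules apply whether the browser submits the form or a client replays a hand-built request. Note what this toy does not do: it does not tie a learned policy to the session that received the page, so a production enforcement point would have to scope policies per session to avoid one client's page shaping another client's allowed requests.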

However, a large e-business with "5,000 Web servers can't apply
AppShield on every server," said Eran Reshef, Sanctum's co-founder and
senior vice president. As a result, the new AppScan is designed to
automatically ferret out and repair glitches that would normally take
IT managers hours to manually patch and upgrade, Reshef added.

At the heart of AppScan is the Policy Recognition Engine, which
analyzes the application while an auditor browses through it.
AppScan's RoboHacker feature can then generate potential hacks such as
hidden manipulation code, parameter tampering, cookie poisoning and
buffer overflows, as well as search for dangerous content.

If an attack is successful, it can be written into a report, and
advice on how to fix the problem is generated by the RoboAdvisor
feature.

AppScan performs the "same functions that a good consulting firm would
do when it performs a penetration test," said Gartner Group analyst
John Pescatore.

However, the tool may be too sophisticated for the average e-business,
which lacks security expertise in-house, Pescatore said.

"For the tool to be effective, companies would need a real smart
person to initiate the attack and then to interpret the results," he
said. "It might be beyond what [the typical] e-businesses can do,
except for the high-end sites with expertise in-house."

Pescatore said the tool would initially be popular among consultants
who perform security audits for companies. Reshef said Yahoo (stock:
YHOO) and Lycos's (stock: LCOS) Quote.com are early beta testers of
the product.

AppScan will be available in the third quarter. Pricing is
subscription-based, ranging between $20,000 and $75,000 per auditor.

ISN is hosted by SecurityFocus.com
---
To unsubscribe email LISTSERV () SecurityFocus com with a message body of
"SIGNOFF ISN".