WebApp Sec mailing list archives
RE: Web Application Penetration Testing Methodology Patent
From: <pentester2189114 () hushmail com>
Date: Mon, 19 Jan 2004 05:20:27 -0800
Hi Mark, you may have already received this message; if so, please disregard this one.

I agree that the Sanctum patent should be a really important issue for the web security industry and the people that subscribe to this list. The Sanctum patent is a method patent, meaning that Sanctum now owns the method for conducting a web application security audit. The patent was issued June 2003. Until the patent is declared invalid by either the United States Patent & Trademark Office (PTO) or the United States Federal court, Sanctum does in fact own this.

The question is, what is required to reverse this screw-up by the PTO? There are multiple ways to invalidate a patent, but the best way is to find a single piece of prior art that invalidates all of the primary claims in the patent. Whoever posted the original message on this subject appears to know his/her stuff; read the message carefully, the poster is asking for a single piece of prior art.

http://www.securityfocus.com/archive/107/349930/2004-01-16/2004-01-22/0

It's important that this be one piece of prior art, rather than two or more pieces that, when linked together, invalidate all of the claims. Tools that do some of this stuff are abundant and don't necessarily cause the PTO to change anything. One piece of prior art that 1) crawls, 2) discovers the links and input fields, 3) sends unauthorized requests, 4) reports on the results. This can be software, but it can also be a methodology followed by a pen tester as documented in his/her report. The prior art needs to be older than March 3, 2000, and it's better if it predates March 3, 1999.

No doubt (imo) that this is the right list. Where better to find someone that was doing application pen testing prior to March 3, 1999, and that documented his/her methodology! If that piece of prior art is revealed, there are plenty of Sanctum competitors that will quickly submit it to the PTO with a reexamination request.

Patents don't work like copyrights and trademarks. Sanctum does not have to stop violators to maintain its ownership. They can lie in the weeds and pick off individual competitors. In other words, whenever anyone starts to either make money or pose a competitive threat, Sanctum can come after them. They can insist on a license fee, or they can make the infringer stop and pay damages. Anything released as open source after the patent issue date is also subject to this, and Sanctum can come after the releasing party.

We could debate the merits of this law indefinitely, but that's not the point. I agree with you Mark. We should care about this, and we should find that piece of prior art that will make this silly nonsense go away.