WebApp Sec mailing list archives

RE: Web Application Penetration Testing Methodology Patent


From: <pentester2189114 () hushmail com>
Date: Mon, 19 Jan 2004 05:20:27 -0800

Hi Mark, you may have already received this message, if so please disregard
this one.

I agree that the Sanctum patent should be a really important issue for
the web security industry and the people that subscribe to this list.

The Sanctum patent is a “method” patent, meaning that Sanctum now owns
the method for conducting a web application security audit.  The patent
was issued June 2003.  Until the patent is declared invalid by either
the United States Patent & Trademark Office (PTO) or the United States
Federal court, Sanctum does in fact own this.  The question is, what
is required to reverse this screw up by the PTO?

There are multiple ways to invalidate a patent, but the best way is to
find a single piece of “prior art” that invalidates all of the primary
claims in the patent.  Whoever posted the original message on this subject
appears to know his/her stuff; read the message carefully, the poster
is asking for a single piece of “prior art.”

http://www.securityfocus.com/archive/107/349930/2004-01-16/2004-01-22/0

It’s important that this be one piece of “prior art,” rather than two
or more pieces that, when linked together, invalidate all of the claims.
Tools that do some of this stuff are abundant and don’t necessarily
cause the PTO to change anything.  One piece of “prior art” that 1) crawls,
2) discovers the links and input fields, 3) sends unauthorized requests,
4) reports on the results.  This can be software, but it can also be
a methodology followed by a pen tester as documented in his/her report.
The “prior art” needs to be older than March 3, 2000, and it’s better
if it predates March 3, 1999.

No doubt (imo) that this is the right list.  Where better to find someone
that was doing application pen testing prior to March 3, 1999, and that
documented his/her methodology!  If that piece of “prior art” is revealed,
there are plenty of Sanctum competitors that will quickly submit it
to the PTO with a reexamination request.

Patents don’t work like copyrights and trademarks.  Sanctum does not
have to stop violators to maintain its ownership.  They can lie in the
weeds and pick off individual competitors.  In other words, whenever
anyone starts to either make money or pose a competitive threat, Sanctum
can come after them.  They can insist on a license fee, or they can make
the infringer stop and pay damages.  Anything released as open source
after the patent issue date is also subject to this, and Sanctum can
come after the releasing party.  We could debate the merits of this law
indefinitely, but that’s not the point.

I agree with you Mark.  We should care about this, and we should find
that piece of “prior art” that will make this silly nonsense go away.