WebApp Sec mailing list archives

Sanctum Patent Summary


From: <patent.crapscan () hushmail com>
Date: Tue, 20 Jan 2004 15:52:27 -0800

Firstly I am not a lawyer and what follows is my personal commentary.
I am posting this from a hushmail account as I need to protect my identity
and not have my views associated with my employer in any way. For the
record I work for a fin serv company in NYC and spent much of Friday
on the phone to various venture capitalists and recruiters who (like
em or loathe em) have their ears to the ground on these matters.

I do think it’s a significant issue and want to ensure my information
is out there so that others can act if they think it’s appropriate. I
also appreciate the moderator’s fine line on this issue and hope they
let this post through on the basis it adds significant value. I think
it (as with all other securityfocus mailing lists) has been handled well,
allowing free discussion without degenerating into noise.

The facts as I see them are as follows.

Sanctum has obtained two patents, one for black box web application auditing
and one for web application IDS. The testing patent is a method patent
that covers both process and technology.

There has been much debate about what / how this patent could be enforced.
Word on the street is that 3 demands for licenses have already been issued
(2 for the testing, 1 for the IDS). No services demands have yet been
made or any to open source software. From advice it seems that these are
fairly standard tactics for a company in this position. By issuing demands
to your biggest competitors, you ensure that any merger or acquisition
activity focused on your competitors is stopped dead in the water and
increase your chances of being consumed. It also prevents new companies
from entering the market with fines significantly higher for people knowingly
violating a patent.  Any company with its back to the wall, lower than
expected sales, significant money owed to VCs for a long period has
to find a way to pay it back. This is a proven alternative business strategy
and most likely what is being played out here.

It doesn’t help if your software isn’t great either. Most of the financial
services companies that I have spoken to are generally disappointed with
this class of software and are either not purchasing or not renewing maintenance.
Most have seen the inherent weakness of this kind of testing and are
opting for a more efficient process of building a good SDLC and undertaking
code review and manual inspection. The January article in Info Security
Magazine probably didn’t help sales much either. 

http://infosecuritymag.techtarget.com/2003/jan/toc.shtml

Intrigued to see if they have got any better over the last year I and
some others ran them against OWASP’s WebGoat 3.0. The best any could
do was 4 with Sanctum product at the bottom of the pile managing 1. The
EULA prevents details being published (and in fairness we didn't tune
anything) but I think someone needs to find a way to benchmark these
things officially.


A quick scan of the patent office makes it look to me like they are in violation
of several patents themselves. Obvious ones like web crawling and javascript
parsing / execution. However advice indicates that this is also normal
with patent bargaining the norm. Many companies also obtain patents so
that companies can’t do to them what Sanctum appear to be doing to others,
i.e. defensive. They never use them maliciously. The URL is patented
for instance. This means those patents may have no impact on the overall
picture here. 

The patent is a US patent which means it is only enforceable on US companies
producing software and services in the US. In other cases of this sort
of issue, the development has been forced to move off-shore which just
hurts the US economy.

Most people I have spoken to agree it is highly unlikely this would be
enforced on individuals although it could.

I have a few community ideas:

Build Better Open Source Tools
Work with EFF to invalidate Patent
Vote with your Wallet

Gather open source developers together and build a tool that’s better
than the commercial tools. This has obviously happened well with nessus
but today there is no open source alternative that has the same features.
GPL the code and copyright it to the EFF or similar. Merge Nikto, Paros,
WebScarab etc for a start.

There are several ways to invalidate this:

1. Let the commercial vendors nuke it out
2. Prior art (see original post)
3. Show obviousness

One way to show obviousness is to create a petition at somewhere like
www.petitiononline.com stating that the method is so obvious it is the
way anyone would do it and has been doing it. Get some big names in the
industry to sign it and let the commercial vendors take it to court.

The other way is to let the company know what you think of them by returning
licenses, telling them you do not like the practice and not renewing
maintenance / annual license. 

I hope this is a reasonable and accurate summary and that this post makes
it to the list. Again thanks to all the great people on this list. I
have learnt a lot from it and wanted to give something back when I could.



