WebApp Sec mailing list archives
Sanctum Patent Summary
From: <patent.crapscan () hushmail com>
Date: Tue, 20 Jan 2004 15:52:27 -0800
Firstly, I am not a lawyer and what follows is my personal commentary. I am posting this from a Hushmail account as I need to protect my identity and not have my views associated with my employer in any way. For the record, I work for a fin serv company in NYC and spent much of Friday on the phone to various venture capitalists and recruiters who (like 'em or loathe 'em) have their ears to the ground on these matters. I do think it's a significant issue and want to ensure my information is out there so that others can act if they think it's appropriate. I also appreciate the moderators' fine line on this issue and hope they let this post through on the basis that it adds significant value. I think it (as with all other SecurityFocus mailing lists) has been handled well, allowing free discussion without degenerating into noise.

The facts as I see them are as follows. Sanctum has obtained two patents, one for black box web application auditing and one for web application IDS. The testing patent is a method patent that covers both process and technology. There has been much debate about what / how this patent could be enforced. Word on the street is that 3 demands for licenses have already been issued (2 for the testing, 1 for the IDS). No services demands have yet been made, nor any to open source software.

From advice, it seems that this is fairly standard tactics for a company in this position. By issuing demands to your biggest competitors, you ensure that any merger or acquisition activity focused on your competitors is stopped dead in the water and increase your chances of being consumed. It also prevents new companies from entering the market, with fines significantly higher for people knowingly violating a patent. Any company with its back to the wall, lower than expected sales, and significant money owed to VCs for a long period has to find a way to pay it back. This is a proven alternative business strategy and most likely what is being played out here.
It doesn't help if your software isn't great either. Most of the financial services companies that I have spoken to are generally disappointed with this class of software and are either not purchasing or not renewing maintenance. Most have seen the inherent weakness of this kind of testing and are opting for a more efficient process of building a good SDLC and undertaking code review and manual inspection. The January article in Info Security Magazine probably didn't help sales much either: http://infosecuritymag.techtarget.com/2003/jan/toc.shtml

Intrigued to see if they have got any better over the last year, I and some others ran them against OWASP's WebGoat 3.0. The best any could do was 4, with Sanctum's product at the bottom of the pile managing 1. The EULA prevents details being published (and in fairness we didn't tune anything), but I think someone needs to find a way to benchmark these things officially.

A quick scan of the patent office looks to me like they are in violation of several patents themselves. Obvious ones like web crawling and JavaScript parsing / execution. However, advice indicates that this is also normal, with patent bargaining the norm. Many companies also obtain patents so that companies can't do to them what Sanctum appear to be doing to others, i.e. defensive. They never use them maliciously. The URL is patented, for instance. This means those patents may have no impact on the overall picture here.

The patent is a US patent, which means it is only enforceable on US companies producing software and services in the US. In other cases of this sort of issue, the development has been forced to move off-shore, which just hurts the US economy. Most people I have spoken to agree it is highly unlikely this would be enforced on individuals, although it could.
I have a few community ideas:

1. Build Better Open Source Tools
2. Work with EFF to invalidate Patent
3. Vote with your Wallet

Gather open source developers together and build a tool that's better than the commercial tools. This has obviously happened well with Nessus, but today there is no open source alternative that has the same features. GPL the code and copyright it to the EFF or similar. Merge Nikto, Paros, WebScarab etc. for a start.

There are several ways to invalidate this:
1. Let the commercial vendors nuke it out
2. Prior art (see original post)
3. Show obviousness

One way to show obviousness is to create a petition at somewhere like www.petitiononline.com stating that the method is so obvious it is the way anyone would do it and has been doing it. Get some big names in the industry to sign it and let the commercial vendors take it to court.

The other way is to let the company know what you think of them by returning licenses, telling them you do not like the practice and not renewing maintenance / annual license.

I hope this is a reasonable and accurate summary and that this post makes it to the list. Again, thanks to all the great people on this list. I have learnt a lot from it and wanted to give something back when I could.