RSnake blogged on this first but I can’t help but comment on it. Essentially, Cenzic managed to get a patent issued on the technique of fault injection, and now they’re getting litigious. The abstract from the patent reads as follows:
A method of testing a target in a network by fault injection, includes: defining a transaction baseline; modifying at least one of an order and a structure of the transaction baseline to obtain a modified transaction with malformed grammar; and transmitting the modified transaction to a target. The method may further include, receiving a feedback from the target to determine fault occurrence. An apparatus for testing a target in a network by fault injection, includes: a driver configured to generate patterns, where a pattern can generate a plurality of packets for transmission to the target, the pattern being represented by an expression with a literal string and a wild character class; and a network interface coupled to the driver and configured to transmit and receive network traffic.
Late last month, they filed suit for patent infringement against SPI Dynamics, who makes WebInspect, one of the leading web application scanners on the market. Conveniently, they waited until after SPI was acquired by HP, which clearly has much deeper pockets than the previously privately-held SPI.
Why do patents keep getting issued for techniques and methods that have been common practice for years? If you were doing application security consulting in the late 90s or early 2000s chances are you were using fault injection. Back at @stake, I know of two tools that we released in the 2000-01 timeframe specifically around fault injection — one was Dave Aitel’s sharefuzz tool (still available from Immunity) and another was Frank Swiderski’s feszer. And those were just the tools that were publicly released. Other security consultancies at the time were certainly using similar techniques. There’s no way the Cenzic patent has any merit, there’s too much prior art out there.
Remember the Watchfire patent on web application scanning?
A method for detecting security vulnerabilities in a web application includes analyzing the client requests and server responses resulting therefrom in order to discover pre-defined elements of the application’s interface with external clients and the attributes of these elements. The client requests are then mutated based on a pre-defined set of mutation rules to thereby generate exploits unique to the application. The web application is attacked using the exploits and the results of the attack are evaluated for anomalous application activity.
Yes, plenty of people were doing that before the patent was issued in 2001. There weren’t a lot of automated web application scanners at the time, but methodology-wise, that’s how people did manual penetration testing. Now that Watchfire (actually IBM) holds a patent on it, all of the other vendors, Cenzic and SPI/HP included, have to pay significant royalties to stay in business. What this also does is discourages new and better tools from entering the market. Creativity is stifled for fear of IBM knocking on the door and demanding their cut.
There will be a lot of eyes on the Cenzic vs. SPI case as it clearly has far-reaching implications for the security industry. Chances are it’ll get settled out of court and a licensing agreement reached, since it’d be a drop in the bucket for HP. Hopefully HP chooses to fight it, though, because they can win this one.