Comments on: Cenzic Taking SPI to Court http://www.veracode.com/blog/2007/08/cenzic-taking-spi-to-court/ Application security testing, analysis, and metrics Tue, 15 May 2012 22:16:53 +0000 hourly 1 http://wordpress.org/?v=3.3.1 By: Chris Eng http://www.veracode.com/blog/2007/08/cenzic-taking-spi-to-court/comment-page-1/#comment-577 Chris Eng Wed, 03 Oct 2007 22:33:45 +0000 http://www.veracode.com/blog/?p=57#comment-577 @Now Ita: I think you're the one who's rushing to judgment here. Settlement certainly does not mean that HP didn't have a leg to stand on. It means that they weighed the potential legal costs (both monetary and publicity) against the cost of settling the case, and made a business decision. Consider a hypothetical lawsuit completely unrelated to the patent process. A guy sues WidgetMart after slipping on a wet floor and hurting his back. There were warning signs around the spill and an employee telling people to be careful, but the guy wasn't paying attention. Does WidgetMart have a case here? Sure. But they'll still opt to settle for $50K rather than spend hundreds of thousands on lawyers and waiting months, if not years, for the case to be tried in court. Finally, regarding your comment that I'm biased toward certain tools, I think you missed the point of the post entirely. It was not to say that one tool is better than another, it was to point out that companies who hold patents on common, well-known techniques effectively create a barrier to entry for smaller companies with potentially innovative technology who can't afford to pony up for the licensing costs. @Now Ita: I think you’re the one who’s rushing to judgment here. Settlement certainly does not mean that HP didn’t have a leg to stand on. It means that they weighed the potential legal costs (both monetary and publicity) against the cost of settling the case, and made a business decision.

Consider a hypothetical lawsuit completely unrelated to the patent process. A guy sues WidgetMart after slipping on a wet floor and hurting his back. There were warning signs around the spill and an employee telling people to be careful, but the guy wasn’t paying attention. Does WidgetMart have a case here? Sure. But they’ll still opt to settle for $50K rather than spend hundreds of thousands on lawyers and waiting months, if not years, for the case to be tried in court.

Finally, regarding your comment that I’m biased toward certain tools, I think you missed the point of the post entirely. It was not to say that one tool is better than another, it was to point out that companies who hold patents on common, well-known techniques effectively create a barrier to entry for smaller companies with potentially innovative technology who can’t afford to pony up for the licensing costs.

]]> By: Now Ita http://www.veracode.com/blog/2007/08/cenzic-taking-spi-to-court/comment-page-1/#comment-576 Now Ita Wed, 03 Oct 2007 15:46:19 +0000 http://www.veracode.com/blog/?p=57#comment-576 From reading through Chris Eng's post, it seem like he has an underlining issue with the patent process. So instead of criticizing Cenzic and Watchfire so harshly, it looks like you should be vetting your anger at the patent process. Oh btw, HP/SPI and Cenzic patent cases just got settled. You claimed: "Hopefully HP chooses to fight it, though, because they can win this one." Obviously HP DISAGREES with you because they probably didn't have a solid leg to stand on hence they settled. Oh btw2, Veracode appear to be offering security consulting services. Is the service truly unbiased? It seem like as a prospective client, if I come up to you to recommend a tool to use in our corporate web apps, I already know what tool you would recommend even without reading your justification. Your approach to rush to judgement really does a dis-service to the consulting community. My suggestion to you: Get all the facts and pass judgement like a consultant with unbiased or not-already-made-up-mind. Be vendor-neutral and we will read your comments with better credibility. From reading through Chris Eng’s post, it seem like he has an underlining issue with the patent process. So instead of criticizing Cenzic and Watchfire so harshly, it looks like you should be vetting your anger at the patent process.

Oh btw, HP/SPI and Cenzic patent cases just got settled. You claimed: “Hopefully HP chooses to fight it, though, because they can win this one.” Obviously HP DISAGREES with you because they probably didn’t have a solid leg to stand on hence they settled.

Oh btw2, Veracode appear to be offering security consulting services. Is the service truly unbiased? It seem like as a prospective client, if I come up to you to recommend a tool to use in our corporate web apps, I already know what tool you would recommend even without reading your justification.

Your approach to rush to judgement really does a dis-service to the consulting community.

My suggestion to you: Get all the facts and pass judgement like a consultant with unbiased or not-already-made-up-mind. Be vendor-neutral and we will read your comments with better credibility.

]]> By: Mark Curphey http://www.veracode.com/blog/2007/08/cenzic-taking-spi-to-court/comment-page-1/#comment-549 Mark Curphey Wed, 22 Aug 2007 12:46:37 +0000 http://www.veracode.com/blog/?p=57#comment-549 If you ever talk to a patent attorney about an idea most will start the conversation with something along the lines of “assume that whatever you are doing has been done before, now let’s start to think about our claims”. Most patent attorneys will encourage people to write claims that cannot be copied easily, others will encourage clients to write claims that others will easily or inadvertently trip over. Neither patents are “rocket science” and there are a number of researchers and consultants who have been using these broad techniques for many years before the patents were granted. Cenzic have a history of making “interesting claims” such as claiming that they can automatically scan for the OWASP Top Ten. Without having ever touched or seen their tools I can tell you categorically that they can’t because no automated tools can with any credible degree of accuracy or completeness. Based on this history I would tend to consider any claims they make with a healthy dose of skepticism! If you ever talk to a patent attorney about an idea most will start the conversation with something along the lines of “assume that whatever you are doing has been done before, now let’s start to think about our claims”. Most patent attorneys will encourage people to write claims that cannot be copied easily, others will encourage clients to write claims that others will easily or inadvertently trip over. Neither patents are “rocket science” and there are a number of researchers and consultants who have been using these broad techniques for many years before the patents were granted.

Cenzic have a history of making “interesting claims” such as claiming that they can automatically scan for the OWASP Top Ten. Without having ever touched or seen their tools I can tell you categorically that they can’t because no automated tools can with any credible degree of accuracy or completeness. Based on this history I would tend to consider any claims they make with a healthy dose of skepticism!

]]> By: Chris Eng http://www.veracode.com/blog/2007/08/cenzic-taking-spi-to-court/comment-page-1/#comment-548 Chris Eng Tue, 21 Aug 2007 21:28:24 +0000 http://www.veracode.com/blog/?p=57#comment-548 @Hoff: Hah, yes, OK perhaps better wording was in order. I know why companies file for them. I just wish there was a guy at the USPTO to look at things like that and say "you must be kidding me" instead of just pulling out the rubber stamp. Here's <a href="http://patft.uspto.gov/netacgi/nph-Parser?Sect1=PTO1&Sect2=HITOFF&d=PALL&p=1&u=/netahtml/srchnum.htm&r=1&f=G&l=50&s1=7228298.PN." rel="nofollow">another great one</a> (courtesy of <a href="http://lawgeek.typepad.com/lawgeek/silly_patents_trix_are_for_kids/index.html" rel="nofollow">LawGeek</a>). @Hoff: Hah, yes, OK perhaps better wording was in order. I know why companies file for them. I just wish there was a guy at the USPTO to look at things like that and say “you must be kidding me” instead of just pulling out the rubber stamp.

Here’s another great one (courtesy of LawGeek).

]]> By: Christofer Hoff http://www.veracode.com/blog/2007/08/cenzic-taking-spi-to-court/comment-page-1/#comment-547 Christofer Hoff Tue, 21 Aug 2007 21:00:59 +0000 http://www.veracode.com/blog/?p=57#comment-547 Eng Asketh: "Why do patents keep getting issued for techniques and methods that have been common practice for years?" Hoff Respondeth: "$$$" EOM. Eng Asketh:

“Why do patents keep getting issued for techniques and methods that have been common practice for years?”

Hoff Respondeth:

“$$$”

EOM.

]]> By: Kyle C. Quest http://www.veracode.com/blog/2007/08/cenzic-taking-spi-to-court/comment-page-1/#comment-546 Kyle C. Quest Tue, 21 Aug 2007 16:20:31 +0000 http://www.veracode.com/blog/?p=57#comment-546 It won't be too bad if HP looses... Maybe they'll learn a valuable lesson and stop similar patent applications themselves (e.g., their attempt to patent an IPS system that uses vulnerability-based signatures/fingerprints/whateveryouwannacallit). It won’t be too bad if HP looses… Maybe they’ll learn a valuable lesson and stop similar patent applications themselves (e.g., their attempt to patent an IPS system that uses vulnerability-based signatures/fingerprints/whateveryouwannacallit).

]]>