RSnake blogged on this first but I can't help but comment on it. Essentially, Cenzic managed to get a patent issued on the technique of fault injection, and now they're getting litigious. The abstract from the patent reads as follows:

A method of testing a target in a network by fault injection, includes: defining a transaction baseline; modifying at least one of an order and a structure of the transaction baseline to obtain a modified transaction with malformed grammar; and transmitting the modified transaction to a target. The method may further include, receiving a feedback from the target to determine fault occurrence. An apparatus for testing a target in a network by fault injection, includes: a driver configured to generate patterns, where a pattern can generate a plurality of packets for transmission to the target, the pattern being represented by an expression with a literal string and a wild character class; and a network interface coupled to the driver and configured to transmit and receive network traffic.
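To make the claimed method concrete, here is an added example, not code from the post or from any of the tools or vendors it names: a minimal fault injector over a baseline HTTP request that walks the four steps in the abstract (define a baseline transaction, modify its order and structure into malformed grammar, transmit, read back feedback to spot a fault), plus a small expander for "an expression with a literal string and a wild character class". The target is a constructed, deliberately fragile request parser standing in for a remote server, and the `[...]` class syntax is an assumed mini-syntax, not the patent's; nothing here touches the network.

```python
"""Minimal fault injector over a baseline HTTP request (added example; the
target and the [..] pattern syntax are constructed assumptions)."""
import itertools
import re
from typing import Callable, Iterable, Iterator, List, Tuple

Headers = List[Tuple[str, str]]

# Baseline transaction: one well-formed request the target is known to accept.
BASELINE_LINE = "GET /index.html HTTP/1.1"
BASELINE_HEADERS: Headers = [("Host", "example.test"),
                             ("User-Agent", "fuzz/0.1"),
                             ("Accept", "*/*")]


def render(line: str, headers: Headers, sep: str = ": ") -> bytes:
    """Serialise a request line plus headers into the bytes put on the wire."""
    return (line + "\r\n"
            + "".join(f"{k}{sep}{v}\r\n" for k, v in headers)
            + "\r\n").encode("latin-1")


def mutate_order(line: str, headers: Headers) -> Iterator[Tuple[str, bytes]]:
    """'Modifying ... an order': every permutation of the baseline headers."""
    for perm in itertools.permutations(headers):
        yield "order:" + ",".join(k for k, _ in perm), render(line, list(perm))


def mutate_structure(line: str, headers: Headers) -> Iterator[Tuple[str, bytes]]:
    """'Modifying ... a structure': break the request grammar in named ways."""
    yield "no-version", render(line.rsplit(" ", 1)[0], headers)
    yield "no-colon", render(line, headers, sep=" ")
    yield "empty-header-name", render(line, [("", "x")] + headers)
    yield "dup-host", render(line, headers + [("Host", "other.test")])
    yield "long-path", render(line.replace("/index.html", "/" + "A" * 4096), headers)
    yield "bare-lf", render(line, headers).replace(b"\r\n", b"\n")


def expand_pattern(pattern: str) -> Iterator[str]:
    """Expand 'literal string plus wild character class' into concrete strings.
    Assumed mini-syntax: [abc] is a class, everything else is literal, so
    'id=[12]&x=[ab]' yields id=1&x=a, id=1&x=b, id=2&x=a, id=2&x=b."""
    parts = [p for p in re.split(r"(\[[^\]]*\])", pattern) if p]
    choices = [list(p[1:-1]) if p.startswith("[") else [p] for p in parts]
    for combo in itertools.product(*choices):
        yield "".join(combo)


def fragile_target(packet: bytes) -> int:
    """Constructed stand-in for the server: returns an HTTP status code.
    It assumes the grammar is well formed (a deliberate bug), so malformed
    input raises out of it instead of producing a clean 400."""
    head = packet.decode("latin-1").split("\r\n\r\n", 1)[0]
    lines = head.split("\r\n")
    method, path, version = lines[0].split(" ")   # blows up on a bad request line
    if len(path) > 1024:
        return 414
    seen = {}
    for header in lines[1:]:
        name, value = header.split(":", 1)        # blows up when the colon is missing
        if not name:
            return 400
        seen[name.lower()] = value.strip()
    return 200 if "host" in seen else 400


def run_campaign(target: Callable[[bytes], int],
                 cases: Iterable[Tuple[str, bytes]]) -> List[Tuple[str, str]]:
    """Transmit each modified transaction and record the feedback: the status
    the target returned, or the exception it died with (a 'fault occurrence')."""
    results = []
    for label, packet in cases:
        try:
            results.append((label, f"status {target(packet)}"))
        except Exception as exc:  # a crash in the target is what we are hunting
            results.append((label, f"FAULT {type(exc).__name__}: {exc}"))
    return results


def faults(results: List[Tuple[str, str]]) -> List[str]:
    """Labels of the cases that made the target fall over."""
    return [label for label, feedback in results if feedback.startswith("FAULT")]


def all_cases() -> List[Tuple[str, bytes]]:
    """Order mutations, structure mutations, then a pattern-driven batch."""
    cases = list(mutate_order(BASELINE_LINE, BASELINE_HEADERS))
    cases += mutate_structure(BASELINE_LINE, BASELINE_HEADERS)
    for line in expand_pattern("GET /index.html?id=[1a'] HTTP/1.[01]"):
        cases.append(("pattern:" + line, render(line, BASELINE_HEADERS)))
    return cases


if __name__ == "__main__":
    for label, feedback in run_campaign(fragile_target, all_cases()):
        print(f"{label:40} {feedback}")
```

Against this target the header permutations and the pattern batch all come back clean, the empty header name and the oversized path get a proper 400 and 414, and three structural mutations (missing version, missing colon, bare LF line endings) crash the parser. The point of the feedback step is exactly that distinction: a clean error is the grammar being enforced, an exception is a fault.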

Late last month, they filed suit for patent infringement against SPI Dynamics, who makes WebInspect, one of the leading web application scanners on the market. Conveniently, they waited until after SPI was acquired by HP, which clearly has much deeper pockets than the previously privately-held SPI.

Why do patents keep getting issued for techniques and methods that have been common practice for years? If you were doing application security consulting in the late 90s or early 2000s, chances are you were using fault injection. Back at @stake, I know of two tools that we released in the 2000-01 timeframe specifically around fault injection -- one was Dave Aitel's sharefuzz tool (still available from Immunity) and another was Frank Swiderski's feszer. And those were just the tools that were publicly released. Other security consultancies at the time were certainly using similar techniques. There's no way the Cenzic patent has any merit; there's too much prior art out there.

Remember the Watchfire patent on web application scanning?

A method for detecting security vulnerabilities in a web application includes analyzing the client requests and server responses resulting therefrom in order to discover pre-defined elements of the application's interface with external clients and the attributes of these elements. The client requests are then mutated based on a pre-defined set of mutation rules to thereby generate exploits unique to the application. The web application is attacked using the exploits and the results of the attack are evaluated for anomalous application activity.
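As an added example, not code from the post or from Watchfire/IBM, here is that four-step method as a toy scanner in Python: discover the form and its inputs (with attributes such as maxlength) from the server's HTML, derive per-field mutations from a small rule set so the resulting requests are specific to this application's interface, send them, and flag responses that differ from a baseline response. The application is a constructed in-process handler with three deliberate weaknesses; the rule set, the error-string signature and the host attacker.test are assumptions, not anything the page describes.

```python
"""Toy web application scanner following the four steps in the abstract
(added example; the server, the mutation rules and the error signature are
constructed assumptions)."""
import re
from html.parser import HTMLParser
from typing import Callable, Dict, List, Optional, Tuple

Response = Tuple[int, str]          # (status code, body)
Server = Callable[[str, Dict[str, str]], Response]

# Constructed target: one page, one form, three deliberate weaknesses.
LOGIN_PAGE = """<html><body>
<form action="/login" method="post">
  <input type="text" name="user" maxlength="32">
  <input type="password" name="pass">
  <input type="hidden" name="next" value="/home">
  <input type="submit" value="Go">
</form></body></html>"""


def fake_server(path: str, params: Dict[str, str]) -> Response:
    """Stand-in for the web application; nothing here touches the network."""
    if path == "/":
        return 200, LOGIN_PAGE
    if path != "/login":
        return 404, "not found"
    user = params.get("user", "")
    pw = params.get("pass", "")
    nxt = params.get("next", "")
    if "'" in user:                      # constructed bug: quote reaches a query string
        return 200, f"DBError: syntax error near \"'\" in ... WHERE name='{user}'"
    if len(pw) > 256:                    # constructed bug: long password crashes a backend
        return 500, "Internal Server Error"
    if "://" in nxt:                     # constructed bug: unvalidated redirect target
        return 302, f"Location: {nxt}"
    return 200, f"Login failed for {user}"


class FormFinder(HTMLParser):
    """Step 1: discover the interface elements (forms, inputs) and their attributes."""

    def __init__(self) -> None:
        super().__init__()
        self.forms: List[Dict] = []

    def handle_starttag(self, tag: str, attrs: List[Tuple[str, Optional[str]]]) -> None:
        a = dict(attrs)
        if tag == "form":
            self.forms.append({"action": a.get("action") or "/",
                               "method": (a.get("method") or "get").lower(),
                               "inputs": []})
        elif tag == "input" and self.forms and a.get("type") != "submit":
            self.forms[-1]["inputs"].append({"name": a.get("name"),
                                             "type": a.get("type") or "text",
                                             "value": a.get("value") or "",
                                             "maxlength": a.get("maxlength")})


# Step 2: mutation rules, parameterised by the discovered field so the
# generated requests are specific to this application's interface.
MUTATION_RULES: Dict[str, Callable[[Dict, str], str]] = {
    "sql-quote": lambda field, value: value + "'",
    "overlong": lambda field, value: "A" * (2 * int(field["maxlength"]) if field["maxlength"] else 300),
    "external-url": lambda field, value: "http://attacker.test/",   # constructed host
}

# Assumed signature of a leaked database error; a real scanner carries many more.
ERROR_SIGNATURE = re.compile(r"(?i)\b(sql|odbc|dberror|syntax error|ora-\d+)\b")


def is_anomalous(base: Response, resp: Response, injected: str) -> Optional[str]:
    """Step 4: compare the attacked response with the baseline response."""
    status, body = resp
    if status >= 500:
        return "server error"
    if status in (301, 302) and injected in body and base[0] not in (301, 302):
        return "redirect to injected URL"
    if status != base[0]:
        return f"status changed {base[0]} -> {status}"
    if ERROR_SIGNATURE.search(body) and not ERROR_SIGNATURE.search(base[1]):
        return "error message leaked"
    return None


def scan(server: Server) -> List[Tuple[str, str, str]]:
    """Steps 1-4 end to end; returns (field, rule, why-anomalous) findings."""
    finder = FormFinder()
    finder.feed(server("/", {})[1])
    findings = []
    for form in finder.forms:
        base_params = {i["name"]: i["value"] or "test" for i in form["inputs"]}
        base = server(form["action"], base_params)       # baseline for comparison
        for field in form["inputs"]:
            for rule_name, rule in MUTATION_RULES.items():
                injected = rule(field, base_params[field["name"]])
                params = dict(base_params, **{field["name"]: injected})
                resp = server(form["action"], params)     # Step 3: attack
                reason = is_anomalous(base, resp, injected)
                if reason:
                    findings.append((field["name"], rule_name, reason))
    return findings


if __name__ == "__main__":
    for field, rule, reason in scan(fake_server):
        print(f"{field:6} {rule:13} {reason}")
```

Worth noticing: one of the three findings comes back with a 200, so a scanner that only watches status codes would miss it; the comparison against the baseline response and the error-signature match are what catch it. That evaluation step is what separates this from blind fault injection.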

Yes, plenty of people were doing that before the patent was issued in 2001. There weren't a lot of automated web application scanners at the time, but methodology-wise, that's how people did manual penetration testing. Now that Watchfire (actually IBM) holds a patent on it, all of the other vendors, Cenzic and SPI/HP included, have to pay significant royalties to stay in business. What this also does is discourage new and better tools from entering the market. Creativity is stifled for fear of IBM knocking on the door and demanding their cut.

There will be a lot of eyes on the Cenzic vs. SPI case as it clearly has far-reaching implications for the security industry. Chances are it'll get settled out of court and a licensing agreement reached, since it'd be a drop in the bucket for HP. Hopefully HP chooses to fight it, though, because they can win this one.

About Chris Eng

Chris Eng, vice president of research, is responsible for integrating security expertise into Veracode’s technology. In addition to helping define and prioritize the security feature set of the Veracode service, he consults frequently with customers to discuss and advance their application security initiatives. With over 15 years of experience in application security, Chris brings a wealth of practical expertise to Veracode.

Comments (6)

Kyle C. Quest | August 21, 2007 11:20 am

It won't be too bad if HP loses... Maybe they'll learn a valuable lesson and stop similar patent applications themselves (e.g., their attempt to patent an IPS system that uses vulnerability-based signatures/fingerprints/whateveryouwannacallit).

Christofer Hoff | August 21, 2007 4:00 pm

Eng Asketh:

"Why do patents keep getting issued for techniques and methods that have been common practice for years?"

Hoff Respondeth:



CEng | August 21, 2007 4:28 pm

@Hoff: Hah, yes, OK perhaps better wording was in order. I know why companies file for them. I just wish there was a guy at the USPTO to look at things like that and say "you must be kidding me" instead of just pulling out the rubber stamp.

Here's another great one, US Patent 7228298 (courtesy of LawGeek).

Mark Curphey | August 22, 2007 7:46 am

If you ever talk to a patent attorney about an idea, most will start the conversation with something along the lines of “assume that whatever you are doing has been done before, now let’s start to think about our claims”. Most patent attorneys will encourage people to write claims that cannot be copied easily; others will encourage clients to write claims that others will easily or inadvertently trip over. Neither patent is “rocket science”, and there are a number of researchers and consultants who have been using these broad techniques for many years before the patents were granted.

Cenzic have a history of making “interesting claims” such as claiming that they can automatically scan for the OWASP Top Ten. Without having ever touched or seen their tools I can tell you categorically that they can’t because no automated tools can with any credible degree of accuracy or completeness. Based on this history I would tend to consider any claims they make with a healthy dose of skepticism!

Now Ita | October 3, 2007 10:46 am

From reading through Chris Eng's post, it seems like he has an underlying issue with the patent process. So instead of criticizing Cenzic and Watchfire so harshly, it looks like you should be venting your anger at the patent process.

Oh btw, HP/SPI and Cenzic patent cases just got settled. You claimed: "Hopefully HP chooses to fight it, though, because they can win this one." Obviously HP DISAGREES with you because they probably didn't have a solid leg to stand on hence they settled.

Oh btw2, Veracode appears to be offering security consulting services. Is the service truly unbiased? It seems like, as a prospective client, if I came up to you to recommend a tool to use in our corporate web apps, I would already know what tool you would recommend even without reading your justification.

Your approach to rush to judgement really does a dis-service to the consulting community.

My suggestion to you: Get all the facts and pass judgement like a consultant with an unbiased or not-already-made-up mind. Be vendor-neutral and we will read your comments with better credibility.

CEng | October 3, 2007 5:33 pm

@Now Ita: I think you're the one who's rushing to judgment here. Settlement certainly does not mean that HP didn't have a leg to stand on. It means that they weighed the potential legal costs (both monetary and publicity) against the cost of settling the case, and made a business decision.

Consider a hypothetical lawsuit completely unrelated to the patent process. A guy sues WidgetMart after slipping on a wet floor and hurting his back. There were warning signs around the spill and an employee telling people to be careful, but the guy wasn't paying attention. Does WidgetMart have a case here? Sure. But they'll still opt to settle for $50K rather than spend hundreds of thousands on lawyers and wait months, if not years, for the case to be tried in court.

Finally, regarding your comment that I'm biased toward certain tools, I think you missed the point of the post entirely. It was not to say that one tool is better than another, it was to point out that companies who hold patents on common, well-known techniques effectively create a barrier to entry for smaller companies with potentially innovative technology who can't afford to pony up for the licensing costs.
