[Owasp-leaders] Owasp Inquiry on "Cenzic patent on 'Fault injection methods and apparatus' "

Chris Weber chris at casaba.com
Thu Mar 10 12:47:01 EST 2011


I came across the attached Claim 10 that Cenzic is making against NTOSpider.  This reads as a ‘Method’ patent, in which case Cenzic could apply this to manual penetration/security testing as well.  Am I right?  I’m assuming that their management is less interested in that.  I assume they want to win a few battles against small product companies so they can later approach larger ones and claim their royalties from the higher earners like Whitehat.  I assume a lot of things.

-Chris


From: Chris Weber
Sent: Thursday, February 17, 2011 4:23 PM
To: owasp-leaders at lists.owasp.org
Cc: Mark Curphey
Subject: RE: [Owasp-leaders] Owasp Inquiry on "Cenzic patent on 'Fault injection methods and apparatus' "

I’m eager to hear how that phone call goes.  Hearing how Cenzic has threatened litigation against NTO, Veracode, Acunetix, and others, their view seems pretty clear.

-Chris

From: owasp-leaders-bounces at lists.owasp.org [mailto:owasp-leaders-bounces at lists.owasp.org] On Behalf Of John Wilander
Sent: Thursday, February 17, 2011 3:12 PM
To: owasp-leaders at lists.owasp.org
Cc: owasp-leaders at lists.owasp.org; Mark Curphey
Subject: Re: [Owasp-leaders] Owasp Inquiry on "Cenzic patent on 'Fault injection methods and apparatus' "

Check the logos on the AppSec USA 2010 page:
http://www.owasp.org/index.php/AppSec_US_2010,_CA#tab=Sponsors

Can OWASP keep accepting Cenzic's money if we act on the patent issue? I sense potential hypocrisy.

Why not a diplomatic outreach first? Jeff calling Cenzic's CEO, telling him of the community concern and asking for their view. I'd prefer starting there.

Regards, John


Sent from my iPad

On 17 Feb 2011, at 19:57, Rex Booth <rex.booth at owasp.org> wrote:
This "issue" is not new.  Patent squatting and similar activities are a prevalent problem throughout the US intellectual property system.  To my knowledge, OWASP has not addressed these problems in the past, so I'm at a loss to understand why we would do so now.

I, as an individual, am personally and professionally irritated by Cenzic's claim - as I'm sure we all are.  But that doesn't mean that OWASP has a play at this point.

You asked if we should wait until they come for us.  In my opinion, that is exactly what we should do.  Because until that point, their actions really have no appreciable impact on our ability to fulfill our mission.  In the meantime, let the battle be waged by the organizations who have a mission to fight these kinds of actions.  Otherwise we risk getting in WAY over our heads and drifting far from our core mission.

Rex


On 2/17/2011 1:29 PM, dinis cruz wrote:
The problem with this case is that if OWASP doesn't do anything, that in itself is taking a position (some might argue that it would be the equivalent of 'putting the head into the sand and ignoring what is happening').

This is definitely a case where we will be damned if we do and damned if we don't (ignoring this will not make the issue go away).

This case goes to the heart of a lot of things at OWASP (including our ability to continue to innovate on the WebApp tools space).

In fact, as some of the recommendations already provided in this small thread clearly show, if there is no clear 'position' and guidelines from OWASP's community, we will actually create a much worse environment.

We need to start this process from the point of view that we need to listen to both sides of the story; we first need to clarify what the facts are and what is really going on.

We shouldn't start from the premise that Cenzic is wrong, that its products should be boycotted or that the WebAppSec buyers should buy Cenzic's competitors' products.

Dinis Cruz
On 17 February 2011 18:19, Dan Cornell <dan at denimgroup.com> wrote:
> What I would do: 1) Buy NTObjectives' scanner and/or service and
> recommend it to others. 2) cite Cenzic for breach-of-contract of their
> software support & upgrade contracts, if you are a current customer of
> theirs (one cannot reasonably expect a company to be able to upgrade
> their product if they are forcing stifled innovation in a growing and
> needy industry), 3) If you're a Veracode customer, consider trading
> your credits (or budget for the year) to dynamic analysis services
> (which can only stand to help NTObjectives), and 4) If you are an
> attorney, or have a GC at your company, contact NTObjective's legal
> counsel.
>
> It also appears that one can list prior art on that stop232patent.com
> website, but I have no idea what fits the criteria. Elza? Nikto?
> Phrack magazine's 1998 article on SQL injection? OULU's work on
> PROTOS? Wisc.edu Bart Miller's 1989 work on fuzz.c? Gary McGraw's 1998
> book on "Software Fault Injection"?
>
Agreed!  I suppose my point is that these are all decisions/activities that make sense for people or firms to take in their name, not in the OWASP name.  And I think that is a healthier approach versus OWASP holding an ominously-named "Inquiry" into a Supporter organization (or any organization, for that matter).  Now if OWASP wanted to start a "Prior Art" project that might be something...

Thanks,

Dan

_______________________________________________
OWASP-Leaders mailing list
OWASP-Leaders at lists.owasp.org
https://lists.owasp.org/mailman/listinfo/owasp-leaders

-------------- next part --------------
A non-text attachment was scrubbed...
Name: NTOSpider Infringement of Cenzic Patent.pdf
Type: application/pdf
Size: 444282 bytes
Desc: NTOSpider Infringement of Cenzic Patent.pdf
Url : https://lists.owasp.org/pipermail/owasp-leaders/attachments/20110310/9b9fa3b7/attachment-0001.pdf 