[Owasp-leaders] Owasp Inquiry on "Cenzic patent on 'Fault injection methods and apparatus' "

Andre Gironda andreg at gmail.com
Thu Feb 17 13:12:44 EST 2011


On Thu, Feb 17, 2011 at 10:28 AM, Rogan Dawes <rogan at dawes.za.net> wrote:
> Hi Dan, leaders,
>
> The thing is, this DOES affect OWASP, in that OWASP tools are infringing
> on this patent. WebScarab has fuzzing functionality, and I suspect that
> ZAP does too.

This is a very valid point. OWASP must make a statement on this
software patent (and at least explain what Cenzic is doing, even if we
don't take a side), and I think we should make a statement on software
patents in general (regardless of what I believe on the matter and
BECAUSE IANAL, I don't really care either way how we respond as long
as we mention what we would do, as a community, when put in the shoes
of NTObjectives, or worse, a proxy tool like WebScarab). OWASP needs
fewer coders on the Board and more lawyers! (J/k!)

> Do we just wait until Cenzic comes after us?

Well, according to stop232patent.com (someone made me aware of
this site less than 24 hours before Dinis posted to this list), we
should send money to NTObjectives in order to stop this legal
entanglement now.

What I would do: 1) Buy NTObjectives' scanner and/or service and
recommend it to others; 2) cite Cenzic for breach of contract of their
software support & upgrade contracts, if you are a current customer of
theirs (one cannot reasonably expect a company to be able to upgrade
their product if they are forcing stifled innovation in a growing and
needy industry); 3) if you're a Veracode customer, consider trading
your credits (or budget for the year) to dynamic analysis services
(which can only stand to help NTObjectives); and 4) if you are an
attorney, or have a GC at your company, contact NTObjectives' legal
counsel.

It also appears that one can list prior art on that stop232patent.com
website, but I have no idea what fits the criteria. Elza? Nikto?
Phrack magazine's 1998 article on SQL injection? OULU's work on
PROTOS? Wisc.edu Bart Miller's 1989 work on fuzz.c? Gary McGraw's 1998
book on "Software Fault Injection"?

Best of luck,
Andre
