Archive Date
[ 21-02-2005 ]
Category
[ Information Technologies ]
sub-Category
[ Networking ]
[http://www.eweek.com/article/0,3658,s=702&a=22568,00.asp
White Hat Tools Turn IT Administrators Into White Hat Hackers
By John Taschek
February 11, 2002
Death, taxes and the fact that your computer systems are vulnerable are the only things that are certain - at least in our lifetimes. Unfortunately, many companies will find this out at least once. The problem is that they rely on vendors to disclose problems, and by then it's way too late.
Large companies, such as IBM, Oracle and Symantec, hire their own hacking staffs to try to contain vulnerabilities in their software. Many large organizations, meanwhile, hire security consultants, usually composed at least partially of reformed hackers, to stress-test their systems. Most companies, however, sit and wait. And then things go awry.
Statistics show, after all, that a large number of companies have had their systems compromised in some fashion during the last year (see http://www.securitystats.com).
Too bad they all can't be hackers. Maybe they can. A long time ago, products such as SATAN scanned systems for known vulnerabilities. They evolved into good business plans for companies, such as ISS. Now, security scanners are a dime a dozen. Well, perhaps they're more like $10,000 a dozen, but still the price isn't prohibitive, especially in light of what might happen if companies didn't use them. An insurance policy with no guarantees, so to speak.
Cenzic, meanwhile - a company that was once known as ClicktoSecure - has been developing a super vulnerability scanner based on an SDK they have had in the works. I had the chance to interview Cenzic's CEO Alan Henricks and CTO Greg Hoglund about the state of security scanners, and it's pretty clear that the company's vision is different from what else is out there.
The biggest problem, says Hoglund, is that security scanners are ineffective at solving security problems. Scanners use signature sets, tables of information about known vulnerabilities, so they can't offer protection from the most dangerous problems: the ones that haven't been exposed yet. Scanners are also application-specific and can't scan for vulnerabilities across an entire system.
Cenzic - the name is derived from "Center and Forensic" - meanwhile, moves beyond the reactive model and attempts to employ heuristic software fault-injection schemes to find holes in every facet of an application, from the network layer through the presentation layer.
Cenzic's product is named Hailstorm, a better use of the name than Microsoft's code-name for its .Net My Services. The big difference between Hailstorm and the current batch of scanners is in the fault-injection methodology. A scanner that just shoots faults aimlessly will not do anyone any good. Cenzic's intellectual property resides in targeted fault injection. For example, it's not going to fire SQL stored procedure errors at an FTP server.
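To make the distinction concrete, here is an added illustration (not code from this article, from Cenzic, or from Hailstorm) of a signature scanner beside a targeted fault injector, both run against a constructed toy FTP command parser. The banners, the signature table, the fault corpus and the parser's PORT-handling bug are all invented for the example; the point is that the signature table, which only knows about banners it has seen before, reports nothing, while protocol-appropriate malformed input finds the unpublished hole, and the SQL payloads in the corpus are never sent to the FTP target.

```python
# Added example, not code from the article or from Cenzic/Hailstorm:
# a signature scanner (table of known-bad banners) versus targeted fault
# injection (service-specific malformed input) against a constructed toy
# FTP command parser. Banners, signatures, payloads and the parser bug
# are all invented for illustration.
from dataclasses import dataclass

# Signature table: the only thing a classic scanner consults. Fictitious entries.
KNOWN_BAD_BANNERS = {
    "ftp": {"ToyFTP 0.9": "known ToyFTP 0.9 PORT overflow (fictitious entry)"},
}

# Fault corpus keyed by service. Targeting means an FTP target only ever
# receives FTP-shaped faults; the SQL entries are never fired at it.
FAULT_CORPUS = {
    "ftp": [
        "USER " + "A" * 4096,        # oversized argument
        "PORT",                      # missing argument
        "PORT 1,2,3,4",              # too few fields
        "PORT 1,2,3,4,x,y",          # non-numeric fields
        "PORT 1,2,3,4,255,255",      # well-formed; should be accepted
    ],
    "sql": [
        "' OR 1=1 --",
        "'; EXEC some_stored_procedure --",
    ],
}


class ToyFtpServer:
    """Constructed target with an unpublished parsing bug: PORT trusts its input."""
    banner = "ToyFTP 1.1"   # not in the signature table, so a scanner calls it clean

    def handle(self, line):
        cmd, _, arg = line.partition(" ")
        if cmd.upper() == "USER":
            return "331 Password required"
        if cmd.upper() == "PORT":
            h = [int(p) for p in arg.split(",")]            # ValueError on junk
            return "200 PORT %d" % (h[4] * 256 + h[5])      # IndexError on short input
        return "500 Unknown command"


class HardenedFtpServer(ToyFtpServer):
    """Same parser with input validation; the fault corpus should find nothing."""

    def handle(self, line):
        cmd, _, arg = line.partition(" ")
        if cmd.upper() == "PORT":
            fields = arg.split(",")
            if len(fields) != 6 or not all(f.isdigit() and int(f) <= 255 for f in fields):
                return "501 Syntax error in parameters"
        return super().handle(line)


def signature_scan(server, service):
    """What a signature scanner sees: does the banner match a known-bad entry?"""
    return [desc for banner, desc in KNOWN_BAD_BANNERS[service].items()
            if banner == server.banner]


def targeted_payloads(service):
    """Only the faults that make sense for this service's protocol."""
    return list(FAULT_CORPUS[service])


@dataclass
class Finding:
    payload: str
    error: str


def fault_inject(server, service):
    """Send each service-appropriate fault; an unhandled exception is a hole
    that no signature table could have listed in advance."""
    findings = []
    for payload in targeted_payloads(service):
        try:
            server.handle(payload)
        except Exception as exc:        # crash == finding; response codes are not judged here
            findings.append(Finding(payload, type(exc).__name__))
    return findings


if __name__ == "__main__":
    for srv in (ToyFtpServer(), HardenedFtpServer()):
        print(srv.banner, "signature hits:", signature_scan(srv, "ftp"))
        for f in fault_inject(srv, "ftp"):
            print("  crash on %r: %s" % (f.payload, f.error))
```

Run stand-alone, the signature scan reports nothing for either server, while the injector crashes the unhardened parser on three of the five FTP faults and finds nothing against the validated one; the SQL payloads never leave the corpus because the target is an FTP service.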
There are obvious markets for this, namely the financial services community, which stakes its business on having a secure application infrastructure. The other big market is for integrators that sell security services.
Cenzic's just getting started, but it's a company to watch.
Contact John Taschek at john_taschek@ziffdavis.com]