White Hat Tools Turn IT Administrators Into White Hat Hackers

 
 
By John Taschek  |  Posted 2002-02-11 Email Print this article Print
 
 
 
 
 
 
 

Tester's Choice: Cenzic, which is developing an SDK-based super vulnerability scanner, has a vision that is different from what else is out there.

Death, taxes and the fact that your computer systems are vulnerable are the only things that are certain—at least in our lifetimes. Unfortunately, many companies will find this out at least once. The problem is that they rely on vendors to disclose problems, and by then its way too late. Large companies, such as IBM, Oracle and Symantec, hire their own hacking staffs to try to contain vulnerabilities in their software. Many large organizations, meanwhile, hire security consultants--usually composed, at least partially, of reformed hackers--to stress-test their systems. Most companies, however, sit and wait. And then things go awry. Statistics show, after all, that a large number of companies have had their systems compromised in some fashion during the last year (see http://www.securitystats.com). Too bad they all cant be hackers. Maybe they can. A long time ago, products such as SATAN scanned systems for known vulnerabilities. They evolved into good business plans for companies, such as ISS. Now, security scanners are a dime a dozen. Well, perhaps theyre more like $10,000 a dozen, but still the price isnt prohibitive, especially in light of what might happen if companies didnt use them. An insurance policy with no guarantees, so to speak.
Cenzic, meanwhile—a company that was once known as ClicktoSecure—has been developing a super vulnerability scanner based on an SDK they have had in the works. I had the chance to interview Cenzics CEO Alan Henricks and CTO Greg Hoglund about the state of security scanners, and its pretty clear that the companys vision is different from what else is out there.
The biggest problem, says Hoglund, is that security scanners are ineffective at solving security problems. Scanners use signature sets, tables of information about known securities, so they cant offer protection from the most dangerous problems—the ones that havent been exposed. Scanners are also application-specific, and cant scan for vulnerabilities across an entire system. Cenzic—the name is derived from "Center and Forensic"— meanwhile, moves beyond the reactive model and attempts to employ heuristics software fault injection schemes to find holes in every facet of an application--from the network layer through the presentation layer. Cenzics product is named Hailstorm, a better use of the name than Microsofts code-name for its .Net My Services. The big difference between Hailstorm and the current batch of scanners is in the fault injection methodology. A scanner that just shoots fault aimlessly will not do anyone any good. Cenzics intellectual property resides in targeted fault injection. For example, its not going to fire SQL stored procedure errors at an FTP server.
There are obvious markets for this, namely the financial services community, which stakes its business on having a secure application infrastructure. The other big market is for integrators that sell security services. Cenzics just getting started, but its a company to watch. Contact John Taschek at john_taschek@ziffdavis.com.
 
 
 
 
As the director of eWEEK Labs, John manages a staff that tests and analyzes a wide range of corporate technology products. He has been instrumental in expanding eWEEK Labs' analyses into actual user environments, and has continually engineered the Labs for accurate portrayal of true enterprise infrastructures. John also writes eWEEK's 'Wide Angle' column, which challenges readers interested in enterprise products and strategies to reconsider old assumptions and think about existing IT problems in new ways. Prior to his tenure at eWEEK, which started in 1994, Taschek headed up the performance testing lab at PC/Computing magazine (now called Smart Business). Taschek got his start in IT in Washington D.C., holding various technical positions at the National Alliance of Business and the Department of Housing and Urban Development. There, he and his colleagues assisted the government office with integrating the Windows desktop operating system with HUD's legacy mainframe and mid-range servers.
 
 
 
 
 
 
 

Submit a Comment

Loading Comments...
 
Manage your Newsletters: Login   Register My Newsletters























 
 
 
 
 
 
 
 
 
 
 
Thanks for your registration, follow us on our social networks to keep up-to-date
Rocket Fuel