Death, taxes and the fact that your computer systems are vulnerable are the only things that are certain—at least in our lifetimes. Unfortunately, many companies will find this out at least once. The problem is that they rely on vendors to disclose problems, and by then its way too late.
Large companies, such as IBM, Oracle and Symantec, hire their own hacking staffs to try to contain vulnerabilities in their software. Many large organizations, meanwhile, hire security consultants–usually composed, at least partially, of reformed hackers–to stress-test their systems. Most companies, however, sit and wait. And then things go awry. Statistics show, after all, that a large number of companies have had their systems compromised in some fashion during the last year (see http://www.securitystats.com).
Too bad they all cant be hackers. Maybe they can. A long time ago, products such as SATAN scanned systems for known vulnerabilities. They evolved into good business plans for companies, such as ISS. Now, security scanners are a dime a dozen. Well, perhaps theyre more like $10,000 a dozen, but still the price isnt prohibitive, especially in light of what might happen if companies didnt use them. An insurance policy with no guarantees, so to speak.
Cenzic, meanwhile—a company that was once known as ClicktoSecure—has been developing a super vulnerability scanner based on an SDK they have had in the works. I had the chance to interview Cenzics CEO Alan Henricks and CTO Greg Hoglund about the state of security scanners, and its pretty clear that the companys vision is different from what else is out there.
The biggest problem, says Hoglund, is that security scanners are ineffective at solving security problems. Scanners use signature sets, tables of information about known securities, so they cant offer protection from the most dangerous problems—the ones that havent been exposed. Scanners are also application-specific, and cant scan for vulnerabilities across an entire system.
Cenzic—the name is derived from “Center and Forensic”— meanwhile, moves beyond the reactive model and attempts to employ heuristics software fault injection schemes to find holes in every facet of an application–from the network layer through the presentation layer.
Cenzics product is named Hailstorm, a better use of the name than Microsofts code-name for its .Net My Services. The big difference between Hailstorm and the current batch of scanners is in the fault injection methodology. A scanner that just shoots fault aimlessly will not do anyone any good. Cenzics intellectual property resides in targeted fault injection. For example, its not going to fire SQL stored procedure errors at an FTP server.
There are obvious markets for this, namely the financial services community, which stakes its business on having a secure application infrastructure. The other big market is for integrators that sell security services.
Cenzics just getting started, but its a company to watch.
Contact John Taschek at firstname.lastname@example.org.