In The News: Week of Feb 28th
Written by Enrique A. Sanchez Montellano   
Mar 02, 2011 at 01:56 AM

The support continues to roll in. It's only Tuesday, and already we have popped up on the OWASP wiki and the oldest/original security blog.

  • Software [In]security: Software Patents and Fault Injection
    Gary McGraw and Jeff Voas wrote a book on software fault injection, published in 1997, that covers a great deal of the type of activity for which Cenzic/Greg Hoglund decided to file a patent in 2002.
    From the article:
    "Apparently the security testing firm Cenzic believes that they deserve a patent for software fault injection. In February 2007 (a decade after our book was published) Cenzic was awarded patent number 7185232 for "fault injection methods and apparatus." The basic claims in the patent involve injecting some faulty input into a web program (thing one) and watching for error responses (thing two). Very nice. Or maybe not. A grass roots effort to collect prior art and dispute the patent is being spearheaded on the net by Enrique A. Sanchez Montellano."

  • Hacker News Network Cast
    We made this week's Hacker News Network Cast! In this week's episode (HNNCast.2011.02.25), at 5:46 into the episode, Space Rogue discusses the Cenzic patent and quite clearly expresses the dangers it poses to the community if not stopped. I was cracking up at the sound effects and seeing our site banner on the video. Sweet.

  • Jeff Williams Statement
    The president of OWASP has posted a statement about the Cenzic 232 patent on the OWASP Leadership Mailing list.
    From the statement:
    "I'm much more concerned about the effect of the patent on the application security industry than on OWASP." <snip> "Regardless of the pending litigation, this patent seems to touch on a technique that is fundamental to our industry, and we are certainly entitled to discuss, analyze, and even take support one side or the other."

    I am regularly reading the OWASP Leadership Mailing list and know the topic is active. I think Jeff's comments are good and reasonable at this stage of what is happening. So here are my two cents for OWASP members to consider: OWASP is all about pushing forward WebAppSec. If a company, even a member company, is employing business practices which could stifle the progress of WebAppSec, doesn't this fall into conflict with OWASP's goals?
    Cenzic has sued once before, and I think it is clear that this is now a behavior pattern which we all need to be concerned about.

    I do agree that we all need more details, and this site is dedicated to the pursuit and disclosure of information and details about this patent.
    One problem is that a patent can sometimes mean what the patent holder wants to assert it means, until someone challenges those claims at great financial cost (like NTO is doing). I cannot know what OWASP's role should be, or what it could even do, but it is a centerpiece of the community and does carry a great deal of influence. Maybe it's worth taking David Hoyt up on his offer to help, at least to discuss OWASP projects that might be considered to infringe.

  • OWASP WikiPage for Cenzic 232 Patent
    The group at OWASP has no "official" position about this matter, as discussed above. Some members have set up a page on the OWASP Wiki to keep track of activity and information. This site will be sharing data to the OWASP wiki as activities progress.

  • InfoSec Place Podcast Discussion
    Dan Kuykendall, the co-CEO of NTO, discusses the topic on the podcast he co-hosts. The discussion starts 41 minutes into the episode. Interesting to hear a first-hand discussion.



Last Updated ( Apr 07, 2011 at 06:16 PM )