NT Objectives, a small Web application scanning vendor, on Feb. 14 filed a lawsuit in the U.S. District Court in the Central District of California for a declaratory judgment of noninfringement, calling the patent invalid and unenforceable after Cenzic threatened litigation. Cenzic claims its patent, awarded in 2007, gives it exclusive rights to use the technology, and that after making "good faith attempts to resolve issues amicably" with NT Objectives, it decided to file a lawsuit late last week.
This isn't the first time Cenzic has sued a security firm over the use of this Web application vulnerability scanning technology: In August 2007, Cenzic filed a patent infringement suit against SPI Dyamics, which HP was in the process of acquiring. The suit put Web application security vendors and penetration testers on alert, and several hackers associated with the sla.ckers.org site demonstrated their displeasure with the patent at the time by exposing cross-site scripting flaws in Cenzic's website. HP later settled with Cenzic by signing a cross-licensing agreement. IBM also signed such an agreement nearly two years later with Cenzic.
At the heart of the Cenzic patent dispute is the so-called "prior art": Security experts argue that there are already some fault-injection tools that were released in the 2000-2001 time frame, well before Cenzic first filed for its patent, which would basically render the so-called Patent 232 moot. And critics say the patent is far too broad, covering the day-to-day tasks of most security scanners, penetration testing tools, and even that of the penetration testers themselves.
Neither Cenzic nor NT Objectives would comment on the cases, but some security researchers have begun rallying behind NT Objectives. A site called Stop Cenzic 232 Patent has been launched, and its author is calling for a Month of Prior Art on the technology at issue in the patent that will begin on April 1.
"Now this patent is of no concern if they used the patent 'defensively,' but Cenzic has chosen to go around chasing companies that create Web scanners for licensing money using this broad and unfortunately granted patent," blogged Enrique Sanchez Montellano.
Mantellano lists several products that could also be subject to Cenzic's patent claims because they employ the same method of injection, including Rapid7 Nexpose, Nessus, eEye Retia, McAfee Foundscan, nCircle Suite360, Qualys, Metasploit, Core Impact, and Burp Proxy.
According to a penetration tester familiar with the case and who requested anonymity, the way the patent is written, it could even apply to SQL injection and cross-site scripting attacks or pen tests. It could apply to any products that execute these techniques for bypassing normal security routines. "Even when I do this manually -- it would apply. So as a pen tester, I couldn't do that" according to the lawsuit, the source says.
Alan Shimel, CEO of The CISO Group, says he has heard from sources that Cenzic is "looking for seven figures" from NT Objectives.
"Initially, it looked like Cenzic was using the patent defensively. But now they are using it offensively," Shimel says. "This is just a lousy patent. There's a lot of prior art that should have been looked at before it was granted."
Meanwhile, among the Cenzic employees named in the patent when it was filed in 2002 include Greg Hoglund, founder and CEO of HBGary, whose company was targeted by the Anonymous hacking group.
Have a comment on this story? Please click "Add Your Comment" below. If you'd like to contact Dark Reading's editors directly, send us a message.