"A patent infringement lawsuit recently filed by Cenzic against SPI Dynamics has Web application security companies and researchers on edge.
If successful, the suit -- which centers around Cenzic's patent on a Web application vulnerability scanning technology -- could mean trouble for other scanner vendors, as well as researchers who develop scanning techniques.
Cenzic, which in June was awarded a patent for its so-called "fault injection" technology, is going after SPI Dynamics -- now a part of Hewlett-Packard -- for using fault injection in SPI's line of Web application scanner products. But Cenzic's patent had previously stirred the ire of researchers, including white-hat hackers on the sla.ckers.org site, some of whom demonstrated their displeasure by revealing cross-site scripting bugs in Cenzic's own Website.
Web applications are considered the biggest bull's eye for attackers these days -- experts estimate that 70 to 80 percent of all Websites harbor app bugs. And because applications are proprietary, many app security researchers are often afraid to report a bug on a Website, even if they come across it accidentally. (See Laws Threaten Security Researchers.)
Critics argue that Cenzic's patent has no merit, because other technologies doing much the same thing have been around for several years. But they say they worry that if HP/SPI loses the case, the outcome would set a dangerous precedent. "