Beyond Security Introduces 80/20 Rule for 'Smart' Blackbox Testing in New Version of beSTORM; Top Security Vulnerabilities Revealed in Hours Making Automated Blackbox Testing Practical for IP Devices and Embedded Systems.


MCLEAN, Va. -- Beyond Security, a leading provider of security assessment technologies, today announced the latest version of its security analysis solution, beSTORM 2.0. The new version introduces the 80/20 rule for "smart" blackbox testing, which speeds up testing by focusing first on known vulnerability patterns before searching for unknown problems. More precisely, the 80/20 rule lets beSTORM first test a small group of known scenarios that trigger the majority of the security holes found in products. Beyond Security is the first to offer "smart" blackbox testing, which requires access to a deep repository of known vulnerabilities.

Targeted at software engineers and developers of IP-based devices and embedded systems, the new feature lets these individuals get value from fuzzing by making it practical to expedite testing for security holes. The 80/20 feature opens fuzzing to legions of developers who would otherwise forgo such testing because prolonged test periods are not practical given time-to-market and cost considerations.

"This new feature is a direct result of interaction with customers and developers that have expressed a need for effective testing in less time," said Aviram Jenik, Beyond Security CEO. "Our 80/20 methodology makes smart fuzzing possible for products that would normally take too long to test. Our tests have shown that vulnerability testing can be reduced from weeks or days to just hours, by focusing on attack vectors that are known to be problematic."

There is a high level of complexity that goes hand-in-hand with blackbox testing by fuzzing. The theory is that fuzzers must try every possible attack vector or vulnerabilities will be missed. The result can be a lengthy test cycle, taking up to several weeks to ensure that every possible scenario has been executed and that billions of attack combinations have been tested. Since many IP devices such as VoIP phones, network printers and consumer devices don't require high performance processors, they lack the processing power needed for practical vulnerability assessments using fuzzers. For example, such devices have an extremely slow test rate of approximately 1 test per second, versus hundreds of thousands per second. beSTORM, with its new smart blackbox testing strategy, is ideally suited to IP-based devices and embedded systems, providing a practical solution for identifying security holes. Likewise, software developers are continually challenged with short development cycles and difficult customer requirements, and "smart" blackbox testing gives them early insight into vulnerabilities so they can better manage their development cycle.

The new 80/20 methodology enables quicker time to market through faster security certification testing. The key is the ability to test in stages. Stage one is focused on known attack vectors and is typically completed in a matter of hours. Certification testing is based on stage one testing and indicates whether or not a product meets security standards based on all known security issues that exist at that time. Stage two is an exhaustive test that expands the scope to unknown problems, or less likely attack vectors. Exhaustive testing can be completed for all products, but beSTORM gives developers the flexibility to manage the process by conducting mission critical testing first, and then launching into full testing when more time can be allocated to the process.

Beyond Security is uniquely positioned to successfully deploy a "smart" blackbox testing strategy due to its unparalleled database of security holes. As the founder and operator of www.securiteam.com, the largest independent security portal in the world, Beyond Security has been building a database of known security holes in operating systems and software programs since 1998. In 2004, Beyond Security documented 1,258 security holes; in 2005 that number grew to 1,523, and in 2006 the rate is over 130 new security holes documented per month. No other security vendor has a database of this magnitude, positioning Beyond Security with a distinct advantage over other companies with similar products.

How does it work? beSTORM 2.0 starts by checking a relatively small number of scenarios, usually in the thousands, that are known to be especially problematic. This will fuzz what counts and can determine if there are problematic areas that warrant a more thorough test. To use the SIP protocol as an example, testing just 7,130 combinations would cover all SIP vulnerabilities found to date and their variations. Even an extremely low test rate of one attack per second can go over that many combinations in under two hours. After checking those attack combinations, beSTORM can then start testing for all other SIP implementation combinations.

Upon completing the test, beSTORM generates a compliance report which documents what was covered, what tests were completed and provides a report card with a pass or fail grade. If the report gives a failing grade, beSTORM 2.0 includes an export application that can generate a special Perl script to recreate the problem, which can be sent to developers. This makes it easier for the software developer to solve the problems or vulnerabilities that have been found.

Jenik added, "No one wants to recreate the problem when it occurred at the five millionth combination."
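As an added illustration (this is not beSTORM's code, which the release does not describe beyond the paragraphs above), the following Python sketch shows the two mechanics described there: a stage-one pass over a small set of known-bad mutations before the exhaustive stage two, and a stable index for every generated case so that a failure reported as "case N" can be regenerated on demand rather than by re-running the whole campaign, which is what the exported reproduction script buys you. The SIP request template, the known-bad values, the test rates and the two toy targets are all constructed for this example.

```python
"""Staged ("80/20") blackbox test scheduling with reproducible case indices.

Hypothetical illustration, not beSTORM code. Stage one sends a small set of
historically problematic mutations one field at a time; stage two sends the
exhaustive cross-product. Every case has a stable integer index, so a crash
at "case N" is regenerated with case_at(N).
"""
import math

# Constructed sample: a minimal SIP INVITE with four mutable fields.
TEMPLATE = (
    "INVITE sip:{user}@{host} SIP/2.0\r\n"
    "Via: SIP/2.0/UDP {via}\r\n"
    "Content-Length: {clen}\r\n\r\n"
)
FIELDS = ("user", "host", "via", "clen")

# Known-problematic values per field: overlong tokens, format specifiers,
# NUL bytes, CRLF header injection, numeric edge cases. Constructed for the example.
KNOWN_BAD = {
    "user": ["A" * 4096, "%s%n%x", "alice\x00bob"],
    "host": ["B" * 4096, "%s%s%s", "10.0.0.1\r\nVia: injected"],
    "via":  ["C" * 4096, "%n%n", "\x00"],
    "clen": ["-1", "4294967295", "99999999999999999999"],
}
BASELINE = {"user": "alice", "host": "example.test", "via": "192.0.2.1:5060", "clen": "0"}

# Stage one: mutate exactly one field per case, the rest stay benign.
STAGE_ONE = [{**BASELINE, field: value} for field in FIELDS for value in KNOWN_BAD[field]]
# Stage two: every combination of benign + known-bad values across all fields.
DOMAINS = {f: [BASELINE[f]] + KNOWN_BAD[f] for f in FIELDS}
STAGE_TWO_SIZE = math.prod(len(DOMAINS[f]) for f in FIELDS)
TOTAL = len(STAGE_ONE) + STAGE_TWO_SIZE


def case_at(n):
    """Return the request for global case index n without materializing all cases."""
    if n < 0 or n >= TOTAL:
        raise IndexError(n)
    if n < len(STAGE_ONE):
        values = STAGE_ONE[n]
    else:  # mixed-radix decode of the stage-two offset, least significant field last
        k = n - len(STAGE_ONE)
        values = {}
        for f in reversed(FIELDS):
            values[f] = DOMAINS[f][k % len(DOMAINS[f])]
            k //= len(DOMAINS[f])
    return TEMPLATE.format(**values)


def seconds_needed(num_cases, tests_per_second):
    """Wall-clock estimate for a stage at the target's measured test rate."""
    return num_cases / tests_per_second


def run_campaign(target, tests_per_second, budget_seconds):
    """Run stage one, then stage two only if it fits the time budget.

    target(request) returns True if the device survived, False if it crashed.
    Returns (stage, failing_index); ("pass", None) if nothing failed.
    """
    for n in range(len(STAGE_ONE)):
        if not target(case_at(n)):
            return "stage1", n
    if seconds_needed(STAGE_TWO_SIZE, tests_per_second) > budget_seconds:
        return "stage1-only", None  # exhaustive pass deferred to a later window
    for n in range(len(STAGE_ONE), TOTAL):
        if not target(case_at(n)):
            return "stage2", n
    return "pass", None


def _fields(request):
    """Constructed toy parser for the targets below (not a real SIP stack)."""
    user = request.split("sip:", 1)[1].split("@", 1)[0]
    clen = request.split("Content-Length: ", 1)[1].split("\r\n", 1)[0]
    return user, clen


def nul_bug_target(request):
    """Constructed target that 'crashes' on a NUL byte in the user part."""
    user, _ = _fields(request)
    return "\x00" not in user


def combo_bug_target(request):
    """Constructed target that only crashes on an overlong user AND a negative length."""
    user, clen = _fields(request)
    return not (len(user) > 1024 and clen.startswith("-"))


if __name__ == "__main__":
    stage, idx = run_campaign(combo_bug_target, tests_per_second=1.0, budget_seconds=3600)
    print(stage, idx)                # the index is all a developer needs to reproduce it
    print(repr(case_at(idx)[:60]))   # regenerate the exact failing request
```

With the constructed targets, the NUL-byte bug is caught at stage-one case 2, while the bug that needs two fields mutated at once is never seen by stage one and is only reached at case 77 of stage two; with a 100-second budget at one test per second, stage two is deferred and the campaign reports stage one only. The same arithmetic is what makes the SIP figure above work: 7,130 cases at one test per second is under two hours.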

beSTORM was launched in March and is the cumulative result of three years of research and development. beSTORM performs exhaustive protocol analysis in order to uncover new and unknown vulnerabilities in network products. It is differentiated in that it does not require access to the source code, which makes it an ideal solution for testing third party products before they are implemented.

beSTORM 2.0 is generally available immediately, employs a client/server architecture and runs on Windows, UNIX and Linux.

In an effort to introduce smart blackbox testing to Open Source projects, Beyond Security is offering a free version, beSTORM Lite, to open source developers. beSTORM Lite can be obtained by contacting bestorm-foss@beyondsecurity.com. In addition, Beyond Security is offering a trial version of beSTORM from its website. The 30-day trial version is limited to the FTP, HTTP 1.0 and SIP (a Voice over IP protocol) protocols but is otherwise fully functional. For more information, please visit www.beyondsecurity.com.

About Beyond Security

Beyond Security, a privately-held company, develops leading vulnerability assessment and self-management solutions that facilitate preemptive, real-time and continuous network, server, database and application security. The company was founded in 1999 by the founders of the SecuriTeam portal (www.securiteam.com), a leading source for vulnerability alerts and solutions serving 1.5 million monthly page views to IT security professionals. Beyond Security's founders are great believers in automation, which is why the company sells tools instead of using them to provide services. Beyond Security's goal is to decrease the number of security holes in products to manageable levels and empower software vendors to release secure products. For more information, visit www.beyondsecurity.com.
COPYRIGHT 2006 Business Wire

Publication: Business Wire
Date: Sep 12, 2006