RSS

Tools

Beyond Security's beStorm Speeds Up Bug Discovery In Applications

By Kevin McLaughlin, October 16, 2006

Beyond Security is using a common hacker technique to help software developers and testers weed out glitches in applications that could later become the target of exploits.
Beyond Security is using a common hacker technique to help software developers and testers weed out glitches in applications that could later become the target of exploits.

The idea behind the technique, called "fuzzing," is to take a certain requestbetween a Web browser and server, for exampleand modify it so that it's slightly different from what one side expects. Although time-consuming, fuzzing can yield interesting results that point to security vulnerabilities, causing servers to crash or applications to provide access to unauthorized users, said Aviram Jenik, CEO of Beyond Security, McLean, Va.

With the mid-September release of beStorm 2.0, Beyond Security is introducing 'smart' black-box testing, which begins by fuzzing a small group of known attack vectors in order to speed up the process of finding the majority of undiscovered vulnerabilities, Jenik said.

"This method can give you an idea or metric to measure what your risks are. You can run the test inside an hour to give you a rough idea of what vulnerabilities exist," Jenik said.

The technique is especially suited to testing devices with limited processing power such as printers and VoIP phones, he added.

Once this initial phase is completed, beStorm then attempts to fuzz every combination within a protocol in order to find unknown vulnerabilities, Jenik said. For example, with FTP, there are 10 million testing scenarios that are valid within the protocol, he said. "You're not drilling for oil, but covering the whole area and checking the whole application, which is what you want if you're the 'good guy' and want to uncover all vulnerabilities," Jenik said.

Brandon Buhai, COO at Beyond IP, a Chicago-based solution provider, said Beyond Security has built a lot of automation into its technology, but not at the expense of accuracy. "At the end of the day, you're able to eradicate all vulnerabilities and stop things like backdoors and intruders from getting on the network," he said.

Beyond Security currently packages beStorm as Windows server software but plans to eventually target VARs and integrators with a plug-and-play appliance, Jenik said. "You could plug in particular protocols or applications you wanted to test, and this could become part of the life-cycle management of the various protocol tests that you run," he said.

Pricing starts at $7,500.


Related Reading

News

Most Popular

Commentary

On the Web

Video

Slideshow

More Insights

White Papers

More >>

Reports

More >>

Webcasts

More >>
INFO-LINK




Currently we allow the following HTML tags in comments:

Single tags

These tags can be used alone and don't need an ending tag.

<br> Defines a single line break

<hr> Defines a horizontal line

Matching tags

These require an ending tag - e.g. <i>italic text</i>

<a> Defines an anchor

<b> Defines bold text

<big> Defines big text

<blockquote> Defines a long quotation

<caption> Defines a table caption

<cite> Defines a citation

<code> Defines computer code text

<em> Defines emphasized text

<fieldset> Defines a border around elements in a form

<h1> This is heading 1

<h2> This is heading 2

<h3> This is heading 3

<h4> This is heading 4

<h5> This is heading 5

<h6> This is heading 6

<i> Defines italic text

<p> Defines a paragraph

<pre> Defines preformatted text

<q> Defines a short quotation

<samp> Defines sample computer code text

<small> Defines small text

<span> Defines a section in a document

<s> Defines strikethrough text

<strike> Defines strikethrough text

<strong> Defines strong text

<sub> Defines subscripted text

<sup> Defines superscripted text

<u> Defines underlined text

DrDobbs encourages readers to engage in spirited, healthy debate, including taking us to task. However, DrDobbs moderates all comments posted to our site, and reserves the right to modify or remove any content that it determines to be derogatory, offensive, inflammatory, vulgar, irrelevant/off-topic, racist or obvious marketing/SPAM. DrDobbs further reserves the right to disable the profile of any commenter participating in said activities.

 
Disqus Tips To upload an avatar photo, first complete your Disqus profile. | View the list of supported HTML tags you can use to style comments. | Please read our commenting policy.
 

Best of the Web

What the New iPad and iOS 5.1 Mean for Developers

The new display is gorgeous. But local storage for HMTL5 is currently broken on the new iPad and performance of some apps is slower. Here's a deep dive into the issues, including benchmarks and analysis.

Quick Read

Triple Buffering as A Concurrency Mechanism

Triple Buffering is a way of passing data between a producer and a consumer running at different rates. It ensures that the consumer sees only complete data with minimal lag.

Quick Read

Embedding GDB Breakpoints in C Source Code

Have you ever wanted to embed GDB breakpoints in C source code? Something like this:
printf("Hello,\n");
EMBED_BREAKPOINT;
printf("world!\n");

Quick Read

Writing Kernel Exploits

Why attack the kernel? Because it has a huge attack surface with potential for very interesting bugs. This presentation (pdf) takes a code-level dive into recently reported Linux-kernel exploits.

Quick Read


More "Best of the Web" >>

Tools Recent Articles

Most Popular

Stories Blogs

Video

View All Videos

Featured Reports

Featured Whitepapers

Featured Webcasts

Most Recent Premium Content

Digital Issues

Enabling People and Organizations to Harness the Transformative Power of Technology