Beyond Security Introduces 80/20 Rule for 'Smart' Blackbox Testing in New Version of beSTORM

September 12, 2006; 08:14 AM
Beyond Security, a leading provider of security assessment technologies, announced the latest version of its security analysis solution, beSTORM 2.0. The new version introduces the 80/20 rule for "smart" blackbox testing, which enables faster testing by focusing first on known vulnerability patterns before searching for unknown problems. More precisely, the 80/20 rule allows for beSTORM to first test a small group of known scenarios that trigger the majority of the security holes in products. Beyond Security is the first to offer "smart" blackbox testing, which requires access to a deep repository of known vulnerabilities.

Targeted to software engineers and developers of IP-based devices and embedded systems, the new feature enables these individuals to leverage the value of fuzzing by making it more practical to expedite testing for security holes. The 80/20 feature opens fuzzing to legions of developers who would otherwise forgo such testing as prolonged test periods are not practical due to time-to-market and cost considerations.

"This new feature is a direct result of interaction with customers and developers that have expressed a need for effective testing in less time," said Aviram Jenik, Beyond Security CEO. "Our 80/20 methodology makes smart fuzzing possible for products that would normally take too long to test. Our tests have shown that vulnerability testing can be reduced from weeks or days to just hours, by focusing on attack vectors that are known to be problematic."

There is a high level of complexity that goes hand-in-hand with blackbox testing by fuzzing. The theory is that fuzzers must try every possible attack vector or vulnerabilities will be missed. The result can mean a lengthy test cycle, taking up to several weeks to ensure that every possible scenario has been executed and that billions of attack combinations have been tested. Since many IP devices such as VoIP phones, network printers and consumer devices don't require high performance processors, they do not have the processing power needed for practical vulnerability assessments using fuzzers. For example, such devices have an extremely slow test rate of approximately 1 test per second, versus hundreds of thousands per second. beSTORM, with its new smart blackbox testing strategy is ideally suited to IP-based devices and embedded systems, providing a practical solution for identifying security holes. Likewise, software developers are continually challenged with short development cycles and difficult customer requirements, and "smart" blackbox testing provides them with early insight into vulnerabilities so they can better manage their development cycle.

The new 80/20 methodology enables quicker time to market through faster security certification testing. The key is in the ability to test in stages. Stage one is focused on known attack vectors and is typically completed in a matter of hours. Certification testing is based on stage one testing and indicates whether or not a product meets security standards based on all known security issues that exist at that time. Stage two is an exhaustive test that expands the scope to unknown problems, or less likely attack vectors. Exhaustive testing can be completed for all products, but beSTORM provides developers the flexibility to manage the process by conducting mission critical testing first, and then launching into full testing when more time can be allocated to the process.

Beyond Security is uniquely positioned to successfully deploy a "smart" blackbox testing strategy due to its unparalleled database of security holes. As the founder and operator of www.securiteam.com, the largest independent security portal in the world, Beyond Security has been building a database of known security holes in operating systems and software programs since 1998. In 2004, Beyond Security documented 1,258 security holes and in 2005 that number grew to 1,523 and in 2006 the rate is over 130 new security holes documented per month. No other security vendor has a database of this magnitude, positioning Beyond Security with a distinct advantage over other companies with similar products.

How does it work? beSTORM 2.0 starts by checking a relatively small number of scenarios, usually in the thousands, that are known to be especially problematic. This will fuzz what counts and can determine if there are problematic areas that warrant a more thorough test. To use the SIP protocol as an example, testing just 7,130 combinations would cover all SIP vulnerabilities found to date and their variations. Even an extremely low test rate of one attack per second can go over that many combinations in under two hours. After checking those attack combinations, beSTORM can then start testing for all other SIP implementation combinations.

Upon completing the test, beSTORM generates a compliance report which documents what was covered, what tests were completed and provides a report card with a pass or fail grade. If the report gives a failing grade, beSTORM 2.0 includes an export application that can generate a special Perl script to recreate the problem, which can be sent to developers. This makes it easier for the software developer to solve the problems or vulnerabilities that have been found.

Jenik added, "No one wants to recreate the problem when it occurred at the five millionth combination."

beSTORM was launched in March and is the cumulative result of three years of research and development. beSTORM performs exhaustive protocol analysis in order to uncover new and unknown vulnerabilities in network products. It is differentiated in that it does not require access to the source code, which makes it an ideal solution for testing third party products before they are implemented.

beSTORM 2.0 is generally available immediately and employs a client/server architecture and runs on Windows, UNIX and Linux.

In an effort to introduce smart blackbox testing to Open Source projects, Beyond Security is offering a free version, beSTORM Lite, to open source developers. beSTORM Lite can be obtained by contacting [email protected]. In addition, Beyond Security is offering a trial version of beSTORM from its website. The 30-day trial version is limited to the FTP, HTTP 1.0 and SIP (a Voice over IP Protocol) protocols but is fully functional. For more information, please visit www.beyondsecurity.com.

About Beyond Security

Beyond Security, a privately-held company, develops leading vulnerability assessment and self-management solutions that facilitate preemptive, real-time and continuous network, server, database and application security. The company was founded in 1999 by the founders of SecuriTeam portal (www.securiteam.com), a leading source for vulnerability alerts and solutions serving 1.5 million monthly page views to IT security professionals. Beyond Security's founders are great believers in automation, which is why the company sells tools instead of using them to provide services. Beyond Security's goal is to decrease the number of security holes in products to manageable levels and empower software vendors to release secure products. For more information, visit www.beyondsecurity.com.