Beyond Security launches security analysis solution that changes the face of vulnerability assessment
IRVINE, Calif., March 28, 2006
Beyond Security, a leading provider of security assessment technologies, today announced the launch of its new security analysis solution, beSTORM. The cumulative result of three years of research and development, beSTORM changes the way security assessment is conducted by uncovering unknown vulnerabilities in network-enabled software applications during the development cycle. By automatically testing billions of attack combinations, beSTORM ensures the security of products before they are deployed, saving companies millions in costs associated with fixing security holes after products are shipped.
As corporate professionals are driven by compliancy regulations for financial records and overall data security, there is a growing requirement for many companies to ensure that third party software applications meet stringent security certifications.
"Software applications that are not fully tested prior to deployment make companies more vulnerable and leave customers feeling insecure," said Aviram Jenik, Beyond Security CEO. "Security certifications are becoming a requirement of vendors by many companies. This is because too many products have been deployed that are vulnerable to attacks and too much money has been spent on fixing the problem after-the-fact."
beSTORM arms developers, quality assurance teams and security professionals with a tool that helps them to test for security holes while they are still in the development phase. The new product enables development teams to schedule security testing into the product release process, giving them time to fix their code before the product is shipped.
Unlike the current generation of assessment tools, beSTORM does not look for specifically defined attack signatures or attempt to locate known vulnerabilities in products and it does not require the source-code (like source-code audit tools). Rather, beSTORM focuses on network-enabled applications and models the protocols used to communicate with them. beSTORM exercises the protocol with a specific emphasis on technically legal but functionally erroneous cases. Simply put, beSTORM performs exhaustive protocol analysis in order to uncover new and unknown vulnerabilities in network products. As an example, beSTORM automatically tries every protocol combination possible until a buffer overflow is triggered. This level of intensive security penetration testing is not available in any other product on the market.
"Most security holes found today can be discovered automatically," added Jenik. "By using an automated attack tool that tries virtually every attack combination and has the ability to detect certain application anomalies and indicate a successful attack, security holes can be found with almost no user intervention."
To date, computer hackers have targeted operating systems but this has changed and now software applications are the focal point for their antics. Many software vendors are making an honest effort to fix the growing problem of security issues but are ineffective because of the existing tools at their disposal. Some vendors hire consultants to perform manual security audits that are often expensive and can only be done periodically. This solution is often chosen by default, because vendors are unaware of other alternatives.
"Many vendors conduct manual audits of their products. We call this 'throwing money at the problem' and it includes hiring third party consulting firms to audit products to identify as many security holes as possible," added Jenik. Other alternatives include source-code analysis tools which, similar to beSTORM, attempt to find holes during development. The main drawbacks to these solutions are scalability, false positives and the requirement for access to source code.
"Fuzzing tools are probably the closest in comparison to beSTORM. Fuzzing tools take an existing network protocol and 'fuzz' it, which means it sends malformed requests and analyzes the results," said Jenik. "Fuzzers are usually limited in bandwidth trying hundreds or millions of different attack combinations where beSTORM can try billions."
beSTORM's main features include:
- Broad Range - Most of the common Internet protocols can be tested including SIP (used in VoIP products)
- Attack Prioritization - Special attack prioritizing algorithms allow beSTORM to start with the attacks most likely to succeed, depending on the specific protocol that is tested
- Report Accuracy - beSTORM checks the application externally by actually triggering the attacks and a vulnerability is reported only if an attack was successful
- Scalability - Multiple processors (or machines) can be used to parallelize the audit and reduce testing time
- Extensibility and Flexibility - Testing the protocol rather than the product, beSTORM can be used to test extremely complicated products with a large code base. Protocol analysis can be extended to support proprietary protocols
- Language Independent - beSTORM supports all programming languages
Beyond Security has built its reputation on its network security solutions that facilitate preemptive, real-time and continuous network, server, database and application security. Their flagship product, Automated Scanning, conducts automatic penetration testing on a daily basis and has been adopted by a variety of global-based companies that include systems integrators. Beyond Security is also the founder and operator of www.securiteam.com, the largest independent security portal.
beSTORM is generally available immediately. It employs a client/server architecture and runs on Windows, UNIX and Linux.
About Beyond Security
Beyond Security, a privately-held company, develops leading vulnerability assessment and self-management solutions that facilitate preemptive, real-time and continuous network, server, database and application security. The company was founded in 1999 by the founders of SecuriTeam portal (www.securiteam.com), a leading source for vulnerability alerts and solutions serving 1.5 million monthly page views to IT security professionals. Beyond Security's founders are great believers in automation, which is why the company sells tools instead of using them to provide services. Beyond Security's goal is to decrease the number of security holes in products to manageable levels and empower software vendors to release secure products. For more information, visit www.beyondsecurity.com.