Beyond Security Checks for Unknown Vulnerabilities
Published: May 16, 2006
by Alex Woodie
Beyond Security recently launched a new security vulnerability assessment tool designed to scour applications for any sort of security weakness, including commonly known problems and entirely new ones. Because the new tool, called beSTORM, works at the network protocol layer, it can work with any application, including those running on iSeries servers. beSTORM ferrets out security problems during the development cycle, and provides a more cost-effective alternative to hiring a team of "ethical hackers," company executives say.
Beyond Security was founded in 1999 by the founders of SecuriTeam, a security portal where ethical hackers and other security researchers share information. Today, SecuriTeam is a very active Web site where leading work in software security is being done. It also functions as the R&D component of Beyond Security.
beSTORM is the second product to come out of Beyond Security, which has its U.S. headquarters in McLean, Virginia, and corporate headquarters in Israel. The first product, called Automated Scanning, checks software applications against its database of known vulnerabilities, and has been used by 60 to 70 customers, including systems integrators like IBM, EDS, and Lucent Technologies, financial services firms like American Express and Garanti Bank, manufacturers like Rayovac and Siemens, and a variety of other companies in a range of industries.
While Automated Scanning has successfully found previously known security problems in the applications of these customers, it isn't of much use in ferreting out undiscovered security problems, which can be very costly. This is where beSTORM and its brute-force approach to simulating the actions of hackers come in.
beSTORM uses patented algorithms to conduct an exhaustive protocol analysis of software applications at the network level. "It's literally automating hacking," says David Oller, Beyond Security's vice president of sales. "It's automating what thousands of hackers could attempt to do--going through each piece [of the application] with every possible combination of characters, and it's going to keep going through each part of the application, and test every conceivable combination, and see if the application might react."
This technique is effective against the most common security vulnerability--memory buffer overflows--and all sorts of other software bugs that could potentially provide viruses, worms, and hackers with pathways past security provisions, for the purpose of stealing or corrupting data, or taking over whole servers.
Because it's trying every possible permutation of user input, beSTORM will also find known security vulnerabilities, although it won't label them as such, nor advise customers what to do about them, as Automated Scanning does. The software keeps a log of its activities that tells users where it found security problems and how they can be re-created in the lab.
Beyond Security is targeting beSTORM at software developers and quality assurance (QA) testers. The company tried to make the tool as easy to use as possible to avoid scaring away developers, who usually aren't overly concerned about security, Oller says. "The concept is, as you're writing new applications, you can catch a vulnerability before it gets out there," he says.
beSTORM is similar to source code auditing tools in that both classes of tools look for unknown security vulnerabilities. It also bears some resemblance to so-called "fuzzing" tools that send malformed requests to network devices and then analyze the results, the company says. However, beSTORM works at the network protocol layer, and doesn't require the user to have the source code of the application they want to test, as is the case with source code auditing tools. Its advantage over fuzzing tools is its scalability: with enough horsepower behind it, beSTORM can simulate billions of hacker actions, the company says.
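The field-by-field exhaustive testing and reproducible finding log described above, as an added example that is not Beyond Security's code: a toy generational fuzzer that walks every value of each field in a constructed two-field length-prefixed message and records any input that makes the parser fail. The protocol, the `parse_message` target and its defect are all assumptions constructed for illustration, not anything from beSTORM.

```python
"""Toy generational protocol fuzzer in the style the article describes:
walk each field of a protocol message, try every candidate value of that
field, and log any input that makes the target misbehave together with
the bytes needed to reproduce it. Target and protocol are constructed."""

def parse_message(data: bytes) -> dict:
    """Constructed target: TYPE(1) LEN(1) PAYLOAD(LEN). It trusts LEN, so
    a LEN larger than the real payload walks off the end of the buffer
    (the same class of defect as a native out-of-bounds read)."""
    msg_type, length = data[0], data[1]
    payload = bytearray()
    for i in range(length):
        payload.append(data[2 + i])      # IndexError when LEN > len(payload)
    return {"type": msg_type, "payload": bytes(payload)}

# Protocol model (constructed): field name -> candidate values to exhaust.
PROTOCOL = {
    "type": [bytes([v]) for v in range(256)],
    "len": [bytes([v]) for v in range(256)],
    "payload": [b"A" * n for n in (0, 1, 8, 255)],
}
BASELINE = {"type": b"\x01", "len": b"\x04", "payload": b"ping"}  # known-good

def fuzz(target, protocol, baseline):
    """For each field, substitute every candidate value into the known-good
    message and run the target; an uncaught exception becomes a finding."""
    findings = []
    for field, candidates in protocol.items():
        for value in candidates:
            msg = dict(baseline, **{field: value})
            data = b"".join(msg[f] for f in protocol)
            try:
                target(data)
            except Exception as exc:     # any uncaught error is a finding
                findings.append({"field": field, "value": value.hex(),
                                 "error": type(exc).__name__,
                                 "repro": data.hex()})
    return findings

def summarize(findings):
    """Group findings by field so a tester sees which parts of the
    protocol the parser fails to validate."""
    by_field = {}
    for f in findings:
        by_field.setdefault(f["field"], set()).add(f["error"])
    return by_field

if __name__ == "__main__":
    results = fuzz(parse_message, PROTOCOL, BASELINE)
    print(len(results), "findings:", summarize(results))
```

Every finding carries the full message in hex, so a developer can replay it against the parser in a debugger rather than re-running the whole sweep.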
In a way, beSTORM is similar to having a collection of ethical hackers--such as the SecuriTeam community--checking an application for problems. In fact, SecuriTeam uses beSTORM to look for problems in applications from major vendors, including operating system vendors and, more importantly, network device equipment manufacturers. (SecuriTeam practices responsible disclosure and contacts vendors about problems it finds in their products, Oller says.)
beSTORM is a multi-threaded, 32-bit application written in C++ that runs on standard x86 computers running Windows, Linux, and Unix operating systems. Pricing starts at $15,000 per server. For more information, visit www.beyondsecurity.com.