Greg Hoglund is widely regarded as one of the brightest minds in application security. In 1997, he created one of the first security ‘scanners’ – software that assesses the security of a system or network. In the process, he claims, he ignited a passion for developing technology that “helps the end user and software vendor find the problems before the hackers do”.
The result of those efforts is Cenzic, a Californian start-up co-founded by Hoglund in 2000. Here, as chief technology officer, he has taken the concept of scanning a step further, building a more sophisticated software platform that analyses and assesses vulnerabilities in enterprise networks and applications. “Cenzic’s platform is thorough in its testing, comprehensive in reaching all the components of complex enterprise networks and largely automatic,” he boasts.
To achieve this greater level of sophistication, Hoglund has incorporated ‘fault injection’ into his scanning platform. This involves deliberately feeding faults – malformed or malicious input, some of it randomly generated – into a network or application in order to expose vulnerabilities that only show up when a component is pushed outside the input it was written to expect. By comparing the reports generated by the software with an assessment of the risk attached to each fault, says Hoglund, end users can focus IT resources only where they are critically needed. Users also benefit from a single view of the network, as results from thousands of tests – covering performance, security procedures and protocols – are collated.
Cenzic’s ability to spot problems that have not yet been seen in the wild, says Alan Henricks, the company’s CEO, is what clearly differentiates it from competitors. “A lot of other security products can only deduce and infer where vulnerabilities may be on the basis of reported problems and known viruses,” he says. And because Cenzic’s scanner tests both the network and the applications, it is effective for proprietary and customised applications alike. “No other product out there can do that,” he says.
The release of a developer version of the software, dubbed Hailstorm, has certainly attracted substantial interest. Some 30 companies, all from within the developer community, have signed up for the product.
Encouraged by this response, Cenzic managed to convince Hummer Winblad, one of the most highly respected US venture capital groups, and JK&B Capital, with limited partners such as Charles Wang and the Soros group, to stump up $5 million in the harsh funding climate of January 2002. Along with that money came Henricks, formerly of Documentum, Interwoven and Borland. His remit: to ready Cenzic for the launch of an enterprise version of Hailstorm.
Henricks admits that, to be successful in the corporate environment, Cenzic must make its technology more “usable”. The enterprise release, scheduled for the second quarter of 2002, will, he says, include a user-friendly interface to allow customers to easily pick and choose tests, customise them and, for more skilled IT managers, create their own.
Further automation is planned for future versions of the software. Ultimately, says Henricks, Hailstorm will automatically send potential ‘signatures’ (a description of a method of attack) to the network’s intrusion detection systems (IDS). Most security management systems can only detect attacks by comparing them to a database of already known signatures, so a scanner that generates a signature for each fault it uncovers would let the IDS recognise an attack on that weakness before it has been reported elsewhere.
At present, the company lists application defence vendors Sanctum of California and Kavado of New York as its closest competitors (see also Application defence). Sanctum and Kavado, however, offer both scanners and application security. Cenzic only offers the former.
Henricks argues that the company’s superior scanning technology makes it a more appealing choice, particularly to systems integrators and consultants looking for a tool from an independent vendor. “It’s very hard to identify vulnerabilities at the application level,” says Henricks. “Cenzic has demonstrated its strong technical expertise by managing to do so.”
This market, however, looks set to get increasingly competitive. And, as has been shown time and time before, just having the best technology is no guarantee of success.