Tuesday February 21, 2006

Cenzic is a start-up in Silicon Valley, in fact right across the street from Santa Clara University, an institute I spent a large part of my life in. Chatting with John Weinschenk, CEO, brought back nostalgia from my security days.
The company specializes in defending a new area of vulnerability, the company's website. What's so new about this? After all, hackers have been attacking websites ever since Mosaic was still the dominant browser. Instead of defending the webserver, which is usually a weak target, Cenzic tries to protect the applications that the webserver launches upon the user's request. No, that's not really true. They try to protect the glue software that leads to the applications.
When you interact with a company via its website, the webserver launches many small programs without you knowing it. Those programs are usually written in a script language, such as Java, JavaScript, PHP, or Perl. These programs glue your data to a real, serious, big piece of software, one that took many man-years of investment, which does the heavy lifting. When the big guy is done, the little program feeds the result back to the webserver and you see it nicely as a webpage.
Here we have a designed security vulnerability. Those glue programs in between are usually slapped together quickly. All they do is the equivalent of a paper-pusher's job. Why spend your precious QA dollars on them? No harm can really come from them.
So I have assumed all these years. And John proved me so, so wrong.
He demonstrated that pretty much all traditional attacks can be applied to those scripts, and that serious harm can be inflicted by a malicious hacker. Cenzic provides the tools and services for companies to find, and hopefully later plug, these holes.
I hope that I have convinced the VP of Engineering, Ambarish Malpani, that Java is really a better choice. He, at least, was gracious in telling me that Cenzic has no dependency on the framework they chose and can switch easily. Ambarish, the Java development environment is completely free, and Cenzic can save lots of money, and gain access to many talents around the world, if you switch. Business will be better, I promise.
Posted by ux-admin on February 21, 2006 at 06:12 PM CST
Posted by jdlilly on February 24, 2006 at 11:17 AM CST