Core Security Brings Penetration Testing to Broader Market

If you’re a typical homeowner, it would probably be overkill to have a live-in plumber who spends all his time checking the pipes for leaks. But if your plumbing system were constantly getting new parts, carrying volatile new liquids, and fending off corrosive agents, it might not be such a bad idea.

That’s the basic concept behind automated penetration testing software, a corner of the computer security business pioneered several years ago by companies like Boston-based Core Security Technologies. Given the complex, ever-changing nature of most network-based enterprise software today, it’s unwise to assume that any network or application is totally secure. And by investing in software to attack your own systems, rather than waiting for hackers to do it, you might just discover vulnerabilities in time to prevent major data breaches.

Core Security’s whole business is to sell an advanced penetration testing software package called Core Impact—until this week, that is. While Core Impact has been adopted by more than 700 big-company customers, the company wanted to make penetration testing even more accessible, so today it’s announcing a streamlined version called Core Impact Essential, with a simplified interface tailored for smaller businesses or branch offices of big enterprises. The company’s original product, now called Core Impact Pro, has also been upgraded to detect more types of vulnerabilities in Web-based applications and to test networks running IPv6, the newer version of the Internet Protocol that is gradually replacing IPv4.

Core Security was founded in 1996, and is backed in part by Morgan Stanley Venture Partners, which contributed $4.5 million in Series B funding in 2005. We last wrote about the company in March, when it disclosed a security flaw in workstation virtualization programs from VMware that left the software vulnerable to takeover by hackers. The job of the company’s security lab, which is located in Buenos Aires, Argentina, is to seek out such vulnerabilities, design attacks that exploit them, and incorporate this information into the Core Impact software, the better to pinpoint related security holes in customers’ networks and applications.

One of the biggest reasons Core Security’s products appeal to IT administrators, says Core Security CEO Mark Hatton, is that penetration testing results help to persuade higher-ups that their companies should invest the time and money required to install patches for known vulnerabilities. “In a perfect world, all patches would be deployed, and things would be just fine,” says Hatton. But too often, he says, IT people “can’t get their own companies to agree there is a problem. Until they show that an attack can actually happen, they have disagreements about whether or not they are insecure. So one of the values of Core Impact is that it helps them to justify, internally, the need for patches.”

Automated penetration testing is gradually becoming standard practice in medium- to large-sized businesses, Hatton says; Core Impact Essential is designed to make it practical for small businesses as well. “There is independent research coming out of NIST and other sources that quite strongly advocates regular, automated penetration testing as part of a security process,” he says. “So what we are not doing today that we might have had to do four or five years ago is educate, educate, educate. We’re seeing customers say they want to do more with our product—so we’re moving quickly to address that need with different products and product families.”

Author: Wade Roush

Between 2007 and 2014, I was a staff editor for Xconomy in Boston and San Francisco. Since 2008 I've been writing a weekly opinion/review column called VOX: The Voice of Xperience. (From 2008 to 2013 the column was known as World Wide Wade.) I've been writing about science and technology professionally since 1994. Before joining Xconomy in 2007, I was a staff member at MIT’s Technology Review from 2001 to 2006, serving as senior editor, San Francisco bureau chief, and executive editor of TechnologyReview.com. Before that, I was the Boston bureau reporter for Science, managing editor of supercomputing publications at NASA Ames Research Center, and Web editor at e-book pioneer NuvoMedia. I have a B.A. in the history of science from Harvard College and a PhD in the history and social study of science and technology from MIT. I've published articles in Science, Technology Review, IEEE Spectrum, Encyclopaedia Britannica, Technology and Culture, Alaska Airlines Magazine, and World Business, and I've been a guest of NPR, CNN, CNBC, NECN, WGBH and the PBS NewsHour. I'm a frequent conference participant and enjoy opportunities to moderate panel discussions and on-stage chats. My personal site: waderoush.com. My social media coordinates: Twitter: @wroush; Facebook: facebook.com/wade.roush; LinkedIn: linkedin.com/in/waderoush; Google+: google.com/+WadeRoush; YouTube: youtube.com/wroush1967; Flickr: flickr.com/photos/wroush/; Pinterest: pinterest.com/waderoush/