If you’re a typical homeowner, it would probably be overkill to have a live-in plumber who spends all his time checking the pipes for leaks. But if your plumbing system were constantly getting new parts, carrying volatile new liquids, and fending off corrosive agents, it might not be such a bad idea.
That’s the basic concept behind automated penetration testing software, a corner of the computer security business pioneered several years ago by companies like Boston-based Core Security Technologies. Given the complex, ever-changing nature of most network-based enterprise software today, it’s unwise to assume that any network or application is totally secure. And by investing in software to attack your own systems, rather than waiting for hackers to do it, you might just discover vulnerabilities in time to prevent major data breaches.
Core Security’s whole business is to sell an advanced penetration testing software package called Core Impact—until this week, that is. While Core Impact has been adopted by more than 700 big-company customers, the startup wanted to make penetration testing even more accessible, so today it’s announcing a streamlined version called Core Impact Essential, with a simplified interface tailored for smaller businesses or branch offices of big enterprises. The company’s original product, now called Core Impact Pro, has also been upgraded to detect more types of vulnerabilities in Web-based applications and to deal with the new IPv6 improvements to the global Internet Protocol.
Core Security was founded in 1996, and is backed in part by Morgan Stanley Venture Partners, which contributed $4.5 million in Series B funding in 2005. We last wrote about the company in March, when it disclosed a security flaw in workstation virtualization programs from VMware that left the software vulnerable to takeover by hackers. The job of the company’s security lab, which is located in Buenos Aires, Argentina, is to seek out such vulnerabilities, design attacks that exploit them, and incorporate this information into the Core Impact software, the better to pinpoint related security holes in customers’ networks and applications.
One of the biggest reasons Core Security’s products appeal to IT administrators, says Core Security CEO Mark Hatton, is that penetration testing results help to persuade higher-ups that their companies should invest the time and money required to install patches for known vulnerabilities. “In a perfect world, all patches would be deployed, and things would be just fine,” says Hatton. But too often, he says, IT people “can’t get their own companies to agree there is a problem. Until they show that an attack can actually happen, they have disagreements about whether or not they are insecure. So one of the values of Core Impact is that it helps them to justify, internally, the need for patches.”
Automated penetration testing is gradually becoming standard practice in medium- to large-sized businesses, Hatton says; Core Impact Essential is designed to make it practical for small businesses as well. “There is independent research coming out of NIST and other sources that quite strongly advocates regular, automated penetration testing as part of a security process,” he says. “So what we are not doing today that we might have had to do four or five years ago is educate, educate, educate. We’re seeing customers say they want to do more with our product—so we’re moving quickly do address that need with different products and product families.”
