Security policy management
Abstract
A method performed by a computing system includes, with a computing system, receiving an application and a security policy corresponding to the application, the security policy for use with a security enforcement mechanism, with the computing system, receiving a data structure associated with the application and the security policy, wherein the data structure associates a logged denial by the security enforcement mechanism with a rule of the security policy, wherein the data structure further associates the logged denial with a test for the rule, the test to determine if the rule prevents the denial, with the computing system, applying the test using a temporary security policy, the temporary security policy having the rule removed, and with the computing system, in response to determining that the applying does not result in a denial corresponding to the logged denial, flagging the data structure.
20 Claims
1. A method performed by a computing system, the method comprising:
with a computing system, receiving an application and a security policy corresponding to the application, the security policy for use with a security enforcement mechanism;
with the computing system, receiving a data structure associated with the application and the security policy, wherein the data structure associates a logged denial by the security enforcement mechanism with a rule of the security policy, wherein the data structure further associates the logged denial with a test for the rule, the test to determine if the rule prevents the denial;
with the computing system, applying the test using a temporary security policy, the temporary security policy having the rule removed; and
with the computing system, in response to determining that the applying does not result in a denial corresponding to the logged denial, flagging the data structure.
(Dependent claims 2 to 12 are not reproduced on this page.)
13. A method comprising:
with a computing system, receiving an application and a security policy corresponding to the application, the security policy for use with a security enforcement mechanism;
with the computing system, receiving a data structure associated with the application and the security policy, the data structure comprising a set of tuples, each tuple associating a logged denial by the security enforcement mechanism with a rule of the security policy that caused that denial and a test for the rule;
with the computing system, for each tuple, applying the test of that tuple using a temporary security policy, the temporary security policy having the rule of that tuple removed; and
with the computing system, in response to determining that the applying does not result in a denial corresponding to the logged denial of that tuple, flagging the tuple; and
with the computing system, removing the tuple without removing unflagged tuples.
(Dependent claims 14 to 17 are not reproduced on this page.)
18. A method performed by a computing system, the method comprising:
with a computing system, during a testing phase for development of an application, running the application with a security policy on a system that uses a security enforcement mechanism;
with the computing system, in response to determining that the application causes a denial, creating a data structure that associates the denial with the rule intended to prevent the denial and a test used to determine if the rule prevents the denial;
with the computing system, after the testing phase, applying the test using a temporary security policy, the temporary security policy having the rule disabled; and
with the computing system, in response to determining that the applying does not result in a new denial corresponding to the denial, flagging the information within the data structure;
with the computing system, in response to flagging the information within the data structure, removing the flagged information without removing information that is not flagged.
(Dependent claims 19 and 20 are not reproduced on this page.)
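The procedure the independent claims describe (record a tuple of logged denial, the rule added to prevent it and a test that exercises the access; later re-run each test under a temporary policy with that tuple's rule removed; flag tuples whose denial does not recur; remove the flagged tuples and keep the rest), as an added worked example in Python. This is not code from the patent or from any product; the toy allow-list enforcer, the rule and denial format, the application functions, the subject label `app_t` and all paths are constructed for the illustration, and a real deployment would drive an actual security enforcement mechanism and its denial log instead.

```python
"""Added example: pruning (denial, rule, test) tuples by re-testing with the rule removed."""
from dataclasses import dataclass
from fnmatch import fnmatchcase
from typing import Callable, List, Set


# Constructed toy enforcement mechanism: an access is allowed only if some
# rule matches it; anything else is denied and logged. Real enforcers are
# far richer; only the shape of the check matters here.
@dataclass(frozen=True)
class Rule:
    subject: str
    target: str   # may contain a wildcard, e.g. "/var/log/app/*"
    perm: str


@dataclass(frozen=True)
class Denial:
    subject: str
    target: str
    perm: str


class Enforcer:
    def __init__(self, rules: Set[Rule]):
        self.rules = set(rules)
        self.log: List[Denial] = []

    def access(self, subject: str, target: str, perm: str) -> bool:
        for r in self.rules:
            if r.subject == subject and r.perm == perm and fnmatchcase(target, r.target):
                return True
        self.log.append(Denial(subject, target, perm))   # logged denial
        return False


@dataclass
class Entry:
    """One tuple of the data structure: the logged denial, the rule added to
    prevent it, and a test that exercises the application code path."""
    denial: Denial
    rule: Rule
    test: Callable[[Enforcer], None]
    flagged: bool = False


def corresponds(new: Denial, logged: Denial) -> bool:
    # Match on the denial's identity, not on "any denial at all": a test may
    # trip an unrelated denial that says nothing about this rule.
    return new == logged


def rule_still_needed(policy: Set[Rule], entry: Entry) -> bool:
    """Apply the tuple's test under a temporary policy with its rule removed.
    True if a denial corresponding to the logged one recurs."""
    temp = Enforcer(policy - {entry.rule})
    entry.test(temp)
    return any(corresponds(d, entry.denial) for d in temp.log)


def prune(policy: Set[Rule], entries: List[Entry]):
    """Flag tuples whose denial no longer recurs; remove them, keep the rest."""
    for e in entries:
        e.flagged = not rule_still_needed(policy, e)
    kept = [e for e in entries if not e.flagged]
    removed = [e for e in entries if e.flagged]
    return kept, removed


# Constructed "current version" of the application, exercised by the tests.
APP = "app_t"


def read_config(enf: Enforcer) -> None:
    enf.access(APP, "/etc/app/app.conf", "read")


def startup(enf: Enforcer) -> None:
    # Earlier versions also wrote /var/cache/app/index; this one keeps it in memory.
    read_config(enf)


def rotate_logs(enf: Enforcer) -> None:
    enf.access(APP, "/var/log/app/app.log", "write")


def write_pidfile(enf: Enforcer) -> None:
    enf.access(APP, "/run/app/app.pid", "write")   # path moved from /run/app.pid


POLICY: Set[Rule] = {
    Rule(APP, "/etc/app/app.conf", "read"),
    Rule(APP, "/var/cache/app/index", "write"),
    Rule(APP, "/var/log/app/app.log", "write"),
    Rule(APP, "/var/log/app/*", "write"),      # broader rule added later; covers the one above
    Rule(APP, "/run/app.pid", "write"),
}

ENTRIES: List[Entry] = [
    Entry(Denial(APP, "/etc/app/app.conf", "read"), Rule(APP, "/etc/app/app.conf", "read"), read_config),
    Entry(Denial(APP, "/var/cache/app/index", "write"), Rule(APP, "/var/cache/app/index", "write"), startup),
    Entry(Denial(APP, "/var/log/app/app.log", "write"), Rule(APP, "/var/log/app/app.log", "write"), rotate_logs),
    Entry(Denial(APP, "/run/app.pid", "write"), Rule(APP, "/run/app.pid", "write"), write_pidfile),
]


def run_example():
    kept, removed = prune(POLICY, [Entry(e.denial, e.rule, e.test) for e in ENTRIES])
    return [e.rule.target for e in kept], [e.rule.target for e in removed]


if __name__ == "__main__":
    kept, removed = run_example()
    print("still needed:", kept)
    print("flagged and removed:", removed)
```

Only the first tuple survives: removing its rule makes the same denial recur. The other three are flagged for different reasons, and the method does not distinguish them: the cache write no longer happens in the current code, the log rule is shadowed by a broader wildcard rule, and the pid-file test does trip a denial but on a different path, so it does not correspond to the logged one. That last case is why `corresponds` compares the denial's identity rather than checking for any denial; with an "any denial" check the stale `/run/app.pid` tuple would have been kept while the new `/run/app/app.pid` denial went unnoticed.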