Methods and systems for multi-tool orchestration

US 10,534,912 B1
Filed: 10/31/2018
Issued: 01/14/2020
Est. Priority Date: 10/31/2018
Status: Active Grant

First Claim

Patent Images

1. A system for performing code security scan, comprising:

a non-transitory computer readable medium storing;

a plurality of identifiers each identifying a software security analysis tool, the plurality of identifiers comprising;

a first identifier identifying a first software security analysis tool of a first category for performing Static Application Security Testing (SAST);

a second identifier identifying a second software security analysis tool of a second category for performing Dynamic Application Security Testing (DAST); and

a third identifier identifying a third software security analysis tool of a third category for performing Open Source Analysis (OSA); and

a processor configured to;

receive code to be scanned;

select at least two identifiers from the plurality of identifiers, each of the at least two identifiers identifying a software security analysis tool from a different category for execution on the code;

determine that a license status is expired for a first software security analysis tool of the at least two software security analysis tools;

generate a license renewal request for the first software security analysis tool;

send, to a licensor of the first software security analysis tool, the license renewal request;

receive, from the licensor, a license renewal for the first software security analysis tool;

update the license status for the first software security analysis tool to a renewed license status;

analyze the code to be scanned with the at least two software security analysis tools;

receive a result from each of the at least two software security analysis tools;

aggregate the result from each of the at least two software security analysis tools; and

display, in a user interface, the aggregation of the result from each of the at least two software security analysis tools.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A system for performing code security scan includes a non-transitory computer readable medium and a processor. The non-transitory computer readable medium stores a plurality of identifiers each identifying a software security analysis tool of one of several categories, including SAST, DAST and OSA tools. The processor receives an identification of code to be scanned. The processor selects at least two identifiers from the plurality of identifiers. The at least two identifiers identify at least two select software security analysis tools for execution on the identified code. The processor receives an execution result from each select software security analysis tool after performing execution on the identified code. The processor aggregates the execution result from each select software security analysis tool. A user interface displays an aggregation of the execution result from each select software security analysis tool.

Citations

19 Claims

1. A system for performing code security scan, comprising:
- a non-transitory computer readable medium storing;
  
  a plurality of identifiers each identifying a software security analysis tool, the plurality of identifiers comprising;
  
  a first identifier identifying a first software security analysis tool of a first category for performing Static Application Security Testing (SAST);
  
  a second identifier identifying a second software security analysis tool of a second category for performing Dynamic Application Security Testing (DAST); and
  
  a third identifier identifying a third software security analysis tool of a third category for performing Open Source Analysis (OSA); and
  
  a processor configured to;
  
  receive code to be scanned;
  
  select at least two identifiers from the plurality of identifiers, each of the at least two identifiers identifying a software security analysis tool from a different category for execution on the code;
  
  determine that a license status is expired for a first software security analysis tool of the at least two software security analysis tools;
  
  generate a license renewal request for the first software security analysis tool;
  
  send, to a licensor of the first software security analysis tool, the license renewal request;
  
  receive, from the licensor, a license renewal for the first software security analysis tool;
  
  update the license status for the first software security analysis tool to a renewed license status;
  
  analyze the code to be scanned with the at least two software security analysis tools;
  
  receive a result from each of the at least two software security analysis tools;
  
  aggregate the result from each of the at least two software security analysis tools; and
  
  display, in a user interface, the aggregation of the result from each of the at least two software security analysis tools.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13)
- - 2. The system of claim 1, wherein the of code includes a component name as registered in an application.
  - 3. The system of claim 1, wherein the of code includes a directory indicating where the code is stored in the system.
  - 4. The system of claim 1, wherein each software security analysis tool of the first, second and third categories is a standalone solution, a network-based client-server solution, a web-based solution, or a cloud-based solution.
  - 5. The system of claim 1, wherein the aggregation of the result from each of the at least two software security analysis tools displayed in the user interface comprises a severity, a category, and a name of the result.
  - 6. The system of claim 1, wherein the processor is configured to identify a “
    - false positive”
      
      result, and to subsequently instruct one of the first, the second, and the third software security analysis tools to perform a security scan on the identified code.
  - 7. The system of claim 1, wherein the user interface further displays a selectable button to allow a user to configure each software security analysis tool.
  - 8. The system of claim 1, wherein the aggregation of the result from each software security analysis tool displayed in the user interface further comprises a first score for a combined static analysis result, a second score for open source license analysis, and a third score for open source known vulnerabilities.
  - 9. The system of claim 1, wherein the non-transitory computer readable medium stores information of historical scan activity performed by each software security analysis tool for display in the user interface upon request.
  - 10. The system of claim 1, wherein the non-transitory computer readable medium stores status information of execution progress for each software security analysis tool for display in the user interface upon request, the status information comprising one of the following:
    - completed, in progress, and queued.
  - 11. The system of claim 1, wherein the processor is configured to compute a confidence score.
  - 12. The system of claim 1, wherein the processor is configured to select the at least two identifiers from the plurality of identifiers based on a configuration of the code.
  - 13. The system of claim 1, wherein the processor is configured to select the at least two identifiers from the plurality of identifiers based on a user'"'"'s selection provided via the user interface.

14. A multi-tool security analysis system comprising:
- one or more processors; and
  
  a memory in communication with the one or more processors and storing;
  
  a plurality of identifiers each identifying a software security analysis tool, the plurality of identifiers comprising;
  
  a first identifier identifying a first software security analysis tool of a first category for performing Static Application Security Testing (SAST);
  
  a second identifier identifying a second software security analysis tool of a second category for performing Dynamic Application Security Testing (DAST); and
  
  a third identifier identifying a third software security analysis tool of a third category for performing Open Source Analysis (OSA);
  
  wherein the software security analysis tools are presented on a multi-tool security analysis website associated with a host server, andwherein the memory stores instructions that, when executed by the one or more processors, are configured to cause the system to;
  
  receive, from the host server via a real-time application programming interface (API), an analysis request comprising code to be analyzed and at least two identifiers from the plurality of identifiers, the at least two identifiers identifying two or more software security analysis tools from two categories for execution on the software code;
  
  determine that a license status is expired for a first software security analysis tool of the two or more software security analysis tools;
  
  generate a license renewal request for the first software security analysis tool;
  
  send, to a licensor of the first software security analysis tool, the license renewal request;
  
  receive, from the licensor, a license renewal for the first software security analysis tool;
  
  update the license status for the first software security analysis tool to a renewed license status;
  
  analyze, with an execution of the two or more software security analysis tools, the code;
  
  aggregate an analysis output from each of the two or more software security analysis tools to create an aggregate result; and
  
  provide, to the host server via the real-time API, the aggregate result for a presentation on the multi-tool security analysis website.
- View Dependent Claims (15, 16, 17, 18)
- - 15. The system of claim 14, wherein the analysis request further comprising a software code identifier;
    - andwherein the software code identifier comprises a directory indicating a storage location of the code.
  - 16. The system of claim 14, wherein the aggregate result comprises an indication of a severity, a category, a name, and a confidence score for each of a plurality of identified vulnerabilities.
  - 17. The system of claim 14, wherein the instructions are further configured to cause the system to:
    - receive, from the host server via the real-time API, user-inputted configuration settings corresponding to at least one of the two or more software security analysis tools; and
      
      configure the at least one of the two or more software security analysis tools based on the user-inputted configuration settings.
  - 18. The system of claim 14, wherein the aggregate result comprises a first score for a combined static analysis result, a second score for open source license analysis, and a third score for open source known vulnerabilities.

19. A multi-tool security analysis system comprising:
- one or more processors; and
  
  a memory in communication with the one or more processors and storing;
  
  a plurality of identifiers each identifying a software security analysis tool, the plurality of identifiers comprising;
  
  a first identifier identifying a first software security analysis tool of a first category for performing Static Application Security Testing (SAST);
  
  a second identifier identifying a second software security analysis tool of a second category for performing Dynamic Application Security Testing (DAST); and
  
  a third identifier identifying a third software security analysis tool of a third category for performing Open Source Analysis (OSA);
  
  wherein the software security analysis tools are presented on a multi-tool security analysis website, andinstructions that, when executed by the one or more processors, are configured to cause the system to;
  
  receive an analysis request comprising a software code identifier for software code to be analyzed and at least two identifiers from the plurality of identifiers, the at least two identifiers identifying at least two software security analysis tools from two categories for execution on the software code;
  
  determine that a license status is expired for a first software security analysis tool of the at least two software security analysis tools;
  
  generate a license renewal request for the first software security analysis tool;
  
  send, to a licensor of the first software security analysis tool, the license renewal request;
  
  receive, from the licensor, a license renewal for the first software security analysis tool;
  
  update the license status for the first software security analysis tool to a renewed license status;
  
  analyze, with the at least two software security analysis tools, the software code;
  
  aggregate a vendor-specific output from each of the at least two software security analysis tools to create an aggregate result; and
  
  provide the aggregate result for presentation on the multi-tool security analysis website.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Capital One Services LLC (Capital One Financial Corporation)
Original Assignee
Capital One Services LLC (Capital One Financial Corporation)
Inventors
Youngberg, Adam
Primary Examiner(s)
Turchen, James R

Application Number

US16/177,178
Time in Patent Office

440 Days
Field of Search
US Class Current
CPC Class Codes

G06F 11/3604   Software analysis for verif...

G06F 21/105   Arrangements for software l...

G06F 21/554   involving event detection a...

G06F 21/562   Static detection

G06F 21/563   by source code analysis

G06F 21/566   Dynamic detection, i.e. det...

G06F 21/577   Assessing vulnerabilities a...

G06F 2221/033   Test or assess software

G06F 9/44536   Selecting among different v...

G06F 9/52   Program synchronisation; Mu...

Methods and systems for multi-tool orchestration

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

Citations

19 Claims

Specification

Solutions

Use Cases

Quick Links

Methods and systems for multi-tool orchestration

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

19 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links