System and method for application software security and auditing

US 10,594,733 B2
Filed: 04/05/2017
Issued: 03/17/2020
Est. Priority Date: 04/06/2016
Status: Active Grant

First Claim

Patent Images

1. A system comprising:

a data processor;

a network interface, in data communication with the data processor, for communication on a data network; and

an application security management system, executable by the data processor, to;

cause installation of a client application (app) agent in a client app on a client app server to instrument a plurality of input/output (I/O) points of the client app using a plurality of I/O instruments embedded at the plurality of I/O points and using a small code portion to detect when an I/O point of the plurality of I/O points is accessed;

communicate with the client app agent via the data network to collect trace data corresponding to data elements being accessed in the client app within a context of a current client app transaction associated with I/O point and previously identified as sensitive data;

cause transfer of information indicative of the trace data in the current client app transaction to a host site via the data network;

identify a policy corresponding to the trace data defined by a set of rules comprising a user output rule that is configured to add inline, field level data element encryption to the data elements being accessed as part of the current client app transaction; and

apply the policy configured with the inline, field level data element encryption to the sensitive data elements in the client app causing operational modification of the client app to conform to the policy while the client app is being used and the I/O point is being accessed as part of the current client app transaction by encrypting and decrypting one or more data elements of the data elements written to and read from a resource in the data network.

View all claims

3 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A system and method for application software security and auditing are disclosed. A particular embodiment includes an application security management system configured to: cause installation of a client application (app) agent in a client app on a client app server; communicate with the client app agent via a data network to collect trace data corresponding to data elements accessed in the client app and previously identified as sensitive data; cause transfer of information indicative of the trace data to a host site via the data network; identify a policy corresponding to the trace data; and apply the identified policy to the sensitive data elements in the client app.

40 Citations

View as Search Results

16 Claims

1. A system comprising:
- a data processor;
  
  a network interface, in data communication with the data processor, for communication on a data network; and
  
  an application security management system, executable by the data processor, to;
  
  cause installation of a client application (app) agent in a client app on a client app server to instrument a plurality of input/output (I/O) points of the client app using a plurality of I/O instruments embedded at the plurality of I/O points and using a small code portion to detect when an I/O point of the plurality of I/O points is accessed;
  
  communicate with the client app agent via the data network to collect trace data corresponding to data elements being accessed in the client app within a context of a current client app transaction associated with I/O point and previously identified as sensitive data;
  
  cause transfer of information indicative of the trace data in the current client app transaction to a host site via the data network;
  
  identify a policy corresponding to the trace data defined by a set of rules comprising a user output rule that is configured to add inline, field level data element encryption to the data elements being accessed as part of the current client app transaction; and
  
  apply the policy configured with the inline, field level data element encryption to the sensitive data elements in the client app causing operational modification of the client app to conform to the policy while the client app is being used and the I/O point is being accessed as part of the current client app transaction by encrypting and decrypting one or more data elements of the data elements written to and read from a resource in the data network.
- View Dependent Claims (2, 3, 4, 5, 6, 7)
- - 2. The system of claim 1, whereinthe application security management system being further configured to generate a user interface to prompt user selection of the sensitive data elements to monitor in the client app.
  - 3. The system of claim 1, whereinthe sensitive data elements being of a type from the group consisting of:
    - a database, a file system, a file directory, a software library, a file grouping, a dataset grouping, an individual file, a data object, a file portion, an individual table, a specific row or column within a table, a specific row or column within a database, a specific row or column within a spreadsheet, an individual data field or data item within a file, an individual data field or data item within a table, an individual data field or data item within a database, an individual data field or data item within a spreadsheet, an individual data field or data item within a web page, a textual data element, an image or graphical data element, an audio or video element, a data path, a data route, and a Uniform Resource Locator (URL).
  - 4. The system of claim 1, whereinthe application security management system being further configured to prompt user definition or configuration of the policy corresponding to the sensitive data elements in the client app.
  - 5. The system of claim 1, whereinthe policy includes a condition and an action to perform when the condition is detected, andthe set of rules that define the policy comprise one or more output rules that further comprise at least a log rule or a user output rule.
  - 6. The system of claim 1, whereinthe policy being of a type from the group consisting of:
    - a count policy, an alert policy, a redaction policy, and an encryption policy.
  - 7. The system of claim 1, whereinthe application security management system being further configured to generate an audit of instances of detection of access to the sensitive data elements in the client app,the audit identifies routes from which the sensitive data is accessed, to where the sensitive data is written, and where the sensitive data surfaces.

8. A computer-implemented method, comprising:
- causing installation of a client application (app) agent in a client app on a client app server to instrument a plurality of input/output (I/O) points of the client app using a plurality of I/O instruments embedded at the plurality of I/O points and using a small code portion to detect when an I/O point of the plurality of I/O points is accessed;
  
  communicating with the client app agent via the data network to collect trace data corresponding to data elements being accessed in the client app within a context of a current client app transaction associated with I/O point and previously identified as sensitive data;
  
  causing transfer of information indicative of the trace data in the current client app transaction to a host site via the data network;
  
  identify a policy corresponding to the trace data defined by a set of rules comprising a user output rule that is configured to add inline, field level data element encryption to the data elements being accessed as part of the current client app transaction; and
  
  applying the policy configured with the inline, field level data element encryption to the sensitive data elements in the client app causing operational modification of the client app to conform to the policy while the client app is being used and the I/O point is being accessed as part of the current client app transaction by encrypting and decrypting one or more data elements of the data elements written to and read from a resource in the data network.
- View Dependent Claims (9, 10, 11, 12, 13, 14)
- - 9. The method of claim 8, comprisinggenerating a user interface to prompt user selection of the sensitive data elements to monitor in the client app.
  - 10. The method of claim 8, whereinthe sensitive data elements being of a type from the group consisting of:
    - a database, a file system, a file directory, a software library, a file grouping, a dataset grouping, an individual file, a data object, a file portion, an individual table, a specific row or column within a table, a specific row or column within a database, a specific row or column within a spreadsheet, an individual data field or data item within a file, an individual data field or data item within a table, an individual data field or data item within a database, an individual data field or data item within a spreadsheet, an individual data field or data item within a web page, a textual data element, an image or graphical data element, an audio or video element, a data path, a data route, and a Uniform Resource Locator (URL).
  - 11. The method of claim 8, comprisingprompting user definition or configuration of the policy corresponding to the sensitive data elements in the client app.
  - 12. The method of claim 8, whereinthe policy includes a condition and an action to perform when the condition is detected, andthe set of rules that define the policy comprise one or more output rules that further comprise at least a log rule or a user output rule.
  - 13. The method of claim 8, whereinthe policy being of a type from the group consisting of:
    - a count policy, an alert policy, a redaction policy, and an encryption policy.
  - 14. The method of claim 8, comprisinggenerating an audit of instances of detection of access to the sensitive data elements in the client app.

15. A non-transitory machine-useable storage medium embodying instructions which, when executed by a machine, cause the machine to:
- cause installation of a client application (app) agent in a client app on a client app server to instrument a plurality of input/output (I/O) points of the client app using a plurality of I/O instruments embedded at the plurality of I/O points and using a small code portion to detect when an I/O point of the plurality of I/O points is accessed;
  
  communicate with the client app agent via the data network to collect trace data corresponding to data elements being accessed in the client app within a context of a current client app transaction associated with I/O point and previously identified as sensitive data;
  
  cause transfer of information indicative of the trace data in the current client app transaction to a host site via the data network;
  
  identify a policy corresponding to the trace data defined by a set of rules comprising a user output rule that is configured to add inline, field level data element encryption to the data elements being accessed as part of the current client app transaction; and
  
  apply the policy configured with the inline, field level data element encryption to the sensitive data elements in the client app causing operational modification of the client app to conform to the policy while the client app is being used and the I/O point is being accessed as part of the current client app transaction by encrypting and decrypting one or more data elements of the data elements written to and read from a resource in the data network.
- View Dependent Claims (16)
- - 16. The machine-useable storage medium of claim 15, whereinthe instructions being further configured to generate a user interface to prompt user selection of the sensitive data elements to monitor in the client app.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Rapid7, Inc.
Original Assignee
Rapid7, Inc.
Inventors
Feiertag, Michael, Held, Garrett, Eriksson, Andre, Saar, William
Primary Examiner(s)
Kim, Tae K

Application Number

US15/480,229
Publication Number

US 20170295206A1
Time in Patent Office

1,077 Days
Field of Search
US Class Current
CPC Class Codes

G06F 21/577   Assessing vulnerabilities a...

G06F 21/6245   Protecting personal data, e...

G06F 2221/033   Test or assess software

G06F 8/61   Installation

H04L 63/1425   Traffic logging, e.g. anoma...

H04L 63/20   for managing network securi...

System and method for application software security and auditing

First Claim

3 Assignments

0 Petitions

Accused Products

Abstract

40 Citations

16 Claims

Specification

Use Cases

Quick Links

Others

System and method for application software security and auditing

First Claim

3 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

40 Citations

16 Claims

Specification

Subscription Required

Use Cases

Quick Links

Others