System and method for application software security and auditing
First Claim
1. A system comprising:
a data processor;
a network interface, in data communication with the data processor, for communication on a data network; and
an application security management system, executable by the data processor, to:
cause installation of a client application (app) agent in a client app on a client app server to instrument a plurality of input/output (I/O) points of the client app using a plurality of I/O instruments embedded at the plurality of I/O points and using a small code portion to detect when an I/O point of the plurality of I/O points is accessed;
communicate with the client app agent via the data network to collect trace data corresponding to data elements being accessed in the client app within a context of a current client app transaction associated with I/O point and previously identified as sensitive data;
cause transfer of information indicative of the trace data in the current client app transaction to a host site via the data network;
identify a policy corresponding to the trace data defined by a set of rules comprising a user output rule that is configured to add inline, field level data element encryption to the data elements being accessed as part of the current client app transaction; and
apply the policy configured with the inline, field level data element encryption to the sensitive data elements in the client app causing operational modification of the client app to conform to the policy while the client app is being used and the I/O point is being accessed as part of the current client app transaction by encrypting and decrypting one or more data elements of the data elements written to and read from a resource in the data network.
3 Assignments
0 Petitions
Abstract
A system and method for application software security and auditing are disclosed. A particular embodiment includes an application security management system configured to: cause installation of a client application (app) agent in a client app on a client app server; communicate with the client app agent via a data network to collect trace data corresponding to data elements accessed in the client app and previously identified as sensitive data; cause transfer of information indicative of the trace data to a host site via the data network; identify a policy corresponding to the trace data; and apply the identified policy to the sensitive data elements in the client app.
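The abstract describes an agent installed in the client app that instruments its I/O points, reports trace data about data elements already classified as sensitive, and applies a policy that encrypts those elements inline at field level on write and decrypts them on read. The following Go program is an added illustration of that flow, not code from the patent or from any assignee's product: an Agent wraps a Write and a Read I/O point over an in-memory stand-in for the networked resource, a Policy names the sensitive fields (the "user output rule"), AES-GCM from the standard library does the field-level encryption with the field name bound as associated data, and a Trace log records each access for the host site without carrying any field value. The key, the field names, the sample record and the in-memory store are all constructed assumptions for the example.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/base64"
	"fmt"
	"strings"
)

const encPrefix = "enc:" // marks a stored value the agent must open on read

// Policy is the "user output rule": which data elements are classified sensitive.
type Policy struct{ SensitiveFields map[string]bool }

// TraceEvent is what the agent reports to the host site per I/O access.
// It carries no field value, so the trace channel itself cannot leak plaintext.
type TraceEvent struct{ TxID, IOPoint, Field, Action string }

// Agent instruments the app's write and read I/O points; Store stands in for
// the networked resource (field -> value as actually stored there).
type Agent struct {
	policy Policy
	aead   cipher.AEAD
	Store  map[string]string
	Trace  []TraceEvent
}

// NewAgent installs the agent with a 16, 24 or 32-byte AES key (assumed to come from a KMS).
func NewAgent(key []byte, policy Policy) (*Agent, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	aead, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	return &Agent{policy: policy, aead: aead, Store: map[string]string{}}, nil
}

// sealField encrypts one value with AES-GCM under a fresh random nonce. The field name
// is bound as associated data, so a ciphertext copied into another column fails to open.
func (a *Agent) sealField(field, plaintext string) (string, error) {
	nonce := make([]byte, a.aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return "", err
	}
	ct := a.aead.Seal(nonce, nonce, []byte(plaintext), []byte(field))
	return encPrefix + base64.StdEncoding.EncodeToString(ct), nil
}

// openField reverses sealField and fails closed on truncation or tampering.
func (a *Agent) openField(field, stored string) (string, error) {
	raw, err := base64.StdEncoding.DecodeString(strings.TrimPrefix(stored, encPrefix))
	ns := a.aead.NonceSize()
	if err != nil || len(raw) < ns {
		return "", fmt.Errorf("field %q: malformed stored value", field)
	}
	pt, err := a.aead.Open(nil, raw[:ns], raw[ns:], []byte(field))
	if err != nil {
		return "", fmt.Errorf("field %q: %w", field, err)
	}
	return string(pt), nil
}

// Write is the instrumented output I/O point: sensitive fields leave the app only as ciphertext.
func (a *Agent) Write(txID string, record map[string]string) error {
	for f, v := range record {
		stored, action := v, "passthrough"
		if a.policy.SensitiveFields[f] {
			ct, err := a.sealField(f, v)
			if err != nil {
				return err
			}
			stored, action = ct, "encrypt"
		}
		a.Store[f] = stored
		a.Trace = append(a.Trace, TraceEvent{txID, "write", f, action})
	}
	return nil
}

// Read is the instrumented input I/O point: ciphertext is opened transparently for the app.
func (a *Agent) Read(txID string, fields []string) (map[string]string, error) {
	out := make(map[string]string, len(fields))
	for _, f := range fields {
		stored, action := a.Store[f], "passthrough"
		if strings.HasPrefix(stored, encPrefix) {
			pt, err := a.openField(f, stored)
			if err != nil {
				return nil, err
			}
			stored, action = pt, "decrypt"
		}
		out[f] = stored
		a.Trace = append(a.Trace, TraceEvent{txID, "read", f, action})
	}
	return out, nil
}

func main() {
	key := []byte("0123456789abcdef0123456789abcdef") // constructed 32-byte demo key, not KMS-issued
	agent, err := NewAgent(key, Policy{SensitiveFields: map[string]bool{"ssn": true}})
	if err != nil {
		panic(err)
	}
	_ = agent.Write("tx-1", map[string]string{"name": "alice", "ssn": "123-45-6789"}) // constructed record
	got, _ := agent.Read("tx-1", []string{"name", "ssn"})
	fmt.Println("resource holds:", agent.Store["ssn"], "| app sees:", got, "| trace:", agent.Trace)
}
```

Three checks a practitioner would run against any agent of this kind are built into the example: the value that lands in the resource is ciphertext, so a dump or a database administrator sees nothing usable; the trace events sent to the host site carry field names and actions but never values; and a ciphertext moved into a different column, or truncated, fails to open rather than decrypting silently. The caveat the claims do not address is key custody: the agent holds the key on the client app server, so inline encryption protects the resource and the network path, not an attacker who already controls the app process.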
40 Citations
16 Claims
1. A system comprising: (claim 1 is set out in full above under First Claim; dependent claims 2-7 are not reproduced on this page.)
8. A computer-implemented method, comprising:
causing installation of a client application (app) agent in a client app on a client app server to instrument a plurality of input/output (I/O) points of the client app using a plurality of I/O instruments embedded at the plurality of I/O points and using a small code portion to detect when an I/O point of the plurality of I/O points is accessed;
communicating with the client app agent via the data network to collect trace data corresponding to data elements being accessed in the client app within a context of a current client app transaction associated with I/O point and previously identified as sensitive data;
causing transfer of information indicative of the trace data in the current client app transaction to a host site via the data network;
identify a policy corresponding to the trace data defined by a set of rules comprising a user output rule that is configured to add inline, field level data element encryption to the data elements being accessed as part of the current client app transaction; and
applying the policy configured with the inline, field level data element encryption to the sensitive data elements in the client app causing operational modification of the client app to conform to the policy while the client app is being used and the I/O point is being accessed as part of the current client app transaction by encrypting and decrypting one or more data elements of the data elements written to and read from a resource in the data network.
(Dependent claims 9-14 are not reproduced on this page.)
15. A non-transitory machine-useable storage medium embodying instructions which, when executed by a machine, cause the machine to:
cause installation of a client application (app) agent in a client app on a client app server to instrument a plurality of input/output (I/O) points of the client app using a plurality of I/O instruments embedded at the plurality of I/O points and using a small code portion to detect when an I/O point of the plurality of I/O points is accessed;
communicate with the client app agent via the data network to collect trace data corresponding to data elements being accessed in the client app within a context of a current client app transaction associated with I/O point and previously identified as sensitive data;
cause transfer of information indicative of the trace data in the current client app transaction to a host site via the data network;
identify a policy corresponding to the trace data defined by a set of rules comprising a user output rule that is configured to add inline, field level data element encryption to the data elements being accessed as part of the current client app transaction; and
apply the policy configured with the inline, field level data element encryption to the sensitive data elements in the client app causing operational modification of the client app to conform to the policy while the client app is being used and the I/O point is being accessed as part of the current client app transaction by encrypting and decrypting one or more data elements of the data elements written to and read from a resource in the data network.
(Dependent claim 16 is not reproduced on this page.)