Vulnerability analysis of software components

US 10,691,808 B2
Filed: 12/10/2015
Issued: 06/23/2020
Est. Priority Date: 12/10/2015
Status: Active Grant

First Claim

Patent Images

1. A computer-implemented method for monitoring security of an application, the method being executed by one or more processors and comprising:

receiving, by the one or more processors, the application developed by a first vendor;

processing, by the one or more processors, the application using an application analysis system that comprises a plurality of analysis sensors, processing comprising;

identifying a plurality of software components used by the application that were developed by vendors other than the first vendor using a first sensor of the application analysis system to provide first component information, and a second sensor of the application analysis system to provide second component information, the first sensor comprising a binary analysis sensor configured to de-compose and analyze the application to provide the first component information comprising post-compilation information corresponding to a first portion of the plurality of software components that are included in the application after compilation, the second sensor comprising a deployment sensor configured to monitor a test deployment of the application in an execution environment based on runtime dependencies of the application and to provide the second component information comprising deployment information, andproviding a list of third-party software components associated with the application at least partially by performing a correlation of the post-compilation information and the deployment information, the list comprising each of the identified software components and component information comprising origins of the identified software components, version information, and vulnerability information, wherein the correlation eliminates duplication of the identified software components and avoids missing application components that are visible for only one of the first sensor and the second sensor;

for each software component included in the list, processing, by the one or more processors, the component information to determine a vulnerability of the software component; and

correcting the vulnerability of the software component by selectively providing a code to a computing device configured to execute the application, in response to determining the vulnerability of the software component.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Methods, systems, and apparatus, including computer programs encoded on a computer storage medium, for receiving an application developed by a first vendor. Processing the application, by performing a byte-code analysis of the application, to: identify a plurality of software components used by the application that were developed by vendors other than the first vendor, and provide a list of third-party software components associated with the application, the list including each of the identified software components. determining, for each software component included in the list, whether the software component has a vulnerability and, if so, selectively providing code to correct the vulnerability of the software component.

Citations

19 Claims

1. A computer-implemented method for monitoring security of an application, the method being executed by one or more processors and comprising:
- receiving, by the one or more processors, the application developed by a first vendor;
  
  processing, by the one or more processors, the application using an application analysis system that comprises a plurality of analysis sensors, processing comprising;
  
  identifying a plurality of software components used by the application that were developed by vendors other than the first vendor using a first sensor of the application analysis system to provide first component information, and a second sensor of the application analysis system to provide second component information, the first sensor comprising a binary analysis sensor configured to de-compose and analyze the application to provide the first component information comprising post-compilation information corresponding to a first portion of the plurality of software components that are included in the application after compilation, the second sensor comprising a deployment sensor configured to monitor a test deployment of the application in an execution environment based on runtime dependencies of the application and to provide the second component information comprising deployment information, andproviding a list of third-party software components associated with the application at least partially by performing a correlation of the post-compilation information and the deployment information, the list comprising each of the identified software components and component information comprising origins of the identified software components, version information, and vulnerability information, wherein the correlation eliminates duplication of the identified software components and avoids missing application components that are visible for only one of the first sensor and the second sensor;
  
  for each software component included in the list, processing, by the one or more processors, the component information to determine a vulnerability of the software component; and
  
  correcting the vulnerability of the software component by selectively providing a code to a computing device configured to execute the application, in response to determining the vulnerability of the software component.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16, 17)
- - 2. The method of claim 1, comprising providing a report indicating which of the plurality of software components in the list have vulnerabilities.
  - 3. The method of claim 1, wherein processing the application comprises:
    - identifying a first set of the plurality of software components by performing a first analysis of the application, wherein the first analysis is an analysis of byte-code of the application to identify the software components based on links to dynamic libraries; and
      
      identifying a second set of the plurality of software components by performing a second analysis of the application.
  - 4. The method of claim 3, wherein the second analysis is an analysis of the application to identify the software components based on static dependencies of the application.
  - 5. The method of claim 3, wherein the second analysis is an analysis of source code of the application to identify the software components based on portions of the software components used by the application.
  - 6. The method of claim 3, wherein the second analysis is an analysis of the application to identify the software components based on run-time dependencies of the application.
  - 7. The method of claim 3, wherein processing the application comprises:
    - determining that a name of a first software component identified by the first analysis is identical to a name of a second software component identified by the second analysis; and
      
      determining to include the first software component in list of third-party software components and to not include the second software component in the list of third-party software components, wherein the determination is based on characteristics of the first analysis and characteristics of the second analysis.
  - 8. The method of claim 3, wherein the first analysis is performed at a first stage of development of the application and the second analysis is performed at a second stage of development of the application.
  - 9. The method of claim 1, wherein the list of third-party software components comprises characteristics associated with each of the software components.
  - 10. The method of claim 9, wherein the characteristics comprise one of a major version of a first component of the software components, a minor version of a second component of the software components, and an origin of a third component of the software components.
  - 11. The method of claim 1, wherein determining, for each software component in the list, whether the software component has an exploitable vulnerability comprises regularly querying a server system for vulnerabilities associated with the software component.
  - 12. The method of claim 11, wherein the server system is a database listing known vulnerabilities.
  - 13. The method of claim 11, wherein the server system is a website of a third-party vendor.
  - 14. The method of claim 1, wherein determining, for each software component in the list, whether the software component has the vulnerability comprises determining a version of the software component, for which the vulnerability has been corrected.
  - 15. The method of claim 1, wherein determining, for each software component in the list, whether the software component has the vulnerability comprises:
    - identifying a portion of the software component affected by the vulnerability; and
      
      determining whether the application is exposed to the portion of the software component affected by the vulnerability.
  - 16. The method of claim 15, wherein identifying the portion of the software component affected by the vulnerability comprises identifying a specific function or method of the software component that is affected by the vulnerability.
  - 17. The method of claim 15, wherein determining whether the application is exposed to the portion of the software component affected by the vulnerability comprises:
    - determining whether the application uses the portion of the software component affected by the vulnerability; and
      
      determining whether the portion of the software component affected by the vulnerability can be accessed from the application by a user.

18. A system for monitoring security of an application, the system comprising:
- one or more computers; and
  
  a computer-readable medium coupled to the one or more computers having instructions stored thereon which, when executed by the one or more computers, cause the one or more computers to perform operations, the operations comprising;
  
  receiving the application developed by a first vendor;
  
  processing the application using an application analysis system that comprises a plurality of analysis sensors, processing comprising;
  
  identifying a plurality of software components used by the application that were developed by vendors other than the first vendor using a first sensor of the application analysis system to provide first component information, and a second sensor of the application analysis system to provide second component information, the first sensor comprising a binary analysis sensor configured to de-compose and analyze the application to provide the first component information comprising post-compilation information corresponding to a first portion of the plurality of software components that are included in the application after compilation, the second sensor comprising a deployment sensor configured to monitor a test deployment of the application in an execution environment based on runtime dependencies of the application and to provide the second component information comprising deployment information, andproviding a list of third-party software components associated with the application at least partially by performing a correlation of the post-compilation information and the deployment information, the list comprising each of the identified software components and component information comprising origins of the identified software components, version information, and vulnerability information, wherein the correlation eliminates duplication of the identified software components and avoids missing application components that are visible for only one of the first sensor and the second sensor;
  
  for each software component included in the list, processing the component information to determine a vulnerability of the software component; and
  
  correcting the vulnerability of the software component by selectively providing a code to a computing device configured to execute the application, in response to determining the vulnerability of the software component.

19. A non-transitory computer-readable storage medium coupled to one or more processors and having instructions stored thereon which, when executed by the one or more processors, cause the one or more processors to perform operations for monitoring security of an application, the operations comprising:
- receiving the application developed by a first vendor;
  
  processing the application using an application analysis system that comprises a plurality of analysis sensors, processing comprising;
  
  identifying a plurality of software components used by the application that were developed by vendors other than the first vendor using a first sensor of the application analysis system to provide first component information, and a second sensor of the application analysis system to provide second component information, the first sensor comprising a binary analysis sensor configured to de-compose and analyze the application to provide the first component information comprising post-compilation information corresponding to a first portion of the plurality of software components that are included in the application after compilation, the second sensor comprising a deployment sensor configured to monitor a test deployment of the application in an execution environment based on runtime dependencies of the application and to provide the second component information comprising deployment information, andproviding a list of third-party software components associated with the application at least partially by performing a correlation of the post-compilation information and the deployment information, the list comprising each of the identified software components and component information comprising origins of the identified software components, version information, and vulnerability information, wherein the correlation eliminates duplication of the identified software components and avoids missing application components that are visible for only one of the first sensor and the second sensor;
  
  for each software component included in the list, processing the component information to determine a vulnerability of the software component; and
  
  correcting the vulnerability of the software component bar selectively providing a code to a computing device configured to execute the application, in response to determining the vulnerability of the software component.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
SAP SE
Original Assignee
SAP SE
Inventors
Brucker, Achim D., Dashevskyi, Stanislav
Primary Examiner(s)
Pham, Luu T
Assistant Examiner(s)
Wilcox, James J

Application Number

US14/965,449
Publication Number

US 20170169229A1
Time in Patent Office

1,657 Days
Field of Search
US Class Current
CPC Class Codes

G06F 21/566   Dynamic detection, i.e. det...

G06F 21/577   Assessing vulnerabilities a...

G06F 2221/033   Test or assess software

Vulnerability analysis of software components

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

Citations

19 Claims

Specification

Solutions

Use Cases

Quick Links

Vulnerability analysis of software components

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

19 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links