Static security scanner for applications in a remote network management platform
First Claim
1. A remote network management system comprising:
a computational instance associated with a managed network, the computational instance running in an environment having hardware resources configured to host a particular application, wherein the particular application is based on program code, uses one or more database tables, and defines at least two user roles with respect to accessing the program code and the one or more database tables, wherein a first user role of the at least two user roles and a second user role of the at least two user roles have different sets of access permissions to the program code and the one or more database tables; and
one or more processors; and
a memory, wherein the memory includes instructions that, when executed by the one or more processors, cause the one or more processors to:
receive, from a graphical user interface displayed on a client device, a request to scan the particular application, wherein the request comprises an identifier of the computational instance, a password for access to the computational instance, and an identifier of the particular application;
in response to receiving the request to scan the particular application, retrieve the program code, the one or more database tables, and the at least two user roles from the computational instance based on the identifier of the computational instance, the password for access to the computational instance, and the identifier of the particular application;
conduct a static security scan of the program code, the one or more database tables, and the at least two user roles, wherein conducting the security scan comprises:
applying a set of rules that define security vulnerabilities that can be found in hosted applications on the remote network management system, wherein the set of rules take into account (i) relationships between the at least two user roles and the program code, (ii) relationships between the at least two user roles and the one or more database tables, and (iii) relationships between the at least two user roles; and
identifying, as a security vulnerability, a relationship between the first user role and the second user role, wherein the relationship comprises the first user role deriving access permissions from the second user role; and
transmit, to the client device, an update to the graphical user interface, wherein the update contains a categorized list of observed security vulnerabilities of the particular application that were found by the static security scan.
Abstract
An example embodiment may involve a remote network management platform including a computational instance hosting a particular application. The particular application may be based on a unit of program code, use one or more database tables, and define one or more user roles with respect to accessing the program code and the database tables. A scanner application may be configured to: receive, from a client device, a request to scan the particular application; retrieve the particular application; conduct a static security scan by applying a set of rules that define security vulnerabilities, where the rules take into account (i) relationships between the user roles and the unit of program code, and (ii) relationships between the user roles and the database table; and transmit, to the client device, a representation of a web page that contains observed security vulnerabilities of the particular application.
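The first claim and the abstract describe the scan as a rule engine over three kinds of relationship: role-to-code, role-to-table, and role-to-role, with one named vulnerability (a role deriving its permissions from another role) and a categorized list as output. The following is an added example, not code from the patent or from any product it may describe, showing one way such a rule set can be expressed and run over a model of a hosted application. The data model (Role, CodeUnit, Table, App), the rule names, the idea that "admin" is the privileged role whose inheritance is flagged, and the sample application are all assumptions made for illustration.

```python
# Added example (not the patent's own code): a toy rule-driven static scanner over an
# application's roles, program code and tables. The data model and the privileged
# role name "admin" are assumptions made for illustration.
from collections import defaultdict
from dataclasses import dataclass, field

PRIVILEGED_ROLES = {"admin"}  # assumption: roles no other role should quietly inherit

@dataclass
class Role:
    name: str
    inherits: set = field(default_factory=set)  # roles this role derives permissions from

@dataclass
class CodeUnit:
    name: str
    callable_by: set = field(default_factory=set)  # roles that may run it; empty = anyone
    reads_tables: set = field(default_factory=set)  # tables it reads on the caller's behalf

@dataclass
class Table:
    name: str
    readers: set = field(default_factory=set)  # roles that may read it; empty = anyone
    sensitive: bool = False

@dataclass
class App:
    roles: dict  # name -> Role
    code: list  # CodeUnit
    tables: dict  # name -> Table

@dataclass(frozen=True)
class Finding:
    category: str  # role_inheritance | code_access | table_access
    rule: str
    detail: str

def effective_roles(roles, name):
    """Transitive closure of role inheritance; tolerates cycles and unknown roles."""
    seen, stack = set(), [name]
    while stack:
        r = stack.pop()
        if r not in seen:
            seen.add(r)
            stack.extend(roles[r].inherits if r in roles else ())
    return seen

def acl_allows(role_set, allowed):
    """An empty ACL is unrestricted; otherwise one of the caller's roles must be listed."""
    return not allowed or bool(role_set & allowed)

def rule_role_inheritance(app):  # rule (iii): role-to-role relationships
    out = []
    for r in app.roles.values():
        ancestors = effective_roles(app.roles, r.name) - {r.name}
        for p in sorted(ancestors & PRIVILEGED_ROLES):
            out.append(Finding("role_inheritance", "inherits-privileged",
                               f"role '{r.name}' derives permissions from '{p}'"))
        if any(r.name in effective_roles(app.roles, p) for p in r.inherits):
            out.append(Finding("role_inheritance", "inheritance-cycle",
                               f"role '{r.name}' is in an inheritance cycle"))
    return out

def rule_code_access(app):  # rule (i): role-to-code, including code that bridges to a table
    out = []
    for cu in app.code:
        if not cu.callable_by:
            out.append(Finding("code_access", "unrestricted-code",
                               f"'{cu.name}' can be run by any role"))
        for caller in sorted(cu.callable_by):
            eff = effective_roles(app.roles, caller)
            for t in sorted(cu.reads_tables):
                if t in app.tables and not acl_allows(eff, app.tables[t].readers):
                    out.append(Finding("code_access", "indirect-table-access",
                                       f"'{cu.name}' lets '{caller}' read '{t}' it cannot read directly"))
    return out

def rule_table_access(app):  # rule (ii): role-to-table relationships
    return [Finding("table_access", "sensitive-unrestricted-read",
                    f"sensitive table '{t.name}' is readable by any role")
            for t in app.tables.values() if t.sensitive and not t.readers]

def scan(app, rules=(rule_role_inheritance, rule_code_access, rule_table_access)):
    """Apply every rule and return the findings grouped by category."""
    report = defaultdict(list)
    for rule in rules:
        for f in rule(app):
            report[f.category].append(f)
    return dict(report)

# Constructed sample application (not taken from the patent).
SAMPLE_APP = App(
    roles={"admin": Role("admin"), "itil": Role("itil"),
           "app_user": Role("app_user", inherits={"itil"}),
           "app_power": Role("app_power", inherits={"admin"})},  # silently becomes admin
    code=[CodeUnit("list_tickets", reads_tables={"x_app_ticket"}),
          CodeUnit("export_secrets", callable_by={"app_user"}, reads_tables={"x_app_secret"})],
    tables={"x_app_ticket": Table("x_app_ticket", readers={"itil"}),
            "x_app_secret": Table("x_app_secret", readers={"admin"}, sensitive=True),
            "x_app_audit": Table("x_app_audit", sensitive=True)},
)
```

scan(SAMPLE_APP) returns a dict keyed by category, which is the shape the claims give for the categorized list sent back to the client: app_power is flagged for deriving its permissions from admin, list_tickets for having no role restriction, export_secrets for letting app_user reach a table it cannot read directly, and x_app_audit for being a sensitive table with no read restriction. A caveat the claims leave implicit: the scan request carries a password for the computational instance, so the scanner is itself a credentialed client of that instance; a practitioner would scope that credential to read-only retrieval of code, table and role metadata and make sure it is never echoed back in the GUI update.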
20 Claims
1. (Independent claim; reproduced in full above under First Claim.) Dependent claims: 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13.
14. A method comprising:
receiving, by a processor and from a graphical user interface displayed on a client device, a request to scan a particular application, wherein a remote network management platform includes a computational instance running in an environment having hardware resources configured to host the particular application, wherein the particular application is based on program code, uses one or more database tables, and defines at least two user roles with respect to accessing the program code and the one or more database tables, wherein a first user role of the at least two user roles and a second user role of the at least two user roles have different sets of access permissions to the program code and the one or more database tables, and wherein the request comprises an identifier of the computational instance, a password for access to the computational instance, and an identifier of the particular application;
in response to receiving the request to scan the particular application, retrieving, by the processor, the program code, the one or more database tables, and the at least two user roles from the computational instance based on the identifier of the computational instance, the password for access to the computational instance, and the identifier of the particular application;
conducting, by the processor, a static security scan of the program code, the one or more database tables, and the at least two user roles, wherein conducting the security scan comprises:
applying a set of rules that define security vulnerabilities that can be found in hosted applications on the remote network management platform, wherein the set of rules take into account (i) relationships between the at least two user roles and the program code, (ii) relationships between the at least two user roles and the one or more database tables, and (iii) relationships between the at least two user roles; and
identifying, as a security vulnerability, a relationship between the first user role and the second user role, wherein the relationship comprises the first user role deriving access permissions from the second user role; and
transmitting, by the processor and to the client device, an update to the graphical user interface, wherein the update contains a categorized list of observed security vulnerabilities of the particular application that were found by the static security scan.
Dependent claims: 15, 16, 17, 18, 19.
20. An article of manufacture including a non-transitory computer-readable medium, having stored thereon program instructions for a scanner application that, upon execution by a computing device, cause the computing device to perform operations comprising:
receiving, from a graphical user interface displayed on a client device, a request to scan a particular application, wherein a remote network management system includes a computational instance running in an environment having hardware resources configured to host the particular application, wherein the particular application is based on program code, uses one or more database tables, and defines at least two user roles with respect to accessing the program code and the one or more database tables, wherein a first user role of the at least two user roles and a second user role of the at least two user roles have different sets of access permissions to the program code and the one or more database tables, and wherein the request comprises an identifier of the computational instance, a password for access to the computational instance, and an identifier of the particular application;
in response to receiving the request to scan the particular application, retrieving the program code, the one or more database tables, and the at least two user roles from the computational instance based on the identifier of the computational instance, the password for access to the computational instance, and the identifier of the particular application;
conducting a static security scan of the program code, the one or more database tables, and the at least two user roles, wherein conducting the security scan comprises:
applying a set of rules that define security vulnerabilities that can be found in hosted applications on the remote network management system, wherein the set of rules take into account (i) relationships between the at least two user roles and the program code, (ii) relationships between the at least two user roles and the one or more database tables, and (iii) relationships between the at least two user roles; and
identifying, as a security vulnerability, a relationship between the first user role and the second user role, wherein the relationship comprises the first user role deriving access permissions from the second user role; and
transmitting, to the client device, an update to the graphical user interface, wherein the update contains a categorized list of observed security vulnerabilities of the particular application that were found by the static security scan.