SECURITY ENGINEERING AND THE APPLICATION LIFE CYCLE

US 20070162890A1
Filed: 05/11/2006
Published: 07/12/2007
Est. Priority Date: 12/29/2005
Status: Abandoned Application

First Claim

Patent Images

1. A system that facilitates security engineering of an application, comprising:

a security engineering component that includes a plurality of security engineering activities; and

a security integration component that integrates a subset of the plurality of security engineering activities into development of the application.

View all claims

2 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A novel approach to security engineering that leverages expertise to enable a user to design, build and deploy secure applications is disclosed. In doing so, the innovation discloses novel techniques and mechanisms that integrate security into the application development lifecycle and to adapt current software engineering practices and methodologies to include specific security related activities. These activities include identifying security objectives, creating threat models, applying secure design guidelines, patterns and principles, conducting security design inspections, performing regular code inspections, testing for security, and conducting deployment inspections to ensure secure configuration.

79 Citations

View as Search Results

20 Claims

1. A system that facilitates security engineering of an application, comprising:
- a security engineering component that includes a plurality of security engineering activities; and
  
  a security integration component that integrates a subset of the plurality of security engineering activities into development of the application.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12)
- - 2. The system of claim 1, the plurality of security engineering activities includes at least one of identifying security objectives, identifying threat models, applying secure design guidelines, conducting security design inspections, performing regular security code inspections, implementing security testing, and conducting security deployment inspections.
  - 3. The system of claim 1, the security integration component integrates the subset of the plurality of security engineering activities based upon a phase of the development of the application.
  - 4. The system of claim 3, the subset of the plurality of security engineering activities includes a security objectives identification activity and the phase is a requirements and analysis phase.
  - 5. The system of claim 3, the subset of the plurality of security engineering activities includes at least one of a security design guidelines activity, a threat modeling activity and a security architecture and design inspection activity and the phase is an architecture and design phase.
  - 6. The system of claim 3, the subset of the plurality of security engineering activities includes a security code inspection activity and the phase is a development phase.
  - 7. The system of claim 3, the subset of the plurality of security engineering activities includes a security testing activity and the phase is a testing phase.
  - 8. The system of claim 3, the subset of the plurality of security engineering activities includes a security deployment inspection activity and the phase is a deployment phase.
  - 9. The system of claim 1, the security integration component comprises a security objectives identification component that interfaces with a user to identify a plurality of security objectives.
  - 10. The system of claim 9, the security objectives identification component includes at least one of a tangible asset, an intangible asset, a compliance requirement and a quality of service requirement.
  - 11. The system of claim 9, the security objectives identification component comprises a security frame component that defines a set of security-related categories based upon a type of the application.
  - 12. The system of claim 11, the set of security-related categories comprises at least one of shares, services, accounts, auditing and logging, files and directory registry, patches and updates, protocols and ports.

13. A computer-implemented method of engineering an application, comprising:
- identifying a category;
  
  identifying a security objective based at least in part upon the category; and
  
  integrating a security engineering activity based at least in part upon the security objective.
- View Dependent Claims (14, 15, 16, 17, 18)
- - 14. The computer-implemented method of claim 13, further comprising establishing security design guidelines based at least in part upon the security objective.
  - 15. The computer-implemented method of claim 13 further comprising reviewing the application from an architectural and design security perspective.
  - 16. The computer-implemented method of claim 13, the act of identifying the security objective comprises:
    - identifying data to protect;
      
      identifying compliance requirements;
      
      identifying quality of service requirements; and
      
      identifying intangible assets to protect.
  - 17. The computer-implemented method of claim 13, further comprising identifying a threat based at least in part upon the objective.
  - 18. The computer-implemented method of claim 17, the act of identifying the threat comprises:
    - identifying at least one of a common threat and an attack;
      
      identifying the threat based at least in part upon a usage scenario; and
      
      identifying the threat based at least in part upon a data flow of the application.

19. A computer-executable system that facilitates security engineering of an application, comprising:
- means for identifying a usage scenario associated with the application;
  
  means for identifying a security objective based at least in part upon the usage scenario; and
  
  means for integrating security expertise into the application based at least in part upon the performance objective.
- View Dependent Claims (20)
- - 20. The computer-executable system of claim 19, the means for integrating a security objective comprises at least one of:
    - means for establishing security design guidelines;
      
      means for threat modeling;
      
      means for conducting a security design inspection;
      
      means for testing security; and
      
      means for conducting a security deployment inspection.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Microsoft Technology Licensing LLC (Microsoft Corporation)
Original Assignee
Microsoft Corporation
Inventors
Meier, John, Dunner, Michael, Wastell, Blaine, Vasireddy, Srinath

Application Number

US11/382,858
Publication Number

US 20070162890A1
Time in Patent Office

Days
Field of Search
US Class Current

717/100
CPC Class Codes

G06F 21/577 Assessing vulnerabilities a...

G06F 8/20 Software design

SECURITY ENGINEERING AND THE APPLICATION LIFE CYCLE

First Claim

2 Assignments

0 Petitions

Accused Products

Abstract

79 Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

SECURITY ENGINEERING AND THE APPLICATION LIFE CYCLE

First Claim

2 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

79 Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links