Web application security frame

US 20070199050A1
Filed: 02/14/2006
Published: 08/23/2007
Est. Priority Date: 02/14/2006
Status: Active Grant

First Claim

Patent Images

1. A system that facilitates security modeling of a web-based application, comprising:

a web application security model configuration component that facilitates identification of engineering expertise related to a threat modeling activity; and

a web application security frame component that incorporates the engineering expertise into a schema.

View all claims

2 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A web application security frame (e.g., schema) that can incorporate expertise into an engineering activity, for example, a threat modeling activity, is provided. The novel web application security frame component can be applied to a threat modeling component to converge knowledge into the activity by identifying categories, vulnerabilities, threats, attacks and countermeasures. The novel schema can create a common framework that converges knowledge with respect to any application engineering activity (e.g., threat modeling, performance modeling). Additionally, a context precision mechanism can be employed to automatically and/or dynamically determine a context of a web application environment. This context can be used to automatically generate an appropriate web application security frame component.

Citations

20 Claims

1. A system that facilitates security modeling of a web-based application, comprising:
- a web application security model configuration component that facilitates identification of engineering expertise related to a threat modeling activity; and
  
  a web application security frame component that incorporates the engineering expertise into a schema.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9)
- - 2. The system of claim 1, further comprising a security engineering component that executes the threat modeling activity based at least in part upon the schema.
  - 3. The system of claim 1, the engineering expertise comprises:
    - a category component;
      
      a vulnerability component;
      
      an attack component; and
      
      a countermeasure component.
  - 4. The system of claim 3, the category component is an input validation, the vulnerability is a non-validated input operation, the attack component is a cross-site scripting (XSS) operation and the countermeasure component is a constrain/reject/sanitize operation.
  - 5. The system of claim 3, the category component is at least one of an input validation system, an authentication system, an authorization system, a configuration management system, a sensitive data handling system, a session management system, a cryptography system, an exception management system and an auditing and logging system.
  - 6. The system of claim 1, further comprising a context precision component that establishes a context of the web-based application;
    - the web application security frame is based at least in part upon the context.
  - 7. The system of claim 4, the context defines a web application type.
  - 8. The system of claim 6, the web application type is an e-commerce web application.
  - 9. The system of claim 1, further comprising an artificial intelligence (AI) component that establishes the engineering expertise based at least in part upon a machine learning mechanism.

10. A computer-implemented method of executing a threat modeling activity of a web-based application, comprising:
- identifying a category component related to the threat modeling activity;
  
  identifying a vulnerability component related to the threat modeling activity;
  
  identifying an attack component related to the threat modeling activity;
  
  identifying a countermeasure component related to the threat modeling activity; and
  
  incorporating the category component, the vulnerability component, the attack component and the countermeasure component into a web application security frame.
- View Dependent Claims (11, 12, 13, 14)
- - 11. The computer-implemented method of claim 10, further comprising executing the threat modeling activity based at least in part upon the web application security frame.
  - 12. The computer-implemented method of claim 11, further comprising determining a context of the web-based application and identifying the vulnerability component, the attack component and the countermeasure component based at least in part upon the context.
  - 13. The computer-implemented method of claim 12, the context includes a web application type.
  - 14. The computer-implemented method of claim 11, the web application security frame defines at least one of an input validation system, an authentication system, an authorization system, a configuration management system, a session management system and an auditing and logging system.

15. A computer-executable system that facilitates security engineering of a web-based application, comprising:
- means for identifying a context of the web-based application;
  
  means for identifying a category component based at least in part upon the context;
  
  means for identifying a vulnerability component based at least in part upon the context;
  
  means for identifying an attack component based at least in part upon the context;
  
  means for identifying a countermeasure component based at least in part upon the context; and
  
  means for incorporating the category component, the vulnerability component, the attack component and the countermeasure component into a web-based application security schema.
- View Dependent Claims (16, 17, 18, 19, 20)
- - 16. The computer-executable system of claim 15, further comprising means for performing a security engineering activity based at least in part upon the web-based application security schema.
  - 17. The computer-executable system of claim 16, the means for identifying the context is a context precision component.
  - 18. The computer-executable system of claim 17, the context is a web application type.
  - 19. The computer-executable system of claim 18, the security engineering activity is a threat modeling activity.
  - 20. The computer-executable system of claim 19, further comprising means for inferring a user preference based at least in part upon the category component.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Microsoft Technology Licensing LLC (Microsoft Corporation)
Original Assignee
Microsoft Corporation
Inventors
Meier, John

Granted Patent

US 7,818,788 B2
Time in Patent Office

Days
Field of Search
US Class Current

726/4
CPC Class Codes

G06F 21/577   Assessing vulnerabilities a...

G06F 2221/2105   Dual mode as a secondary as...

H04L 63/14   for detecting or protecting...

H04L 67/02   based on web technology, e....

Web application security frame

First Claim

2 Assignments

0 Petitions

Accused Products

Abstract

Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

Web application security frame

First Claim

2 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links