ASSESSMENT AND ANALYSIS OF SOFTWARE SECURITY FLAWS

US 20080209567A1
Filed: 02/15/2008
Published: 08/28/2008
Est. Priority Date: 02/16/2007
Status: Active Grant

First Claim

Patent Images

1. A method for assessing vulnerabilities of software applications, the method comprising:

providing a plurality of software assessment testing engines, each configured to perform vulnerability tests on a software application;

receiving technical characteristics of the software application;

receiving business context information relating to the software application;

determining a preferred assurance level for the software application based at least in part on the technical characteristics and business context information; and

defining a vulnerability test plan for the software application based on the preferred assurance level, wherein the vulnerability test plan comprises one or more of the vulnerability tests.

View all claims

6 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Security assessment and vulnerability testing of software applications is performed based at least in part on application metadata in order to determine an appropriate assurance level and associated test plan that includes multiple types of analysis. Steps from each test are combined into a “custom” or “application-specific” workflow, and the results of each test may then be correlated with other results to identify potential vulnerabilities and/or faults.

183 Citations

22 Claims

1. A method for assessing vulnerabilities of software applications, the method comprising:
- providing a plurality of software assessment testing engines, each configured to perform vulnerability tests on a software application;
  
  receiving technical characteristics of the software application;
  
  receiving business context information relating to the software application;
  
  determining a preferred assurance level for the software application based at least in part on the technical characteristics and business context information; and
  
  defining a vulnerability test plan for the software application based on the preferred assurance level, wherein the vulnerability test plan comprises one or more of the vulnerability tests.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15)
- - 2. The method of claim 1 wherein the workflow module is further configured to execute the vulnerability test plan, thereby producing assessment test results.
  - 3. The method of claim 1 wherein the vulnerability test plan comprises two or more vulnerability tests, and further comprising:
    - performing the two or more vulnerability tests; and
      
      correlating the results of the two or more vulnerability tests to identify related faults in the software application.
  - 4. The method of claim 2 further comprising storing the results of the one or more vulnerability tests in a database.
  - 5. The method of claim 4 further comprising limiting access to portions of the vulnerability test results based on user authentication credentials.
  - 6. The method of claim 2 further comprising removing information used to identify the source of the software application from the vulnerability test results, thereby rendering the vulnerability test results anonymous.
  - 7. The method of claim 6 further comprising providing statistical analysis reports based on the anonymous vulnerability test results.
  - 8. The method of claim 2 further comprising encrypting portions of the vulnerability test results.
  - 9. The method of claim 2 further comprising applying a digital rights management process against the vulnerability test results, thereby limiting distribution and use of the test results to specified users.
  - 10. The method of claim 1 further comprising receiving application assessment input data prior to performing the vulnerability tests.
  - 11. The method of claim 10 further comprising applying a digital rights management process against the application assessment input data, thereby limiting distribution and use of the vulnerability test results to specified users.
  - 12. The method of claim 2 further comprising receiving a trigger event causing the execution of the vulnerability tests.
  - 13. The method of claim 8 further comprising receiving a request to transmit the encrypted vulnerability test results over a public network, and providing the encrypted assessment test results in response thereto.
  - 14. The method of claim 2 further comprising receiving a request to transmit the encrypted vulnerability test results over a private network, and providing the assessment test results in response thereto.
  - 15. The method of claim 1 wherein the technical characteristics of the software application comprise one or more of application source code, binary files, debug symbols, application data, uniform resource locators, user names or passwords.

16. A security assessment platform for assessing vulnerabilities of software applications, the platform comprising:
- a communications server for receiving technical characteristics of a software application and business context information relating to the software application;
  
  at least one testing engine for performing a plurality of vulnerability tests; and
  
  a testing workflow module for;
  
  defining an assurance level for the application based at least in part on the technical characteristics and business context information;
  
  defining a vulnerability test plan for the application based on the assurance level, the vulnerability test plan comprising two or more vulnerability tests to be performed by the testing engine;
  
  correlating the results of the two or more vulnerability tests to identify related faults in the application.
- View Dependent Claims (17, 18, 19, 20)
- - 17. The platform of claim 16 further comprising a database module for storing the results of the two or more vulnerability tests.
  - 18. The platform of claim 16 further comprising a benchmarking and reporting module for removing proprietary information from the results of the vulnerability tests and providing statistical reporting of the results of the vulnerability tests in comparison to other software applications.
  - 19. The platform of claim 16 wherein the testing workflow module further comprises an abstraction layer configured to communicate with the one or more testing engines.
  - 20. The platform of claim 17 further comprising a digital rights management engine for applying a digital rights management process against application assessment input data, thereby limiting distribution and use of the vulnerability test results to specified users.

21. A method for assessing the quality of a software application, the method comprising:
- receiving technical characteristics of a software application;
  
  receiving business context information relating to the software application;
  
  defining a vulnerability test plan for the software application based on the technical characteristics and business context information, the vulnerability test plan specifying a plurality of vulnerability tests;
  
  executing, on at least one software assessment testing engine, the vulnerability tests of the test plan;
  
  storing results of the vulnerability tests in a data storage device; and
  
  assessing a quality metric of the software application by comparing the results of the vulnerability tests with vulnerability test results performed on other software applications of known quality and having technical characteristics and business context information in common with the software application.
- View Dependent Claims (22)
- - 22. The method of claim 21 wherein the vulnerability tests performed on the other software applications include or consist of the vulnerability tests specified by the vulnerability test plan.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Veracode Incorporated (Broadcom, Inc.)
Original Assignee
Veracode Incorporated (Broadcom, Inc.)
Inventors
Simeonov, Simeon, Eng, Christopher J., Moynahan, Matthew P., Wysopal, Christopher J., Lockhart, Malcolm W.

Granted Patent

US 8,499,353 B2
Time in Patent Office

Days
Field of Search
US Class Current

726/25
CPC Class Codes

G06F 11/3612   by runtime analysis perform...

G06F 21/577   Assessing vulnerabilities a...

G06F 2221/033   Test or assess software

ASSESSMENT AND ANALYSIS OF SOFTWARE SECURITY FLAWS

First Claim

6 Assignments

0 Petitions

Accused Products

Abstract

183 Citations

22 Claims

Specification

Solutions

Use Cases

Quick Links

ASSESSMENT AND ANALYSIS OF SOFTWARE SECURITY FLAWS

First Claim

6 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

183 Citations

22 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links