Knowledge-Based and Collaborative System for Security Assessment of Web Applications

US 20090049553A1
Filed: 08/15/2007
Published: 02/19/2009
Est. Priority Date: 08/15/2007
Status: Active Grant

First Claim

Patent Images

1. A system for assessing web application security comprising:

a knowledge collection and representation component;

a knowledge presentation component; and

a knowledge integration component;

wherein the knowledge collection and representation component includesa component for organizing knowledge about threats and vulnerabilities to web applications into a standard format which relates said threats and vulnerabilities in a hierarchical manner; and

alsoa component which rates the vulnerabilities and threats according to a standard rating system.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A standardized system for assessing the security of web based applications which has a component for collecting information regarding threat and vulnerabilities to web applications is described. The system includes a component for organizing the information regarding threat and vulnerabilities to web applications into a uniform language so that the information is integrated throughout the entirety of the system. Further, the system has a component for expressing the information in a structured and uniform format of a hierarchical relationship between threat and vulnerabilities which includes threat vulnerability trees. The system includes a component for rating the threats and vulnerabilities under a uniform rating system. The system includes a component for integrating the information into both a storage component and also a presentation component for presenting the information. The presentation component presents the information in a graphical format which visually demonstrates the relationships between the threats and the vulnerabilities.

Citations

20 Claims

1. A system for assessing web application security comprising:
- a knowledge collection and representation component;
  
  a knowledge presentation component; and
  
  a knowledge integration component;
  
  wherein the knowledge collection and representation component includesa component for organizing knowledge about threats and vulnerabilities to web applications into a standard format which relates said threats and vulnerabilities in a hierarchical manner; and
  
  alsoa component which rates the vulnerabilities and threats according to a standard rating system.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 16)
- - 2. The system of claim 1, wherein the knowledge is incorporated on a computer readable medium.
  - 3. The system of claim 1, wherein said standard format for relating threats and vulnerabilities is a threat-vulnerability tree which includes a root node and at least one other node which represent the threats or vulnerabilities.
  - 4. The system of claim 3, wherein the threat-vulnerability tree is created with a computer language specifically designed to describe the threat and vulnerabilities and their relationships so that the threat and vulnerabilities are referred to in a consistent manner throughout the system.
  - 5. The system of claim 4, wherein the system contains a plurality of threat vulnerability trees which may be incorporated together via the knowledge integration component of the system.
  - 6. The system of claim 1, wherein the system incorporates a uniform standard for scoring and rating vulnerabilities and threats.
  - 7. The system of claim 1, wherein the knowledge integration component includes a repository for storing the knowledge organized by the knowledge collection and representation component and wherein the knowledge integration component integrates the knowledge to link the knowledge together with other knowledge in the repository.
  - 8. The system of claim 7, wherein the knowledge integration component integrates the knowledge of the knowledge collection and representation component with the knowledge presentation component.
  - 9. The system of claim 8, wherein the knowledge presentation component presents the information of the knowledge collection and representation component in a graphical format.
  - 10. The system of claim 9, wherein the knowledge presentation component includes a web based system for presenting results of the system.
  - 11. The system of claim 10, wherein the web based system is interactive and allows a user to provide feedback to the system.
  - 12. The system of claim 8, wherein the knowledge integration component integrates a threat vulnerability tree of the knowledge collection and representation component into a graphical embodiment of the threat vulnerability tree so that the graphical embodiment of the threat vulnerability tree is presented via the knowledge presentation component.
  - 16. The method of claim 12, wherein a web based tool presents the threat vulnerability tree in a graphical format to graphically demonstrate the relationships between threats and vulnerabilities.

13. A method of assessing web application security comprising:
- collecting knowledge about web application security including information regarding threats and vulnerabilities of web applications;
  
  determining whether the knowledge is qualified;
  
  discarding knowledge that is not qualified;
  
  organizing the qualified knowledge into a structured format such that relationships of the threats and vulnerabilities are described in a hierarchical manner;
  
  assigning a rating to each of the threats and vulnerabilities based on a uniform rating system;
  
  integrating the organized knowledge into a presentation system; and
  
  presenting the knowledge to users to assess security of web applications.
- View Dependent Claims (14, 15)
- - 14. The method of claim 13, wherein organizing the knowledge into a structured format includes organizing the knowledge into a threat-vulnerability tree.
  - 15. The method of claim 13, wherein presenting the knowledge includes presenting knowledge with a web based tool.

17. A standardized system for assessing security of web based applications comprising:
- a component configured to collect information regarding threats and vulnerabilities to web applications from several different sources including experts in different fields and to collect information into a database;
  
  a component for organizing the information regarding threats and vulnerabilities to web applications into a uniform language;
  
  a component for expressing the information in a structured and uniform format of a hierarchical relationship between threats and vulnerabilities which includes threat vulnerability trees;
  
  a component for rating the threats and vulnerabilities under a uniform rating system;
  
  a component for integrating the information into both a storage component for storing the information and also a presentation component for presenting the information;
  
  wherein the storage component links the information with other information in the system including other threat vulnerability trees and documents which include further information about threats, vulnerabilities or suggestions for avoiding threats or vulnerabilities,wherein the presentation component presents the information in a graphical format to demonstrate the relationships between the threats and the vulnerabilities.
- View Dependent Claims (18, 19, 20)
- - 18. The system of claim 17, wherein the component for knowledge presentation is interactive and allows for feedback from a user to maintain the system with current information.
  - 19. The system of claim 17, wherein the component for knowledge presentation is web based and includes links for accessing other information in the system including information in other threat vulnerability trees and documents which include further information about threats, vulnerabilities or suggestions for avoiding threats or vulnerabilities.
  - 20. The system of claim 17, wherein the threat vulnerability trees contain root nodes, leaf nodes and sub-trees.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Bank of America Corp.
Original Assignee
Bank of America Corp.
Inventors
Vasudeva, Weimin

Granted Patent

US 8,099,787 B2
Time in Patent Office

Days
Field of Search
US Class Current

726/25
CPC Class Codes

G06F 21/577   Assessing vulnerabilities a...

G06F 2221/2119   Authenticating web pages, e...

H04L 63/1433   Vulnerability analysis

H04L 67/02   based on web technology, e....

Knowledge-Based and Collaborative System for Security Assessment of Web Applications

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

Knowledge-Based and Collaborative System for Security Assessment of Web Applications

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links