Method and Apparatus for Security Assessment of a Computing Platform

US 20090205047A1
Filed: 02/08/2008
Published: 08/13/2009
Est. Priority Date: 02/08/2008
Status: Active Grant

First Claim

Patent Images

1. A system for detecting security vulnerabilities in a computing platform, said computing platform comprising one or more front end components which provide services to other applications or users, and one or more back end components which supply required information to said one or more front end components to fulfill said services, said system comprising:

one or more first monitoring modules communicatively linked to said one or more front end components, and operatively configured to monitor said one or more front end components while communicating data with said one or more front end components;

one or more second monitoring modules communicatively linked to said one or more back end components, and operatively configured to monitor said one or more back end components while said one or more back end components supply required information to said one or more front end components;

wherein said one or more first monitoring modules communicate data with said one or more front end components and monitors the activities of said one or more front end components, while said one or more second monitoring modules monitor the activities of said one or more back end components; and

wherein the resulting activity information extracted may be combined to contribute to identification of one or more security vulnerabilities within said computing platform.

View all claims

2 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A system and method for automated security testing are disclosed. The disclosure provides for automated discovery of security vulnerabilities through the monitoring of activities that occur throughout the separate components of a computing platform during a testing session through a communications interface.

121 Citations

28 Claims

1. A system for detecting security vulnerabilities in a computing platform, said computing platform comprising one or more front end components which provide services to other applications or users, and one or more back end components which supply required information to said one or more front end components to fulfill said services, said system comprising:
- one or more first monitoring modules communicatively linked to said one or more front end components, and operatively configured to monitor said one or more front end components while communicating data with said one or more front end components;
  
  one or more second monitoring modules communicatively linked to said one or more back end components, and operatively configured to monitor said one or more back end components while said one or more back end components supply required information to said one or more front end components;
  
  wherein said one or more first monitoring modules communicate data with said one or more front end components and monitors the activities of said one or more front end components, while said one or more second monitoring modules monitor the activities of said one or more back end components; and
  
  wherein the resulting activity information extracted may be combined to contribute to identification of one or more security vulnerabilities within said computing platform.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11)
- - 2. The system as claimed in claim 1, wherein said resulting activity information is used to define a further testing of said computing platform to identify said one or more security vulnerabilities.
  - 3. The system as claimed in claim 1, wherein the one or more back end components supply additional services to one or more additional back end components in a multi-tier application.
  - 4. The system as claimed in claim 1, wherein said one or more first monitoring modules comprise a scanner for communicating data with said one or more front end components.
  - 5. The method of claim 1, wherein said one or more first monitoring modules receives pushed output data from said one or more first components while monitoring same.
  - 6. The method of claim 1, wherein said one or more first monitoring modules send data requests to and receive responses from said one or more front end components while monitoring same.
  - 7. The system as claimed in claim 1, wherein said one or more first monitoring modules and said one or more second monitoring modules are implemented via distinct computing platforms.
  - 8. The system as claimed in claim 1, wherein said one or more first monitoring modules and said one or more second monitoring modules are implemented via a common computing platform.
  - 9. The system as claimed in claim 1, wherein said one or more first monitoring modules interface with said one or more front end components via one or more front end communication protocols, whereas said one or more second monitoring modules interface with said one or more back end components via one or more application specific protocols.
  - 10. The system as claimed in claim 9, wherein said one or more front end communication protocols comprise a Hypertext Transfer Protocol (HTTP) for communicating data with said one or more front end components, and one or more of a File System Access protocol and a Network File System (NFS) protocol to monitor same.
  - 11. The system as claimed in claim 9, wherein said one or more application-specific protocols comprise one or more of an Open Database Connectivity (ODBC) protocol, a .NET protocol, and a Java Database Connectivity (JDBC) Application Programming Interface (API) protocol.

12. A method of detecting security vulnerabilities in a computing platform, said computing platform comprising one or more front end components which provide services to other applications or users, and one or more back end components which supply required information to said one or more front end components to fulfill said services, said method comprising:
- connecting to said one or more front end components using one or more front end communication protocol connections;
  
  connecting to said one or more back end components using one or more application-specific protocol connections for communicating with an application;
  
  communicating data with said one or more front end components;
  
  monitoring activities of said one or more front end components while communicating said data;
  
  monitoring activities of said one or more back end components;
  
  extracting activity information from said one or more front end components and from said one or more back end components; and
  
  storing said activity information.
- View Dependent Claims (13, 14, 15, 16, 17, 18)
- - 13. The method of claim 12, wherein said communicating step comprises receiving pushed output data from said one or more first components.
  - 14. The method of claim 12, wherein said communicating step comprises sending data requests to and receiving responses from said one or more front end components.
  - 15. The method of claim 12, wherein said communicating step is implemented by one or more scanners communicatively linked to the one or more front end components.
  - 16. The method of claim 12, wherein said communicating step is implemented via a Hypertext Transfer Protocol (HTTP) connection and wherein the step of monitoring activities of said one or more front end components is implemented via one or more separate protocol connections.
  - 17. The method of claim 16, wherein said one or more separate protocol connections comprise one or more of a File System Access connection and a Network File System (NFS) connection.
  - 18. The method of claim 12, wherein said one or more application-specific protocol connections comprise one or more of an Open Database Connectivity (ODBC) connection, a .NET connection, and a Java Database Connectivity (JDBC) Application Programming Interface (API) connection.

19. A computer readable medium having recorded thereon statements and instructions for execution by a computer for detecting security vulnerabilities in a computing platform, the computing platform comprising one or more front end components which provide services to other applications or users, and one or more back end components which supply required information to the one or more front end components to fulfill the services, by carrying out the steps of:
- connecting to said one or more front end components;
  
  connecting to said one or more back end components;
  
  communicating data with said one or more front end components;
  
  monitoring activities of said one or more front end components while communicating data therewith;
  
  monitoring activities of said one or more back end components;
  
  extracting activity information from said one or more front end components and from said one or more back end components; and
  
  storing said activity information.
- View Dependent Claims (20, 21, 22, 23, 24, 25)
- - 20. The computer-readable medium of claim 19, wherein said communicating step is implemented by one or more scanners communicatively linked to the one or more front end components.
  - 21. The computer-readable medium of claim 19, wherein said communicating step is implemented via a Hypertext Transfer Protocol (HTTP) connection and wherein the step of monitoring activities of said one or more front end components is implemented via a separate protocol connection.
  - 22. The computer-readable medium of claim 19, wherein the step of monitoring activities of said one or more front end components is implemented via one or more of a File System Access protocol connection and a Network File System (NFS) protocol connection.
  - 23. The computer-readable medium of claim 19, wherein the step of monitoring activities of said one or more back end component is implemented via one or more application-specific protocol connections comprising one or more of an Open Database Connectivity (ODBC) connection, a .NET connection, and a Java Database Connectivity (JDBC) Application Programming Interface (API) connection.
  - 24. The computer-readable medium of claim 19, wherein said communicating step comprises receiving pushed output data from said one or more first components.
  - 25. The computer-readable medium of claim 19, wherein said communicating step comprises sending data requests to and receiving responses from said one or more front end components.

26. An apparatus for detecting security vulnerabilities in a computing platform, said computing platform comprising one or more front end components which provide services to other applications or users, and one or more back end components which supply required information to said one or more front end components to fulfill said services, said apparatus comprising:
- means for connecting to said one or more front end components;
  
  means for connecting to said one or more back end components;
  
  means for communicating data with said one or more front end components;
  
  means for monitoring activities of said one or more front end components while communicating therewith;
  
  means for monitoring activities of said one or more back end components;
  
  means for extracting activity information from said one or more front end components and from said one or more back end components; and
  
  means for storing said activity information.
- View Dependent Claims (27, 28)
- - 27. The apparatus of claim 26, wherein said communicating means comprises means for receiving pushed output data from said one or more first components.
  - 28. The apparatus of claim 26, wherein said communicating means comprises means sending data requests to and receiving responses from said one or more front end components.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
International Business Machines Corporation
Original Assignee
International Business Machines Corporation
Inventors
Podjarny, Guy

Granted Patent

US 8,650,651 B2
Time in Patent Office

Days
Field of Search
US Class Current

726/25
CPC Class Codes

G06F 21/577   Assessing vulnerabilities a...

G06F 2221/033   Test or assess software

H04L 63/1433   Vulnerability analysis

Method and Apparatus for Security Assessment of a Computing Platform

First Claim

2 Assignments

0 Petitions

Accused Products

Abstract

121 Citations

28 Claims

Specification

Solutions

Use Cases

Quick Links

Method and Apparatus for Security Assessment of a Computing Platform

First Claim

2 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

121 Citations

28 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links