System and Method for Managing Security Testing

US 20100154066A1
Filed: 02/25/2010
Published: 06/17/2010
Est. Priority Date: 09/09/2005
Status: Abandoned Application

First Claim

Patent Images

1. A method for managing computer security testing using data from plural sources, comprising the steps of:

(a) providing a database of computer security information, said database adapted to receive sets of data from plural computer security data sources;

(b) providing a computer-readable medium containing software for;

(1) receiving a first set of data from a first one of said plural sources, said first set of data containing information from at least one of a security task performed by said first source and a report of results from performing said security task by said first source;

(2) receiving a second set of data from a second one of said plural sources, said second set of data containing information from at least one of a security task performed by said second source and a report of results from performing said security task by said second source;

(3) preventing access, by a one of said plural sources, of data received in said security database from another of said plural sources;

(c) initiating a computer security test on a technology platform;

(d) receiving said first and second set of data;

(e) displaying information on a display device wherein said information is derived in part from at least one of said first and second sets of data; and

(f) managing the security vulnerability of the technology platform as a function of said information.

View all claims

0 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

The subject matter relates generally to a system and method for managing security testing. Particularly, this invention relates to maintaining a security database by correlating multiple sources of vulnerability data and also to managing security testing from plural vendors. This invention also relates to providing secure session tracking by performing plural authentications of a user.

12 Citations

View as Search Results

50 Claims

1. A method for managing computer security testing using data from plural sources, comprising the steps of:
- (a) providing a database of computer security information, said database adapted to receive sets of data from plural computer security data sources;
  
  (b) providing a computer-readable medium containing software for;
  
  (1) receiving a first set of data from a first one of said plural sources, said first set of data containing information from at least one of a security task performed by said first source and a report of results from performing said security task by said first source;
  
  (2) receiving a second set of data from a second one of said plural sources, said second set of data containing information from at least one of a security task performed by said second source and a report of results from performing said security task by said second source;
  
  (3) preventing access, by a one of said plural sources, of data received in said security database from another of said plural sources;
  
  (c) initiating a computer security test on a technology platform;
  
  (d) receiving said first and second set of data;
  
  (e) displaying information on a display device wherein said information is derived in part from at least one of said first and second sets of data; and
  
  (f) managing the security vulnerability of the technology platform as a function of said information.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16, 17, 18, 19, 20, 21, 22, 23, 24, 25)
- - 2. The method of claim 1 wherein said first source is a public data source.
  - 3. The method of claim 2 wherein said second source is a public data source.
  - 4. The method of claim 2 wherein said first source is the Open Source Vulnerability Database (“
    - OSVDB”
      
      ).
  - 5. The method of claim 2 wherein said first source is selected from the group consisting of Nessus, Common Vulnerability Exposures (“
    - CVE”
      
      ), AppScan, Burp Proxy, Nmap, Nikto, WebInspect, and WebScanner.
  - 6. The method of claim 1 wherein said database of security information includes data from the TSL Knowledgebase.
  - 7. The method of claim 1 wherein said technology platform is selected from the group consisting of:
    - computer, network, operating system, and software application.
  - 8. The method of claim 1 wherein said first set of data comprises at least one of the following fields of information:
    - a name of a security vulnerability, a description of the security vulnerability, and a recommendation for correcting the security vulnerability.
  - 9. The method of claim 8 wherein said first set of data comprises at least one of the following fields of information:
    - an assigned priority level for the security vulnerability and a categorization of the technology platform affected by the security vulnerability.
  - 10. The method of claim 1 wherein said second set of data comprises at least one of the following fields of information:
    - a name of a security vulnerability, a description of the security vulnerability, and a recommendation for correcting the security vulnerability.
  - 11. The method of claim 10 wherein said second set of data comprises at least one of the following fields of information:
    - an assigned priority level for the security vulnerability and a categorization of the technology platform affected by the security vulnerability.
  - 12. The method of claim 1 including the step of updating said database of computer security information with a third set of data.
  - 13. The method of claim 1 wherein said first set of data is obtained via a first network.
  - 14. The method of claim 13 wherein said first network is the internet.
  - 15. The method of claim 13 wherein said second set of data is obtained via a second network.
  - 16. The method of claim 15 wherein said second network is the internet.
  - 17. The method of claim 1 wherein said information includes a statistical analysis based in part on said first set of data.
  - 18. The method of claim 1 wherein said information includes a trend analysis based in part on said first set of data.
  - 19. The method of claim 1 wherein said information includes a comparative risk rating.
  - 20. The method of claim 1 wherein said information includes a risk comparison chart.
  - 21. The method of claim 1 wherein said information includes a security vulnerability frequency chart.
  - 22. The method of claim 1 wherein said information includes a list of most common security vulnerabilities.
  - 23. The method of claim 1 wherein said information includes a list of weighted security vulnerability impact chart.
  - 24. The method of claim 1 wherein said first set of data is obtained by said first source after performance of an operation selected from the group consisting of:
    - vulnerability scan, ethical hack, and web application security test.
  - 25. The method of claim 1 wherein said second set of data is obtained by said second source after performance of an operation selected from the group consisting of:
    - vulnerability scan, ethical hack, and web application security test.

26. An apparatus for managing computer security testing using data from plural sources, comprising:
- a database of computer security information, said database adapted to receive sets of data from plural computer security data sources;
  
  a processor programmed with instructions for;
  
  (1) receiving a first set of data from a first one of said plural sources, said first set of data containing information from at least one of a security task performed by said first source and a report of results from performing said security task by said first source;
  
  (2) receiving a second set of data from a second one of said plural sources, said second set of data containing information from at least one of a security task performed by said second source and a report of results from performing said security task by said second source;
  
  (3) preventing access, by a one of said plural sources, of data received in said security database from another of said plural sources;
  
  (4) initiating a computer security test on a technology platform upon receipt of a command from a user;
  
  (5) receiving said first and second set of data;
  
  (6) providing information that is derived in part from at least one of said first and second sets of data;
  
  a display device for displaying said information; and
  
  means for managing the security vulnerability of the technology platform as a function of said information.
- View Dependent Claims (27, 28, 29, 30, 31, 32, 33, 34, 35, 36, 37, 38, 39, 40, 41, 42, 43, 44, 45, 46, 47, 48, 49, 50)
- - 27. The apparatus of claim 26 wherein said first source is a public data source.
  - 28. The apparatus of claim 27 wherein said second source is a public data source.
  - 29. The apparatus of claim 27 wherein said first source is the Open Source Vulnerability Database (“
    - OSVDB”
      
      ).
  - 30. The apparatus of claim 27 wherein said first source is selected from the group consisting of:
    - Nessus, Common Vulnerability Exposures (“
      
      CVE”
      
      ), AppScan, Burp Proxy, Nmap, Nikto, WebInspect, and WebScanner.
  - 31. The apparatus of claim 26 wherein said database of security information includes data from the TSL Knowledgebase.
  - 32. The apparatus of claim 26 wherein said technology platform is selected from the group consisting of:
    - computer, network, operating system, and software application.
  - 33. The apparatus of claim 26 wherein said first set of data comprises at least one of the following fields of information:
    - a name of a security vulnerability, a description of the security vulnerability, and a recommendation for correcting the security vulnerability.
  - 34. The apparatus of claim 33 wherein said first set of data comprises at least one of the following fields of information:
    - an assigned priority level for the security vulnerability and a categorization of the technology platform affected by the security vulnerability.
  - 35. The apparatus of claim 26 wherein said second set of data comprises at least one of the following fields of information:
    - a name of a security vulnerability, a description of the security vulnerability, and a recommendation for correcting the security vulnerability.
  - 36. The apparatus of claim 35 wherein said second set of data comprises at least one of the following fields of information:
    - an assigned priority level for the security vulnerability and a categorization of the technology platform affected by the security vulnerability.
  - 37. The apparatus of claim 26 including means for updating said database of computer security information with a third set of data.
  - 38. The apparatus of claim 26 wherein said first set of data is obtained via a first network.
  - 39. The apparatus of claim 38 wherein said first network is the Internet.
  - 40. The apparatus of claim 38 wherein said second set of data is obtained via a second network.
  - 41. The apparatus of claim 40 wherein said second network is the internet.
  - 42. The apparatus of claim 26 wherein said information includes a statistical analysis based in part on said first set of data.
  - 43. The apparatus of claim 26 wherein said information includes a trend analysis based in part on said first set of data.
  - 44. The apparatus of claim 26 wherein said information includes a comparative risk rating.
  - 45. The apparatus of claim 26 wherein said information includes a risk comparison chart.
  - 46. The apparatus of claim 26 wherein said information includes a security vulnerability frequency chart.
  - 47. The apparatus of claim 26 wherein said information includes a list of most common security vulnerabilities.
  - 48. The apparatus of claim 26 wherein said information includes a list of weighted security vulnerability impact chart.
  - 49. The apparatus of claim 26 wherein said first set of data is obtained by said first source after performance of an operation selected from the group consisting of:
    - vulnerability scan, ethical hack, web application security test, and system security configuration assessment.
  - 50. The apparatus of claim 26 wherein said second set of data is obtained by said second source after performance of an operation selected from the group consisting of:
    - vulnerability scan, ethical hack, and web application security test.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Tekmark Global Solutions LLC
Original Assignee
Tekmark Global Solutions LLC
Inventors
Sahlberg, Jeremiah J.D., Brock, David W., Hammes, Peter C., McNeal, Robert A.

Application Number

US12/712,663
Publication Number

US 20100154066A1
Time in Patent Office

Days
Field of Search
US Class Current

726/30
CPC Class Codes

G06F 21/31   User authentication

G06F 21/577   Assessing vulnerabilities a...

H04L 9/3226   using a predetermined code,...

H04L 9/3236   using cryptographic hash fu...

System and Method for Managing Security Testing

First Claim

0 Assignments

0 Petitions

Accused Products

Abstract

12 Citations

50 Claims

Specification

Solutions

Use Cases

Quick Links

System and Method for Managing Security Testing

First Claim

0 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

12 Citations

50 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links