Method and System for Generating an Enforceable Security Policy Based on Application Sitemap

US 20120102541A1
Filed: 10/25/2010
Published: 04/26/2012
Est. Priority Date: 10/25/2010
Status: Active Grant

First Claim

Patent Images

1. A system for generating a security policy for protecting an application-layer entity, comprising:

a security sitemap generator for generating a security sitemap of a protected application-layer entity, the security sitemap is stored in a first repository connected to the security sitemap generator; and

a policy builder for generating a security policy for the application-layer entity based on the security sitemap, the security policy is stored in a second repository connected to the policy builder, wherein the security policy includes a plurality of enforcement rules for at least one of a resource, a group of resources, and a client-side input parameter of at least a portion of the protected application-layer entity.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A system for generating a security policy for protecting an application-layer entity. The system comprises a security sitemap generator for generating a security sitemap of a protected application-layer entity, the security sitemap is stored in a first repository connected to the security sitemap generator; and a policy builder for generating a security policy for the application-layer entity based on the security sitemap, the security policy is stored in a second repository connected to the policy builder, wherein the security policy includes a plurality of enforcement rules for at least one of a resource, a group of resources, and a client-side input parameter of at least a portion of the protected application-layer entity.

Citations

38 Claims

1. A system for generating a security policy for protecting an application-layer entity, comprising:
- a security sitemap generator for generating a security sitemap of a protected application-layer entity, the security sitemap is stored in a first repository connected to the security sitemap generator; and
  
  a policy builder for generating a security policy for the application-layer entity based on the security sitemap, the security policy is stored in a second repository connected to the policy builder, wherein the security policy includes a plurality of enforcement rules for at least one of a resource, a group of resources, and a client-side input parameter of at least a portion of the protected application-layer entity.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16, 17, 18)
- - 2. The system of claim 1, wherein the first repository is connected to the policy builder.
  - 3. The system of claim 2, wherein the second repository is connected to an application-level security system for enforcing the security policy.
  - 4. The system of claim 3, wherein the application-layer entity is at least one of:
    - a web application, a web service, and a service oriented architecture (SOA).
  - 5. The system of claim 1, wherein the security sitemap comprises at least a list of folders and their structure, resources, client-side input parameters and allowable client-side input parameters'"'"' values of the application-layer entity, mapping between the resources and the application folders, and mapping between the resources and the allowable client-side input parameters'"'"' values, wherein a client-side input parameter includes at least a form field, a query parameter, a path parameter, and a cookie.
  - 6. The system of claim 5, wherein contents of the security sitemap is generated for any one of:
    - different types of clients, different types of application users, different application roles, and different time durations.
  - 7. The system of claim 6, wherein the security sitemap generator comprises:
    - a crawler for generating and sending requests to a server executing the application-layer entity, the crawler further processes responses received from the server to generate subsequent requests responsive of the received responses;
      
      an analyzer for processing the requests provided by the crawler to produce the security sitemap; and
      
      the first repository for storing the security sitemap.
  - 8. The system of claim 7, wherein the crawler simulates requests for any one of:
    - different types of clients, different types of application users, different application roles, and different time durations.
  - 9. The system of claim 7, wherein the analyzer processes responses provided by the crawler to detect existence of a predefined rule matching content.
  - 10. The system of claim 7, wherein the analyzer processes the requests to determine at least:
    - a list of the application folders and their structure;
      
      mapping between application'"'"'s resources and the application folders;
      
      a list of allowable HTTP methods and resources associated with the HTTP methods; and
      
      the client-side input parameters and allowable client-side input parameters'"'"' values.
  - 11. The system of claim 10, wherein the crawler further generates multiple requests, each request includes a different value of a client-side input parameter having an unknown value.
  - 12. The system of claim 6, wherein the security sitemap generator comprises:
    - a sniffer for intercepting traffic flows between a crawler and a server executing the application-layer entity;
      
      an analyzer for processing requests in the intercepted traffic flows for producing the security sitemap; and
      
      the first repository for storing the security sitemap.
  - 13. The system of claim 12, wherein the crawler processes responses received from the server to generate subsequent requests responsive of the received responses.
  - 14. The system of claim 13, wherein the analyzer processes the requests to determine at least:
    - a list of the application folders and their structure;
      
      mapping between application'"'"'s resources and folders;
      
      a list of allowable HTTP methods and resources associated with the HTTP methods;
      
      client-side input parameters and allowable client-side input parameters'"'"' values; and
      
      the analyzer processes responses provided by the crawler to detect existence of a predefined rule matching content.
  - 15. The system of claim 6, wherein the security sitemap generator comprises:
    - a parser for parsing a log file of a server executing the application-layer entity, wherein the log file includes an entry for each client request processed by the server;
      
      an analyzer for processing the parsed information for producing the security sitemap; and
      
      the first repository for storing the security sitemap.
  - 16. The system of claim 6, wherein the security sitemap generator comprises:
    - a file system crawler having access to the application files, wherein the application files reside in the server executing the application-layer entity, wherein the file system crawler provides at least a list of resources of the application-layer entity, client-side input parameters and allowable client-side input parameters'"'"' values of the application-layer entity, mapping between the resources and the application folders, and mapping between the resources and the allowable client-side input parameters'"'"' values, wherein a client-side input parameter includes at least a form field, a query parameter, a path parameter, and a cookie;
      
      a parser for parsing the list of resources provided by the file system crawler;
      
      an analyzer for processing the parsed information for producing the security sitemap; and
      
      the first repository for storing the security sitemap.
  - 17. The system of claim 1, wherein the policy builder further comprises:
    - a parser for parsing the security sitemap to determine resources contain therein;
      
      a policy analyzer for processing the parsed information to define the plurality of enforcement rules; and
      
      a rule builder for generating for each defined rule a rule in format compliance with an application layer security system.
  - 18. The system of claim 17, wherein the plurality of enforcement rules are defined for any one of:
    - different types of clients, different types of application users, different application roles, and different time durations.

19. A method for generating a security policy for protecting an application-layer entity, comprising:
- generating a security sitemap of a protected application-layer entity;
  
  storing the security sitemap in a first repository;
  
  generating a security policy for the application-layer entity based on the security sitemap, the security policy includes, in part, a plurality of enforcement rules for at least one of a resource, a group of resources, and a client-side input parameter of at least a portion of the protected application-layer entity; and
  
  providing the security policy to an application layer security system for enforcement of the security policy.
- View Dependent Claims (20, 21, 22, 23, 24, 25, 26, 27, 28, 29, 30, 31, 37)
- - 20. The method of claim 19, wherein the application-layer entity is at least one of:
    - a web application, a web service, and a service oriented architecture (SOA).
  - 21. The method of claim 19, wherein the security sitemap comprises at least a list of folders and their structure, resources, client-side input parameters, and allowable client-side input parameters'"'"' values of the application-layer entity, mapping between the resources to the folders, mapping between the resources and the allowable client-side input parameters'"'"' values, wherein a client-side input parameter includes at least one of a form field, a query parameter, a path parameter, and a cookie.
  - 22. The method of claim 21, further comprises:
    - generating the security policy for any one of;
      
      different types of clients, different types of application users, different user roles, and different time durations.
  - 23. The method of claim 22, wherein generating the security sitemap further comprises:
    - sending requests to a server executing the application-layer entity;
      
      processing responses received from the server to generate subsequent requests responsive of the received response; and
      
      processing the requests to produce the security sitemap.
  - 24. The method of claim 23, further comprises simulating requests for any one of:
    - different types of clients, different types of application users, different application roles, different time durations, and different values for client-side input parameters having unknown values.
  - 25. The method of claim 23, wherein processing the requests further comprising:
    - analyzing the requests to determine at least;
      
      a list of the application folders and their structure;
      
      mapping between an application'"'"'s resources and the application folders;
      
      a list of allowable HTTP methods and resources associated with such methods; and
      
      the input parameters and allowable input parameters'"'"' values.
  - 26. The method of claim 25, further comprises intercepting traffic flows from and to the server.
  - 27. The method of claim 25, further comprises:
    - parsing a log file of a server executing the application-layer entity, wherein the log file includes an entry for each client request processed by the server.
  - 28. The method of claim 25, further comprises:
    - crawling a file system of the server to populate at least a list of resources of the application-layer entity.
  - 29. The method of claim 19, wherein generating the security policy further comprises:
    - parsing the security sitemap to determine resources contain therein;
      
      processing the parsed information to define the plurality of enforcement rules; and
      
      generating for each defined rule a rule in format compliance with the application layer security system.
  - 30. The method of claim 29, wherein the plurality of compliance rules are defined for any one of:
    - different types of clients, different types of application users, different application roles, and different time durations.
  - 31. A non-transitory computer readable medium having stored thereon instructions for causing one or more processing units to execute the method according to claim 19.
  - 37. The system of claim 26, wherein the crawler is a file system crawler installed in the server executing the application-layer entity, wherein the file system crawler provides at least a list of resources of the application-layer entity.

32. A system for generating a security sitemap of an application-layer entity comprising:
- a crawler for generating and sending requests to a server executing the application-layer entity, the crawler further processes responses received from the server to generate subsequent requests responsive of the received responses;
  
  an analyzer for processing the requests to produce the security sitemap; and
  
  a first repository for storing the security sitemap.
- View Dependent Claims (33, 34, 35, 36)
- - 33. The system of claim 32, wherein the crawler simulates requests for any one of:
    - different types of clients, different types of application users, different application roles, and different time durations, and different values of a client-side input parameter having an unknown value.
  - 34. The system of claim 32, wherein the analyzer processes responses provided by the crawler to detect existence of a predefined rule matching content.
  - 35. The system of claim 32, wherein the analyzer processes the requests to determine at least:
    - a list of the application folders and their structure;
      
      mapping between application'"'"'s resources and the application folders;
      
      a list of allowable HTTP methods and resources associated with HTTP methods; and
      
      the client-side input parameters and allowable input parameters'"'"' values.
  - 36. The system of claim 32, wherein the crawler communicates with the server through a network and traffic flows between the crawler and the server are intercepted by a sniffer.

38. A system for generating a security sitemap of an application-layer entity comprising:
- a file system crawler installed in a server executing the application-layer entity, wherein the file system crawler parses file system files and provides at least one of a list of resources, client-side input parameters, and allowable client-side input parameters'"'"' values of the application-layer entity;
  
  a parser for parsing the list of resources provided by the file system crawler;
  
  an analyzer for processing the parsed information for producing the security sitemap; and
  
  a first repository for storing the security sitemap.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Radware Limited
Original Assignee
Radware Limited
Inventors
Zisapel, Roy, Groskop, Michael

Granted Patent

US 9,336,396 B2
Time in Patent Office

Days
Field of Search
US Class Current

726/1
CPC Class Codes

G06F 21/577   Assessing vulnerabilities a...

G06F 2221/2141   Access rights, e.g. capabil...

H04L 63/0236   Filtering by address, proto...

H04L 63/0263   Rule management

H04L 63/1433   Vulnerability analysis

Method and System for Generating an Enforceable Security Policy Based on Application Sitemap

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

Citations

38 Claims

Specification

Solutions

Use Cases

Quick Links

Method and System for Generating an Enforceable Security Policy Based on Application Sitemap

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

38 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links