METHOD AND SYSTEM FOR IMPROVING SECURITY AND RELIABILITY IN A NETWORKED APPLICATION ENVIRONMENT

US 20130276089A1
Filed: 04/12/2012
Published: 10/17/2013
Est. Priority Date: 04/12/2012
Status: Active Grant

First Claim

Patent Images

1. A computer-implemented method for managing a distributed computing architecture, the method comprising:

discovering a resource within the distributed computing architecture;

determining a classification for the resource based on one or more classification criteria;

determining whether the classification corresponds to a record within a database; and

if the classification corresponds to a record within the database, then incrementing a counter associated with the record;

orif the classification does not correspond to a record within the database, theninitializing another record within the database that corresponds to the classification; and

initializing another counter associated with the another record.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A security application manages security and reliability of networked applications executing collection of interacting computing elements within a distributed computing architecture. The security application monitors various classes of resources utilized by the collection of nodes within the distributed computing architecture and determine whether utilization of a class of resources is approaching a pre-determined maximum limit. The security application performs a vulnerability scan of a networked application to determine whether the networked application is prone to a risk of intentional or inadvertent breach by an external application. The security application scans a distributed computing architecture for the existence of access control lists (ACLs), and stores ACL configurations and configuration changes in a database. The security application scans a distributed computing architecture for the existence of security certificates, places newly discovered security certificates in a database, and deletes outdated security certificates. Advantageously, security and reliability are improved in a distributed computing architecture.

Citations

25 Claims

1. A computer-implemented method for managing a distributed computing architecture, the method comprising:
- discovering a resource within the distributed computing architecture;
  
  determining a classification for the resource based on one or more classification criteria;
  
  determining whether the classification corresponds to a record within a database; and
  
  if the classification corresponds to a record within the database, then incrementing a counter associated with the record;
  
  orif the classification does not correspond to a record within the database, theninitializing another record within the database that corresponds to the classification; and
  
  initializing another counter associated with the another record.
- View Dependent Claims (2, 3, 4, 5)
- - 2. The method of claim 1, wherein the resource comprises an instance of a software application executing within the distributed computing architecture.
  - 3. The method of claim 1, further comprising notifying a system administrator when the classification does not correspond to a record within the database.
  - 4. The method of claim 1, further comprising retrieving a threshold value associated with the record;
    - and notifying a user when the first counter exceeds the threshold value.
  - 5. The method of claim 4, wherein the threshold value comprises a percentage of a maximum limit.

6. A computer-implemented method for managing a distributed computing architecture, the method comprising:
- scanning a networked application within the distributed computing architecture for a security vulnerability;
  
  in response, detecting a first security vulnerability;
  
  comparing the first security vulnerability against a database that includes a listing of previously-discovered security vulnerabilities; and
  
  if the first security vulnerability is not listed within the database, theninitializing a record within the database that corresponds to the first security vulnerability;
  
  orif the first security vulnerability is listed within the database, thenupdating the record within the database that corresponds to the first security vulnerability to indicate that the first security vulnerability was detected.
- View Dependent Claims (7, 8, 9, 10)
- - 7. The method of claim 6, wherein the database includes an issue tracking system that is configured to track whether or not one or more security vulnerabilities have been resolved.
  - 8. The method of claim 6, further comprising notifying a system administrator when the record corresponding to the first security vulnerability is initialized.
  - 9. The method of claim 6, wherein updating the record within the database further comprises determining that the vulnerability is marked as being resolved;
    - and notifying a system administrator that the first security vulnerability was detected.
  - 10. The method of claim 6, wherein scanning the networked application further comprises notifying a system administrator that the distributed computing architecture is being scanned for security vulnerabilities.

11. A computer-implemented method for managing a distributed computing architecture, the method comprising:
- discovering an access control list (ACL) within the distributed computing architecture;
  
  determining whether the ACL corresponds to a first record within a database; and
  
  if the ACL corresponds to a record within the database, thendetermining that a configuration of the ACL differs from a configuration of the record; and
  
  initializing another record within the database that corresponds to the record and has the configuration of the ACL;
  
  orif the ACL does not correspond to a first record within the database, theninitializing another record within the database that corresponds to the ACL and has the configuration of the ACL.
- View Dependent Claims (12, 13, 14, 15, 16)
- - 12. The method of claim 11, wherein the ACL comprises a security group that includes one or more source objects, one or more ports, and one or more destination objects.
  - 13. The method of claim 12, wherein the one or more source objects are identifiable via an internet protocol (IP) address.
  - 14. The method of claim 12, wherein the one or more source objects are identifiable based on the one or more source objects being members of the ACL.
  - 15. The method of claim 12, further comprising computing an exposure metric for the ACL based on a quantity of source objects, a quantity of ports, and a quantity of destination objects associated with the ACL.
  - 16. The method of claim 11, further comprising computing the number of instances of a software application that execute within the ACL.

17. A computer-implemented method for managing a distributed computing architecture, the method comprising:
- discovering a first security certificate within the distributed computing architecture that includes a first identifying label and an expiration date;
  
  comparing the first security certificate with a plurality of security certificates that resides within a storage repository;
  
  determining that the first security certificate corresponds to a second security certificate that resides within the storage repository;
  
  deleting the second security certificate from the storage repository; and
  
  storing the first security certificate within the storage repository.
- View Dependent Claims (18, 19, 20, 21, 22, 23, 24, 25)
- - 18. The method of claim 17, wherein the first security certificate complies with a secure sockets layer (SSL) cryptographic protocol.
  - 19. The method of claim 17, wherein determining that the first security certificate corresponds to a second security certificate comprises determining that an identifying label associated with the first security certificate is equivalent to an identifying label associated with the second security certificate.
  - 20. The method of claim 17, wherein discovering a first security certificate comprises accessing a network addresses on a port utilizing hypertext transfer protocol secure (HTTPS);
    - and receiving a security certificate from the network address.
  - 21. The method of claim 20, wherein the one or more network addresses are associated with an elastic load balancing system configured to distribute network traffic related to a software application across multiple instances of the software application.
  - 22. The method of claim 17, wherein discovering a first security certificate comprises scanning a file folder including one or more security certificates, and wherein the one or more security certificates are associated with one or more versions of a software application within a source code control system.
  - 23. The method of claim 17, wherein discovering a first security certificate comprises scanning the contents of one or more web pages, and wherein a security certificate a corresponding to the one or more web pages is received from a server.
  - 24. The method of claim 17, further comprising scanning the plurality of security certificates residing within the storage repository, and notifying a system administrator with respect to each security certificate that has an expiration date on or before a threshold date.
  - 25. The method of claim 17, further comprising scanning the plurality of security certificates residing within the storage repository, and deleting any security certificate that has not been updated within a predetermined amount of time.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Netflix, Inc.
Original Assignee
Netflix, Inc.
Inventors
Tseitlin, Ariel, Rapoport, Roy, Chan, Jason

Granted Patent

US 9,027,141 B2
Time in Patent Office

Days
Field of Search
US Class Current

726/10
CPC Class Codes

G06F 11/302   where the computing system ...

G06F 11/3051   Monitoring arrangements for...

G06F 16/285   Clustering or classification

G06F 21/00   Security arrangements for p...

G06F 21/45   Structures or tools for the...

G06F 21/577   Assessing vulnerabilities a...

G06F 21/604   Tools and structures for ma...

G06F 2209/504   Resource capping

G06F 2221/034   Test or assess a computer o...

G06F 2221/2141   Access rights, e.g. capabil...

G06F 9/50   Allocation of resources, e....

H04L 2463/121   Timestamp

H04L 41/12   Discovery or management of ...

H04L 43/16   Threshold monitoring

H04L 63/0823   using certificates cryptogr...

H04L 63/101   Access control lists [ACL]

H04L 63/1408   by monitoring network traff...

H04L 63/1433   Vulnerability analysis

H04L 67/10   in which an application is ...

H04L 9/3268   using certificate validatio...

Y02D 10/00 : Energy efficient computing,...

View All

METHOD AND SYSTEM FOR IMPROVING SECURITY AND RELIABILITY IN A NETWORKED APPLICATION ENVIRONMENT

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

Citations

25 Claims

Specification

Solutions

Use Cases

Quick Links

METHOD AND SYSTEM FOR IMPROVING SECURITY AND RELIABILITY IN A NETWORKED APPLICATION ENVIRONMENT

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

25 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links