SYSTEM AND METHOD FOR PROVIDING APPLICATION SECURITY IN A CLOUD COMPUTING ENVIRONMENT
First Claim
1. A system for providing application deployment security in a cloud computing or other environment, comprising:
- one or more computers, including a cloud computing or other environment which enables compilation and deployment of software applications to run within the environment;
- a plurality of hot-spot configurations, wherein each hot-spot configuration defines an API usage that is of interest to be monitored, and can associate a particular action with that API usage; and
- an application compiler, which receives a user application to be deployed to the environment, wherein the user application includes one or more of the API usages expressed as method invocations within the source code of the user application, determines, for the API usages, one or more matching hot-spot configurations and associated policies and actions, and injects the user application during compilation to create an application runtime including a corresponding instrumented code and a security manager glue code that, during execution of the user application, monitors the method invocations and values that are invoked, for use in granting or denying access.
Abstract
In accordance with an embodiment, described herein is a system and method for providing application security in a cloud computing or other environment. A plurality of hot-spot configurations define API usages which, for security reasons, are of interest to be monitored at runtime, such as invocations of particular methods that are likely to be used to attempt unauthorized access. Upon a user application being received for deployment to the cloud environment, an application compiler determines, for API usages expressed as method invocations within the source code of the application, one or more hot-spot configurations and associated policies or actions. The application compiler can then inject the user application to provide a security manager that, during runtime, monitors the methods and values invoked, and communicates with one or more security extensions to grant or deny access.
18 Claims
1. (Independent claim; text as given above under First Claim.) Dependent claims: 2, 3, 4, 5, 6.

7. A method of providing application deployment security in a cloud computing or other environment, comprising:
- providing one or more computers, including a cloud computing or other environment which enables compilation and deployment of software applications to run within the environment;
- providing a plurality of hot-spot configurations, wherein each hot-spot configuration defines an API usage that is of interest to be monitored, and can associate a particular action with that API usage; and
- compiling a user application, to be deployed to the environment, including receiving the user application to be deployed to the environment, wherein the user application includes one or more of the API usages expressed as method invocations within the source code of the user application, determining, for the API usages, one or more matching hot-spot configurations and associated policies and actions, and injecting the user application during compilation to create an application runtime including a corresponding instrumented code and a security manager glue code that, during execution of the user application, monitors the method invocations and values that are invoked, for use in granting or denying access.
Dependent claims: 8, 9, 10, 11, 12.

13. A non-transitory computer readable storage medium, including instructions stored thereon which when read and executed by one or more computers cause the one or more computers to perform the steps comprising:
- providing, at one or more computers, a cloud computing or other environment which enables compilation and deployment of software applications to run within the environment;
- providing a plurality of hot-spot configurations, wherein each hot-spot configuration defines an API usage that is of interest to be monitored, and can associate a particular action with that API usage; and
- compiling a user application, to be deployed to the environment, including receiving the user application, wherein the user application includes one or more API usages expressed as method invocations within the source code of the user application, determining, for the API usages expressed as method invocations within the source code, one or more matching hot-spot configurations and associated policies and actions, and injecting the user application during compilation to create an application runtime which includes a corresponding instrumented code and a security manager glue code that, during execution of the user application, monitors methods and values that are invoked, and grants or denies access.
Dependent claims: 14, 15, 16, 17, 18.
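The following Python sketch is an added illustration of the architecture the abstract and claims describe; it is not code from the patent or its assignee. A table of hot-spot configurations maps an API usage (a dotted method name as written in the source) to an action; a miniature "application compiler", built on Python's standard `ast` module, finds matching method invocations in a user application and injects glue code that routes each one through a security manager; at runtime the security manager records the invoked values and grants or denies the call. Every name here (`HotSpotConfig`, `SecurityManager`, the `__sm__` glue symbol, the sample user application and its policies) is an assumption made for this example, and the sample user application is constructed.

```python
import ast
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Tuple


class AccessDenied(PermissionError):
    """Raised by the security manager when a hot-spot policy denies a call."""


@dataclass
class HotSpotConfig:
    """One hot-spot configuration: an API usage of interest and its action (assumed shape)."""
    api: str                                      # dotted method name as it appears in source
    action: str                                   # "deny", "check" (policy decides) or "monitor"
    policy: Optional[Callable[..., bool]] = None  # receives the invoked values when action == "check"


class SecurityManager:
    """Runtime side: reached only through the glue code the compiler injects."""

    def __init__(self, configs: List[HotSpotConfig]):
        self.configs: Dict[str, HotSpotConfig] = {c.api: c for c in configs}
        self.audit: List[Tuple[str, tuple, str]] = []   # (api, positional values, decision)

    def invoke(self, api: str, target: Callable, *args, **kwargs):
        cfg = self.configs[api]
        if cfg.action == "deny":
            decision = "deny"
        elif cfg.action == "check":
            decision = "allow" if cfg.policy(*args, **kwargs) else "deny"
        else:
            decision = "allow"                         # "monitor": record only
        self.audit.append((api, args, decision))
        if decision == "deny":
            raise AccessDenied(f"{api}{args!r} denied by hot-spot policy")
        return target(*args, **kwargs)                 # the original call proceeds


def dotted_name(node: ast.AST) -> Optional[str]:
    """Render a call target such as os.system as 'os.system'; None if it is not a plain name chain."""
    if isinstance(node, ast.Name):
        return node.id
    if isinstance(node, ast.Attribute):
        base = dotted_name(node.value)
        return f"{base}.{node.attr}" if base else None
    return None


class HotSpotInjector(ast.NodeTransformer):
    """Compile-time step: rewrite f(a, b) into __sm__.invoke('f', f, a, b) for matching APIs."""

    def __init__(self, apis):
        self.apis = set(apis)
        self.injected: List[str] = []             # APIs instrumented, in source order

    def visit_Call(self, node: ast.Call) -> ast.AST:
        self.generic_visit(node)                  # instrument nested calls first
        api = dotted_name(node.func)
        if api is None or api not in self.apis:
            return node
        self.injected.append(api)
        glue = ast.Attribute(value=ast.Name(id="__sm__", ctx=ast.Load()),
                             attr="invoke", ctx=ast.Load())
        wrapped = ast.Call(func=glue,
                           args=[ast.Constant(value=api), node.func, *node.args],
                           keywords=node.keywords)
        return ast.copy_location(wrapped, node)


def compile_application(source: str, configs: List[HotSpotConfig]):
    """Parse the user application, inject glue code at hot spots, and return (code, injected APIs)."""
    injector = HotSpotInjector(c.api for c in configs)
    tree = ast.fix_missing_locations(injector.visit(ast.parse(source)))
    return compile(tree, "<user_app>", "exec"), injector.injected


def load_application(source: str, configs: List[HotSpotConfig]):
    """Build the application runtime: instrumented code plus the security manager it calls into."""
    manager = SecurityManager(configs)
    code, injected = compile_application(source, configs)
    namespace = {"__sm__": manager}
    exec(code, namespace)
    return namespace, manager, injected


# Constructed sample user application: three API usages a cloud operator might monitor.
USER_APP = '''\
import os

def read_config(path):
    with open(path) as f:
        return f.read()

def app_mode():
    return os.getenv("HOTSPOT_DEMO_MODE", "prod")

def run_tool(cmd):
    return os.system(cmd)
'''

# Constructed hot-spot configurations and policies (assumed for this example).
HOT_SPOTS = [
    HotSpotConfig("open", "check", policy=lambda path, *a, **k: str(path).startswith("/app/")),
    HotSpotConfig("os.getenv", "check",
                  policy=lambda name, *a, **k: name in {"HOTSPOT_DEMO_MODE", "HOTSPOT_DEMO_REGION"}),
    HotSpotConfig("os.system", "deny"),
]


def demo() -> dict:
    """Deploy the sample application and exercise each hot spot; returns the observable outcome."""
    ns, manager, injected = load_application(USER_APP, HOT_SPOTS)
    out = {"injected": injected, "mode": ns["app_mode"]()}
    for label, call in (("read", lambda: ns["read_config"]("/etc/passwd")),
                        ("run", lambda: ns["run_tool"]("id"))):
        try:
            call()
            out[label] = "allowed"
        except AccessDenied:
            out[label] = "denied"       # denied before the underlying call ever executes
    out["audit"] = [(api, decision) for api, _, decision in manager.audit]
    return out


if __name__ == "__main__":
    print(demo())
```

The decision is taken inside `invoke` before `target` runs, so a denied `os.system` never reaches the shell, and the audit list gives the defender the invoked values even for calls that were allowed. A real application compiler would do the same rewriting in the deployed language's compilation pipeline; the `ast` transformer stands in for that step here.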
Specification