Solution-Centric Reporting of Security Warnings
First Claim
1. A method of automated analysis on source files of a software system, comprising:
receiving sets of trace data each representing a potential security flaw in the software system, the trace data comprising a set of trace nodes;
analyzing the sets of trace data to identify overlapping trace nodes;
processing the overlapping trace nodes to identify a reduced set of common nodes representing one or more potential fix points for a security flaw; and
outputting a report identifying the one or more potential fix points for the security flaw, together with a recommendation for addressing the security flaw.
Abstract
A new paradigm for security analysis is provided by transitioning code analysis reporting from the problem space (the warnings themselves), to a solution space (potential solutions to the identified problems). Thus, instead of reporting raw findings to the user, the automated system as described here outputs proposed solutions to eliminate the defects identified in the security analysis. A consequence of this approach is that the report generated by the analysis tool is much more consumable, and thus much more actionable. Preferably, the report provides the user with one or more candidate location(s) at which to apply a fix to an identified security problem. These locations preferably are identified by processing overlapping nodes to identify one or more solution groupings that represent an API for a sanitization fix. The report also includes one or more recommendations for the fix, and preferably the report is generated on a per-vulnerability type basis.
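The pipeline the abstract describes, as an added Python sketch that is not code from the patent or its assignee: the constructed taint traces below (node names, vulnerability types and recommendation text are all invented for the example) are analysed for overlapping nodes, reduced to groups of common nodes that serve as candidate fix points, and reported per vulnerability type rather than as one warning per trace.

```python
from collections import defaultdict

# Constructed sample findings (not from the patent): one taint trace per entry, i.e. the ordered
# nodes a tainted value passes through from source to sink, tagged with its vulnerability type.
FINDINGS = [
    ("XSS",  ["getParam",  "parseInput", "buildModel",    "renderHtml"]),
    ("XSS",  ["getHeader", "parseInput", "buildModel",    "renderHtml"]),
    ("XSS",  ["getCookie", "buildModel", "renderHtml"]),
    ("SQLi", ["getParam",  "parseInput", "lookupUser",    "runQuery"]),
    ("SQLi", ["getParam",  "parseInput", "lookupAccount", "runQuery"]),
    ("SQLi", ["readFile",  "runBatch"]),  # shares no node with the other SQLi traces
]
RECOMMENDATIONS = {  # hypothetical per-type fix text; a real tool would derive it from the sink API
    "XSS":  "apply context-aware HTML output encoding at the chosen node",
    "SQLi": "switch the chosen node to parameterised queries",
}

def node_coverage(traces):
    """Map each node to the set of indices of the traces that pass through it."""
    owners = defaultdict(set)
    for i, nodes in enumerate(traces):
        for n in set(nodes):
            owners[n].add(i)
    return owners

def reduce_to_fix_points(traces):
    """Repeatedly take the node covering the most still-unfixed traces (ties by name), grouped with
    every node covering exactly the same traces; a trace overlapping nothing becomes its own group."""
    owners = node_coverage(traces)
    remaining, groups = set(range(len(traces))), []
    while remaining:
        cover = {n: idx & remaining for n, idx in owners.items() if idx & remaining}
        best = min(cover, key=lambda n: (-len(cover[n]), n))
        nodes = sorted(n for n, idx in cover.items() if idx == cover[best])
        groups.append((nodes, sorted(cover[best])))
        remaining -= cover[best]
    return groups

def build_report(findings, recommendations=RECOMMENDATIONS):
    """Solution-centric report keyed by vulnerability type instead of one warning per trace."""
    by_type = defaultdict(list)
    for vuln, nodes in findings:
        by_type[vuln].append(nodes)
    return {vuln: {"traces": len(traces),
                   "fix_points": reduce_to_fix_points(traces),
                   "recommendation": recommendations.get(vuln, "add sanitization at the chosen node")}
            for vuln, traces in sorted(by_type.items())}

if __name__ == "__main__":
    for vuln, entry in build_report(FINDINGS).items():
        print(f"{vuln}: {entry['traces']} trace(s) -> {len(entry['fix_points'])} fix-point group(s)")
        for nodes, covered in entry["fix_points"]:
            print(f"  fix at one of {nodes} (covers traces {covered}): {entry['recommendation']}")
```

For the sample data the three XSS traces collapse to a single fix-point group (buildModel or renderHtml), while the SQLi trace that shares no node with the others is reported as its own group instead of being lost.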
24 Claims
1. A method of automated analysis on source files of a software system, comprising:
receiving sets of trace data each representing a potential security flaw in the software system, the trace data comprising a set of trace nodes;
analyzing the sets of trace data to identify overlapping trace nodes;
processing the overlapping trace nodes to identify a reduced set of common nodes representing one or more potential fix points for a security flaw; and
outputting a report identifying the one or more potential fix points for the security flaw, together with a recommendation for addressing the security flaw.
Dependent claims: 2, 3, 4, 5, 6, 7, 8.
9. Apparatus, comprising:
a processor;
computer memory holding computer program instructions executed by the processor to perform automated analysis on source files of a software system, the computer program instructions operative to:
receive sets of trace data each representing a potential security flaw in the software system, the trace data comprising a set of trace nodes;
analyze the sets of trace data to identify overlapping trace nodes;
process the overlapping trace nodes to identify a reduced set of common nodes representing one or more potential fix points for a security flaw; and
output a report identifying the one or more potential fix points for the security flaw, together with a recommendation for addressing the security flaw.
Dependent claims: 10, 11, 12, 13, 14, 15, 16.
17. A computer program product in a non-transitory computer readable medium for use in a data processing system, the computer program product holding computer program instructions executed by the data processing system to perform automated analysis on source files of a software system, the computer program instructions operative to:
receive sets of trace data each representing a potential security flaw in the software system, the pathway data comprising a set of trace nodes;
analyze the sets of trace data to identify overlapping trace nodes;
process the overlapping trace nodes to identify a reduced set of common nodes representing one or more potential fix points for a security flaw; and
output a report identifying the one or more potential fix points for the security flaw, together with a recommendation for addressing the security flaw.
Dependent claims: 18, 19, 20, 21, 22, 23, 24.
Specification