VULNERABILITY ANALYSIS OF SOFTWARE COMPONENTS

US 20170169229A1
Filed: 12/10/2015
Published: 06/15/2017
Est. Priority Date: 12/10/2015
Status: Active Grant

First Claim

Patent Images

1. A computer-implemented method for monitoring security of an application, the method being executed by one or more processors and comprising:

receiving, by the one or more processors, an application developed by a first vendor;

processing, by the one or more processors, the application, by performing a byte-code analysis of the application, to;

identify a plurality of software components used by the application that were developed by vendors other than the first vendor, andprovide a list of third-party software components associated with the application, the list including each of the identified software components; and

for each software component included in the list, determining, by the one or more processors, whether the software component has a vulnerability and, if so, selectively providing code to correct the vulnerability of the software component.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Methods, systems, and apparatus, including computer programs encoded on a computer storage medium, for receiving an application developed by a first vendor. Processing the application, by performing a byte-code analysis of the application, to: identify a plurality of software components used by the application that were developed by vendors other than the first vendor, and provide a list of third-party software components associated with the application, the list including each of the identified software components. determining, for each software component included in the list, whether the software component has a vulnerability and, if so, selectively providing code to correct the vulnerability of the software component.

80 Citations

View as Search Results

18 Claims

1. A computer-implemented method for monitoring security of an application, the method being executed by one or more processors and comprising:
- receiving, by the one or more processors, an application developed by a first vendor;
  
  processing, by the one or more processors, the application, by performing a byte-code analysis of the application, to;
  
  identify a plurality of software components used by the application that were developed by vendors other than the first vendor, andprovide a list of third-party software components associated with the application, the list including each of the identified software components; and
  
  for each software component included in the list, determining, by the one or more processors, whether the software component has a vulnerability and, if so, selectively providing code to correct the vulnerability of the software component.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16, 17)
- - 2. The method of claim 1, comprising providing a report indicating which of the plurality of software components in the list have vulnerabilities.
  - 3. The method of claim 1, wherein processing the application comprises:
    - identifying a first set of the plurality of software components by performing a first analysis of the application, wherein the first analysis is an analysis of byte-code of the application to identify the software components based on links to dynamic libraries; and
      
      identifying a second set of the plurality of software components by performing a second analysis of the application.
  - 4. The method of claim 3, wherein the second analysis is an analysis of the application to identify the software components based on static dependencies of the software application.
  - 5. The method of claim 3, wherein the second analysis is an analysis of source code of the application to identify the software components based on portions of the software components used by the application.
  - 6. The method of claim 3, wherein the second analysis is an analysis of the application to identify the software components based on run-time dependencies of the software application.
  - 7. The method of claim 3, wherein processing the application comprises:
    - determining that a name of a first software component identified by the first analysis is identical to a name of a second software component identified by the second analysis; and
      
      determining to include the first software component in list of third-party software components and to not include the second software component in the list of third-party software components, wherein the determination is based on characteristics of the first analysis and characteristics of the second analysis.
  - 8. The method of claim 3, wherein the first analysis is performed at a first stage of development of the application and the second analysis is performed at a second stage of development of the application.
  - 9. The method of claim 1, wherein the list of third-party software components includes characteristics associated with each of the software components.
  - 10. The method of claim 9, wherein the characteristics include one of a major version of the software component, a minor version of the software component, and origin of the software component.
  - 11. The method of claim 1, wherein determining, for each software component in the list, whether the software component has an exploitable vulnerability comprises regularly querying a server system for vulnerabilities associated with the software component.
  - 12. The method of claim 11, wherein the server system is a database listing known vulnerabilities.
  - 13. The method of claim 11, wherein the server system is a website of a third-party vendor.
  - 14. The method of claim 1, wherein determining, for each software component in the list, whether the software component has an exploitable vulnerability comprises determining a version of the software component for which the vulnerability has been corrected.
  - 15. The method of claim 1, wherein determining, for each software component in the list, whether the software component has an exploitable vulnerability comprises:
    - identifying a portion of the software component affected by the vulnerability; and
      
      determining whether the application is exposed to the portion of the software component affected by the vulnerability.
  - 16. The method of claim 15, wherein identifying the portion of the software component affected by the vulnerability comprises identifying a specific function or method of the software component that is affected by the vulnerability.
  - 17. The method of claim 15, wherein determining whether the application is exposed to the portion of the software component affected by the vulnerability comprises:
    - determining whether the application uses the portion of the software component affected by the vulnerability; and
      
      determining whether the portion of the software component affected by the vulnerability can be accessed from the application by a user.

18. A system for monitoring security of an application, the system comprising:
- one or more computers; and
  
  a computer-readable medium coupled to the one or more computers having instructions stored thereon which, when executed by the one or more computers, cause the one or more computers to perform operations, the operations comprising;
  
  receiving an application developed by a first vendor;
  
  processing the application, by performing a byte-code analysis of the application, to;
  
  identify a plurality of software components used by the application that were developed by vendors other than the first vendor, andprovide a list of third-party software components associated with the application, the list including each of the identified software components; and
  
  for each software component included in the list, determining whether a software component has a vulnerability and, if so, selectively providing code to correct the vulnerability of the software component.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
SAP SE
Original Assignee
SAP SE
Inventors
Brucker, Achim D., Dashevskyi, Stanislav

Granted Patent

US 10,691,808 B2
Time in Patent Office

Days
Field of Search
US Class Current
CPC Class Codes

G06F 21/566   Dynamic detection, i.e. det...

G06F 21/577   Assessing vulnerabilities a...

G06F 2221/033   Test or assess software

VULNERABILITY ANALYSIS OF SOFTWARE COMPONENTS

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

80 Citations

18 Claims

Specification

Use Cases

Quick Links

Others

VULNERABILITY ANALYSIS OF SOFTWARE COMPONENTS

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

80 Citations

18 Claims

Specification

Subscription Required

Use Cases

Quick Links

Others