METHODS AND SYSTEMS FOR MULTI-TOOL ORCHESTRATION

US 20200134176A1
Filed: 12/18/2019
Published: 04/30/2020
Est. Priority Date: 10/31/2018
Status: Active Grant

First Claim

Patent Images

1. A system for performing code security scan, comprising:

one or more processors;

a graphical user interface (GUI); and

memory storing instructions that, when executed by the one or more processors, cause the one or more processors to;

receive code to be scanned;

analyze the code to be scanned with two or more software security analysis tools, each of the two or more software security analysis tools selected from a different category, the different category being selected from one or more of;

a first software security analysis tool of a first category for performing Static Application Security Testing (SAST),a second software security analysis tool of a second category for performing Dynamic Application Security Testing (DAST), anda third software security analysis tool of a third category for performing Open Source Analysis (OSA);

display, in the GUI, status information of the analysis from each of the two or more software security analysis tools, the status information comprising a selectable button to configure each of the two or more software security analysis tools;

receive a result from each of the two or more software security analysis tools;

aggregate the result from each of the two or more software security analysis tools; and

display, on the GUI, (i) the aggregation from each of the two or more software security analysis tools, and (ii) a confidence score for each of the two or more software security analysis tools.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A system for performing code security scan includes a non-transitory computer readable medium and a processor. The non-transitory computer readable medium stores a plurality of identifiers each identifying a software security analysis tool of one of several categories, including SAST, DAST and OSA tools. The processor receives an identification of code to be scanned. The processor selects at least two identifiers from the plurality of identifiers. The at least two identifiers identify at least two select software security analysis tools for execution on the identified code. The processor receives an execution result from each select software security analysis tool after performing execution on the identified code. The processor aggregates the execution result from each select software security analysis tool. A user interface displays an aggregation of the execution result from each select software security analysis tool.

Citations

20 Claims

1. A system for performing code security scan, comprising:
- one or more processors;
  
  a graphical user interface (GUI); and
  
  memory storing instructions that, when executed by the one or more processors, cause the one or more processors to;
  
  receive code to be scanned;
  
  analyze the code to be scanned with two or more software security analysis tools, each of the two or more software security analysis tools selected from a different category, the different category being selected from one or more of;
  
  a first software security analysis tool of a first category for performing Static Application Security Testing (SAST),a second software security analysis tool of a second category for performing Dynamic Application Security Testing (DAST), anda third software security analysis tool of a third category for performing Open Source Analysis (OSA);
  
  display, in the GUI, status information of the analysis from each of the two or more software security analysis tools, the status information comprising a selectable button to configure each of the two or more software security analysis tools;
  
  receive a result from each of the two or more software security analysis tools;
  
  aggregate the result from each of the two or more software security analysis tools; and
  
  display, on the GUI, (i) the aggregation from each of the two or more software security analysis tools, and (ii) a confidence score for each of the two or more software security analysis tools.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10)
- - 2. The system of claim 1, wherein the processor is further configured to:
    - determine that a license status is expired for at least one of the two or more software security analysis tools;
      
      generate a license renewal request for the at least one software security analysis tool;
      
      send, to a licensor of the at least one software security analysis tool, the license renewal request;
      
      receive, from the licensor, a license renewal for the at least one software security analysis tool; and
      
      update the license status for the at least one software security analysis tool to a renewed license status.
  - 3. The system of claim 2, wherein the status information further comprises the license status, the licensor, and the renewed license status.
  - 4. The system of claim 1, wherein the processor is further configured to:
    - display a request on the GUI comprising the first category, the second category, and the third category; and
      
      receive a selection of the two or more software security analysis tools for execution on the code.
  - 5. The system of claim 1, wherein the aggregation of the result from each of the two or more software security analysis tools displayed in the GUI comprises a severity, a category, and a name of the result.
  - 6. The system of claim 1, wherein the processor is further configured to:
    - identify at least one false positive result; and
      
      instruct an additional software security analysis tool from each category to perform a security scan on the code associated with the false positive result.
  - 7. The system of claim 1, wherein the aggregation of the result from each software security analysis tool displayed in the GUI further comprises:
    - a first score for a combined static analysis result;
      
      a second score for open source license analysis; and
      
      a third score for open source known vulnerabilities.
  - 8. The system of claim 1, wherein the memory further comprises:
    - a scan database storing information of historical scan activity performed by each category of software security analysis tools.
  - 9. The system of claim 8, wherein the instructions further cause the one or more processors to:
    - receive a request for historical scan activity corresponding to one software security analysis tool from the two or more software security analysis tools; and
      
      provide, on the GUI, the historical scan activity.
  - 10. The system of claim 1, wherein the status information comprises an execution progress for each of the two or more software security analysis tools, the execution progress comprising one or more of:
    - completed, in progress, and queued.

11. A multi-tool orchestration system comprising:
- one or more processors;
  
  a graphical user interface (GUI); and
  
  memory storing instructions that, when executed by the one or more processors, cause the one or more processors to;
  
  receive, from a host server, an analysis request comprising software code to be scanned and two or more software security analysis tools to perform the scan, each of the two or more software security analysis tools selected from a different category, the different category being selected from one or more of;
  
  a first software security analysis tool of a first category for performing Static Application Security Testing (SAST),a second software security analysis tool of a second category for performing Dynamic Application Security Testing (DAST), anda third software security analysis tool of a third category for performing Open Source Analysis (OSA);
  
  analyze, with the two or more software security analysis tools, the software code;
  
  display, on the GUI, status information of the analysis from each of the two or more software security analysis tools, the status information comprising a selectable button to configure each of the two or more software security analysis tools;
  
  aggregate the analysis from each of the two or more software security analysis tools to create an aggregate result;
  
  provide, to the host server, the aggregate result for a presentation on a multi-tool security analysis website;
  
  display, on the GUI, (i) the aggregate result and (ii) a confidence score for each of the two or more software security analysis tools;
  
  receive, from the GUI, an indication of at least one false positive result in the aggregate result; and
  
  instruct an additional software security analysis tool from each category to perform an additional security scan on the software code.
- View Dependent Claims (12, 13, 14, 15, 16, 17)
- - 12. The system of claim 11, wherein the instructions further cause the system to:
    - determine that a license status is expired for at least one of the two or more software security analysis tools;
      
      generate a license renewal request for the at least one software security analysis tool;
      
      send, to a licensor of the at least one software security analysis tool, the license renewal request;
      
      receive, from the licensor, a license renewal for the at least one software security analysis tool; and
      
      update the license status for the at least one software security analysis tool to a renewed license status.
  - 13. The system of claim 12, wherein the status information further comprises the license status, the licensor, and the renewed license status.
  - 14. The system of claim 11, wherein the aggregation of the analysis from each software security analysis tool displayed on the GUI further comprises:
    - a first score for a combined static analysis result;
      
      a second score for open source license analysis; and
      
      a third score for open source known vulnerabilities.
  - 15. The system of claim 11, wherein the memory further comprises:
    - a scan database storing historical scan activity performed by each category of software security analysis tools.
  - 16. The system of claim 15, wherein the instructions further cause the one or more processors to:
    - receive a request for historical scan activity corresponding to one software security analysis tool from the two or more software security analysis tools; and
      
      provide, on the GUI, the historical scan activity.
  - 17. The system of claim 11, wherein the instructions further cause the one or more processors to:
    - receive, from the host server, user configuration settings corresponding to at least one of the two or more software security analysis tools; and
      
      configure the at least one software security analysis tool based on the user configuration settings.

18. A multi-tool security analysis system comprising:
- one or more processors;
  
  a graphical user interface (GUI); and
  
  memory storing instructions that, when executed by the one or more processors, cause the one or more processors to;
  
  receive an analysis request comprising software code to be scanned and two or more software security analysis tools, each of the two or more software security analysis tools being selected from different categories, the different categories being selected from one or more of;
  
  a first software security analysis tool of a first category for performing Static Application Security Testing (SAST),a second software security analysis tool of a second category for performing Dynamic Application Security Testing (DAST), anda third software security analysis tool of a third category for performing Open Source Analysis (OSA);
  
  analyze, with the two or more software security analysis tools, the software code;
  
  display, in the GUI, status information of the analysis from each of the two or more software security analysis tools, the status information comprising a selectable button to configure each of the two or more software security analysis tools;
  
  receive, from the GUI, user configuration settings corresponding to at least one of the two or more software security analysis tools;
  
  configure the at least one of the two or more software security analysis tools based on the user configuration settings;
  
  aggregate a vendor-specific output from each of the two or more software security analysis tools to create an aggregate result;
  
  send the aggregate result to a multi-tool security analysis website for presentation;
  
  display, on the GUI, (i) the aggregate result and (ii) a confidence score for each of the two or more software security analysis tools;
  
  receive, from the GUI, an indication of at least one false positive result in the aggregate result; and
  
  instruct an additional software security analysis tool from each category to perform an additional security scan on the software code.
- View Dependent Claims (19, 20)
- - 19. The system of claim 18, wherein the instructions further cause the system to:
    - determine that a license status is expired at least one of the two or more software security analysis tools;
      
      generate a license renewal request for the at least one software security analysis tool;
      
      send, to a licensor of the at least one software security analysis tool, the license renewal request;
      
      receive, from the licensor, a license renewal for the at least one software security analysis tool; and
      
      update the license status for the at least one software security analysis tool to a renewed license status.
  - 20. The system of claim 18, wherein the instructions further cause the one or more processors to:
    - receive a request for historical scan activity corresponding to one software security analysis tool of the two or more software security analysis tools; and
      
      provide, on the GUI, the historical scan activity.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Capital One Services LLC (Capital One Financial Corporation)
Original Assignee
Capital One Services LLC (Capital One Financial Corporation)
Inventors
Youngberg, Adam James

Granted Patent

US 11,328,058 B2
Time in Patent Office

Days
Field of Search
US Class Current
CPC Class Codes

G06F 11/3604   Software analysis for verif...

G06F 21/105   Arrangements for software l...

G06F 21/554   involving event detection a...

G06F 21/562   Static detection

G06F 21/563   by source code analysis

G06F 21/566   Dynamic detection, i.e. det...

G06F 21/577   Assessing vulnerabilities a...

G06F 2221/033   Test or assess software

G06F 9/44536   Selecting among different v...

G06F 9/52   Program synchronisation; Mu...

METHODS AND SYSTEMS FOR MULTI-TOOL ORCHESTRATION

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

METHODS AND SYSTEMS FOR MULTI-TOOL ORCHESTRATION

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links