System and method for identifying potential security risks in controls
Abstract
Controls of interest are identified by determining which installed software objects associated with the application of interest exhibit certain characteristics, such as being publicly creatable, being designated as safe, and providing a security-related interface. Once the controls of interest are identified from the installed software objects, information associated with each control is obtained and stored. Each time the software program of interest is modified and re-installed, the information is updated to reflect the modifications. Additional information is also stored with the information. The information and the additional information may be provided to a browser for display and may be modified by a user to describe a present state associated with the control of interest (i.e., tested, untested).
17 Claims
1. A computer-implemented method for tracking and verifying that controls associated with a software program of interest have been tested for security concerns, comprising:
extracting as security risk information, information about controls associated with the interested software program to be installed that are installed on a computer system each time after the interested software program having software objects has been installed or updated on the computer system, the controls being a subset of the software objects;
wherein the extraction of information identifies a list of potential controls based on whether the controls present a security risk when executed;
wherein the list of potential controls does not include any controls that are associated with a different software program;
wherein the security risk information includes information associated with the controls of interest, which are identified as controls that pose a potential security risk;
wherein the identification of a list of potential controls is based on includes installing all components of the interested software program, identifying all executable files, and calling each identified executable file to locate controls hidden in all installed components of the interested software program;
identifying controls of interest from the list of potential controls;
storing the security risk information and the identified controls of interest in a database;
retrieving the security risk information upon request;
displaying the security risk information, along with additional information and the identified controls of interest, in a browser, the additional information providing a mechanism for tracking and verifying that the identified controls of interest have been tested for security concerns;
updating the additional information through the browser; and
updating the security risk information stored in the database based on the additional information updated through the browser.
Dependent claims: 2, 3, 4, 5
6. A system for tracking and verifying that controls associated with an application of interest have been tested for security concerns, comprising:
a client computer configured to determine a list of controls of interest associated with the interested application to be installed;
identify as potential controls, controls that are not associated with another application;
identify controls of interest from the potential controls and generate security risk information associated with the controls of interest, the controls of interest being identified from installed software objects and identified at least in part from a determination of whether the controls of interest are safe;
wherein the determination of whether the controls of interest are safe depends on whether the controls of interest are a security risk when executed;
wherein the generated security risk information includes information associated with the identified controls of interest, which are controls that pose a potential security risk;
wherein identification of the potential controls is based on installing all components of the application, identifying all executable files, and calling each identified executable file to locate controls hidden in all installed components of the interested application;
a server computer configured to receive the generated security risk information from the client computer and to store the generated security risk information in a database; and
user computers configured to submit requests for security risk information of the interested application to the server computer and in response to the request to receive a rich set of security risk information about the controls that is displayed in a browser executing on the user computer, the rich set of security risk information providing a listing of controls of interest and allowing changes in the controls of interest from the identified controls of interest to be tracked and verified.
Dependent claims: 7, 8, 9, 10, 11, 12, 13
14. A system for tracking and verifying that controls associated with a software program of interest have been tested for security concerns, comprising:
a client computer that is configured to perform actions, including;
installing a control that is associated with the interested software program;
determining whether the control is potentially unsafe based on whether the control presents a security risk when executed;
extracting as security risk information, information about controls installed on the client computer;
wherein the information is extracted each time the interested software program on the client computer are modified; and
wherein the information provides a mechanism for tracking changes and verifying testing of the controls;
wherein the extraction of security risk information identifies a list of potential controls that does not include any controls that are also associated with a different software program;
wherein the security risk information includes information associated with controls of interest and responsive to the determining whether the control is potentially unsafe based on whether the control presents a security risk when executed such that the controls of interest are identified as controls that pose a potential security risk;
wherein the identification of a list of potential controls includes installing all components of the interested software program, identifying all executable files, and calling each identified executable file to locate controls hidden in all installed components of the interested software program;
sending from the client computer the security risk information about the controls of interest; and
a server that is configured to perform actions, including;
receiving at the server from the client computer the security risk information about the identified controls of interest;
storing the security risk information about the identified controls of interest; and
sending from the server the security risk information to a requesting computer that is configured to display a list of controls of interest from the identified controls of interest.
Dependent claims: 15, 16, 17
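The workflow that the abstract and independent claims 1, 6 and 14 describe (filter the installed software objects of one program down to the controls of interest, store them, re-extract after every install or update, and let a reviewer mark each control tested or untested) can be modelled in a short script. The Python below is an added illustration, not code from the patent or its assignee: the software-object records, the program names, the bracketed identifiers and the file names are constructed, and the three boolean attributes stand in for whatever registry or type-library checks a real scan would perform. What it shows beyond the claim text is how the per-install refresh preserves the user-maintained test state for controls that survive an update while adding new ones and dropping removed ones.

```python
"""Added example: minimal model of the control-inventory workflow in the
abstract and claims 1, 6 and 14. Not the patent's own code; all data is
constructed."""
import sqlite3
from dataclasses import dataclass


@dataclass(frozen=True)
class SoftwareObject:
    """One installed software object as a scan might report it. The three
    booleans are assumed attributes standing in for real registry checks."""
    clsid: str               # constructed identifier
    program: str             # program that installed the object
    executable: str          # file the object was located in
    publicly_creatable: bool
    marked_safe: bool        # "designated as safe" in the abstract
    security_interface: bool


def potential_controls(objects, program):
    """Claims 1, 6, 14: candidates exclude controls associated with a
    different program, so shared objects never enter this inventory."""
    return [o for o in objects if o.program == program]


def is_control_of_interest(obj):
    """Abstract: publicly creatable, designated safe, security interface."""
    return obj.publicly_creatable and obj.marked_safe and obj.security_interface


def controls_of_interest(objects, program):
    return [o for o in potential_controls(objects, program) if is_control_of_interest(o)]


def open_db():
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE controls ("
        " clsid TEXT PRIMARY KEY, program TEXT NOT NULL, executable TEXT NOT NULL,"
        " test_state TEXT NOT NULL DEFAULT 'untested')"
    )
    return conn


def record_install(conn, objects, program):
    """Run after each install or update: add new controls, refresh surviving
    ones (keeping their test_state), delete controls that disappeared.
    Returns (added, removed) as sorted lists of clsids."""
    current = {o.clsid: o for o in controls_of_interest(objects, program)}
    stored = {row[0] for row in conn.execute(
        "SELECT clsid FROM controls WHERE program = ?", (program,))}
    added = sorted(set(current) - stored)
    removed = sorted(stored - set(current))
    for clsid in removed:
        conn.execute("DELETE FROM controls WHERE clsid = ?", (clsid,))
    for o in current.values():
        # INSERT OR IGNORE keeps an existing row and its test_state;
        # the UPDATE refreshes fields that may change between versions.
        conn.execute("INSERT OR IGNORE INTO controls (clsid, program, executable)"
                     " VALUES (?, ?, ?)", (o.clsid, o.program, o.executable))
        conn.execute("UPDATE controls SET executable = ? WHERE clsid = ?",
                     (o.executable, o.clsid))
    conn.commit()
    return added, removed


def set_test_state(conn, clsid, state):
    """The 'additional information' a reviewer updates through the browser."""
    if state not in ("tested", "untested"):
        raise ValueError(f"unknown test state: {state}")
    conn.execute("UPDATE controls SET test_state = ? WHERE clsid = ?", (state, clsid))
    conn.commit()


def report(conn, program):
    """What a browser front end would display for one program."""
    rows = conn.execute(
        "SELECT clsid, executable, test_state FROM controls"
        " WHERE program = ? ORDER BY clsid", (program,))
    return [{"clsid": c, "executable": e, "test_state": t} for c, e, t in rows]


# Constructed inventories for two successive installs of the same program.
INSTALL_V1 = [
    SoftwareObject("{A1}", "ExampleApp", "viewer.ocx", True, True, True),
    SoftwareObject("{A2}", "ExampleApp", "viewer.ocx", True, False, True),  # not marked safe
    SoftwareObject("{A3}", "ExampleApp", "helper.dll", True, True, True),
    SoftwareObject("{B1}", "OtherApp", "other.dll", True, True, True),      # different program
]
INSTALL_V2 = [
    SoftwareObject("{A1}", "ExampleApp", "viewer.ocx", True, True, True),   # unchanged
    SoftwareObject("{A4}", "ExampleApp", "helper.dll", True, True, True),   # new in v2
    SoftwareObject("{B1}", "OtherApp", "other.dll", True, True, True),
]


def demo():
    conn = open_db()
    first = record_install(conn, INSTALL_V1, "ExampleApp")
    set_test_state(conn, "{A1}", "tested")        # reviewer signs off on {A1}
    second = record_install(conn, INSTALL_V2, "ExampleApp")
    return first, second, report(conn, "ExampleApp")


if __name__ == "__main__":
    for item in demo():
        print(item)
```

Running the script prints the two (added, removed) results and the final report: the first install records {A1} and {A3}, the second adds {A4} and drops {A3}, and {A1} keeps its "tested" state across the update while {A4} starts as "untested". An object that is not marked safe ({A2}) or belongs to another program ({B1}) never enters the table.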