Web application security frame
First Claim
1. A method implemented with a computing system that includes a processor and memory storing instructions which, when executed by the processor, implement the method for incorporating security engineering expertise into one or more development engineering activities related to a development life cycle of a web-based application, by generating a web application security frame that identifies and categorizes security expertise specific to a context of the web-based application, the security expertise for use in the one or more development engineering activities for development of the web-based application, the one or more development engineering activities including executing a threat modeling activity for the web-based application, the method comprising:
- determining a context of the web-based application, the context identifying environment information corresponding to the web-based application, including environment information corresponding to at least one of a web-based application type, a web-based application scenario, a web-based application project type or a web-based application life cycle type;
- identifying engineering expertise relevant to the one or more development engineering activities, including the threat modeling activity, for the web-based application based at least in part upon the context, the engineering expertise identifying one or more categories that identify areas where security issues arise when developing web-based applications corresponding to the context of the web-based application, each category corresponding to:
  - engineering expertise identifying one or more vulnerabilities corresponding to the category;
  - engineering expertise identifying one or more threats or attacks against the vulnerabilities; and
  - engineering expertise identifying one or more countermeasures against the threats or attacks;
- generating, at the computing system, a web application security frame based on the identified engineering expertise that identifies and categorizes security expertise specific to the context of the web-based application, the web application security frame employing the one or more categories to organize the corresponding vulnerabilities, threats or attacks, and countermeasures;
- identifying the one or more development engineering activities related to the development life cycle of the web-based application, including identifying the threat modeling activity;
- executing, on the computing system, the threat modeling activity for the web-based application based at least in part upon the web application security frame, including the identified engineering expertise specific to the context of the web-based application; and
- receiving results from the threat modeling activity, and incorporating the results into the one or more development engineering activities into the development life cycle of the web-based application.
Abstract
A web application security frame (e.g., schema) that can incorporate expertise into an engineering activity, for example, a threat modeling activity, is provided. The novel web application security frame component can be applied to a threat modeling component to converge knowledge into the activity by identifying categories, vulnerabilities, threats, attacks and countermeasures. The novel schema can create a common framework that converges knowledge with respect to any application engineering activity (e.g., threat modeling, performance modeling). Additionally, a context precision mechanism can be employed to automatically and/or dynamically determine a context of a web application environment. This context can be used to automatically generate an appropriate web application security frame component.
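The frame and context mechanism the abstract describes, as an added Python model that is not part of the patent: a context precision step derives context facts from environment information, the frame is generated by keeping only the categories relevant to that context, and a threat modeling pass matches design-time components against the frame. The category names, context facts, catalog entries and component inventory are constructed here for illustration.

```python
# Added example (not from the patent): a minimal web application security frame.
# Each frame entry ties a category to a vulnerability, a threat/attack and a
# countermeasure, plus the context facts under which it applies (all constructed).
from collections import namedtuple

FrameEntry = namedtuple("FrameEntry",
                        "category vulnerability threat countermeasure requires surface")
CATALOG = [  # constructed engineering expertise, organised by category
    FrameEntry("Input Validation", "form fields passed unvalidated to queries", "injection",
               "parameterised queries plus allow-list validation", frozenset({"web"}), "accepts_user_input"),
    FrameEntry("Authentication", "credentials sent over plaintext HTTP", "credential sniffing or replay",
               "TLS on all authentication traffic", frozenset({"internet-facing"}), "authenticates_users"),
    FrameEntry("Session Management", "predictable session identifier", "session hijacking",
               "random session ids, rotated at login", frozenset({"web"}), "maintains_sessions"),
    FrameEntry("Sensitive Data", "secrets stored in plaintext configuration", "disclosure through file read",
               "keep secrets in a vault, encrypt at rest", frozenset({"handles-secrets"}), "stores_secrets"),
]
ENV = {"app_type": "web", "anonymous_users": True, "stores_credentials": True}  # constructed
COMPONENTS = [  # constructed design-time component inventory
    {"name": "login form", "accepts_user_input": True, "authenticates_users": True,
     "maintains_sessions": True},
    {"name": "config loader", "stores_secrets": True},
    {"name": "search page", "accepts_user_input": True},
]

def determine_context(env):
    """Context precision: derive context facts from environment information."""
    ctx = {env.get("app_type", "web")}
    ctx.add("internet-facing" if env.get("anonymous_users") else "intranet")
    if env.get("stores_credentials"):
        ctx.add("handles-secrets")
    return frozenset(ctx)

def build_security_frame(context):
    """Generate the frame: keep only entries whose required facts hold in this context."""
    frame = {}
    for e in CATALOG:
        if e.requires <= context:
            frame.setdefault(e.category, []).append(e)
    return frame

def run_threat_model(frame, components):
    """Threat modeling activity: match each component's exposed surfaces to the frame."""
    return [{"component": c["name"], "category": cat, "vulnerability": e.vulnerability,
             "threat": e.threat, "countermeasure": e.countermeasure}
            for c in components for cat, entries in frame.items()
            for e in entries if c.get(e.surface)]

def incorporate_results(findings):
    """Fold results back into development as a per-component countermeasure backlog."""
    backlog = {}
    for f in findings:
        backlog.setdefault(f["component"], set()).add(f["countermeasure"])
    return backlog
```

Changing the environment (for example, no anonymous users and no stored credentials) shrinks the generated frame, which is the context-specific selection the claim describes.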
149 Citations
13 Claims
Claim 1 (reproduced above) is the independent claim; dependent claims 2 through 13 are not reproduced on this page.
Specification