
Web application security frame

  • US 7,818,788 B2
  • Filed: 02/14/2006
  • Issued: 10/19/2010
  • Est. Priority Date: 02/14/2006
  • Status: Active Grant
First Claim

1. A method implemented with a computing system that includes a processor and memory storing instructions which, when executed by the processor, implement the method for incorporating security engineering expertise into one or more development engineering activities related to a development life cycle of a web-based application, by generating a web application security frame that identifies and categorizes security expertise specific to a context of the web-based application, the security expertise for use in the one or more development engineering activities for development of the web-based application, the one or more development engineering activities including executing a threat modeling activity for the web-based application, the method comprising:

    determining a context of the web-based application, the context identifying environment information corresponding to the web-based application, including environment information corresponding to at least one of a web-based application type, a web-based application scenario, a web-based application project type or a web-based application life cycle type;

    identifying engineering expertise relevant to the one or more development engineering activities, including the threat modeling activity, for the web-based application based at least in part upon the context, the engineering expertise identifying one or more categories that identify areas where security issues arise when developing web-based applications corresponding to the context of the web-based application, each category corresponding to;

    engineering expertise identifying one or more vulnerabilities corresponding to the category;

    engineering expertise identifying one or more threats or attacks against the vulnerabilities; and

    engineering expertise identifying one or more countermeasures against the threats or attacks;

    generating, at the computing system, a web application security frame based on the identified engineering expertise that identifies and categorizes security expertise specific to the context of the web-based application, the web application security frame employing the one or more categories to organize the corresponding vulnerabilities, threats or attacks, and countermeasures;

    identifying the one or more development engineering activities related to the development life cycle of the web-based application, including identifying the threat modeling activity;

    executing, on the computing system, the threat modeling activity for the web-based application based at least in part upon the web application security frame, including the identified engineering expertise specific to the context of the web-based application; and

    receiving results from the threat modeling activity, and incorporating the results into the one or more development engineering activities into the development life cycle of the web-based application.

  • 2 Assignments