Enforcing alignment of approved changes and deployed changes in the software change life-cycle

US 8,234,713 B2
Filed: 12/17/2009
Issued: 07/31/2012
Est. Priority Date: 02/02/2006
Status: Active Grant

First Claim

Patent Images

1. A method to be executed by a processor, comprising:

intercepting a host content change request indicating a change to a persistent object on a host computer;

determining whether the change is authorized, as indicated by a set of change authorization policies;

allowing the change to take effect when the change is authorized;

blocking the change from taking effect when the change is not authorized;

logging information about the host content change request;

obtaining a log representing a set of host content change requests;

comparing the log to a set of approved change orders for any one or more of a plurality of persistent objects on the host computer;

identifying at least one correlation between the set of host content change requests and the set of approved change orders; and

providing user-readable data representing the at least one correlation,wherein the set of change authorization policies is configurable to define whether the persistent object can be changed.

View all claims

11 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

On a host, host content change requests are intercepted in real-time. In a tracking mode, the change requests are logged and allowed to take effect on the host. In an enforcement mode, the change requests are logged and additionally compared against authorized change policies and a determination is made whether to allow the change to take effect or to block the changes, thereby enforcing the authorized change policies on the host. Tracking and enforcement can be done in real-time. In either mode and at any time, the logged changes can be reconciled against a set of approved change orders in order to identify classes of changes, including changes that were deployed but not approved and changes that were approved but not deployed.

Citations

34 Claims

1. A method to be executed by a processor, comprising:
- intercepting a host content change request indicating a change to a persistent object on a host computer;
  
  determining whether the change is authorized, as indicated by a set of change authorization policies;
  
  allowing the change to take effect when the change is authorized;
  
  blocking the change from taking effect when the change is not authorized;
  
  logging information about the host content change request;
  
  obtaining a log representing a set of host content change requests;
  
  comparing the log to a set of approved change orders for any one or more of a plurality of persistent objects on the host computer;
  
  identifying at least one correlation between the set of host content change requests and the set of approved change orders; and
  
  providing user-readable data representing the at least one correlation,wherein the set of change authorization policies is configurable to define whether the persistent object can be changed.
- View Dependent Claims (2, 3, 4, 5, 33, 34)
- - 2. The method of claim 1, wherein at least one policy of the set of change authorization policies is selected from the group consisting of:
    - a set of persistent objects that can be changed without restriction;
      
      a set of users, programs or entities that can make changes to a specified set of persistent objects; and
      
      a set of users, programs or entities that can make changes to the specified set of persistent objects during one or more specified time windows.
  - 3. The method of claim 1, wherein the determining, the allowing and the blocking are performed in real-time.
  - 4. The method of claim 1, further comprising:
    - filtering the host content change request to prevent logging the host content change request if the host content change request is non-material.
  - 5. The method of claim 4, wherein the host content change request is non-material if the host content change request includes one or more of:
    - creation of specified registry entries;
      
      modification of specified registry entries; and
      
      creation, deletion, or modification of temporary objects.
  - 33. The method of claim 1, further comprising:
    - selecting a specified set of log entries from the log according to one or more criteria, wherein the comparing the log to a set of approved change orders includes comparing only the specified set of log entries to the set of approved change orders.
  - 34. The method of claim 33, wherein the one or more criteria are selected from a group of criteria comprising a specified set of host computers, a specified set of software, and a specified time window.

6. Logic encoded in one or more non-transitory computer readable media having computer-executable instructions and when executed by a processor is operable to perform operations comprising:
- intercepting a host content change request indicating a change to a persistent object on a host;
  
  determining whether the change is authorized, as indicated by a set of change authorization policies;
  
  allowing the change to take effect when the change is authorized;
  
  blocking the change from taking effect when the change is not authorized;
  
  logging information about the host content change request;
  
  obtaining a log representing a set of host content change requests;
  
  comparing the log to a set of approved change orders for any one or more of a plurality of persistent objects on the host;
  
  identifying at least one correlation between the set of host content change requests and the set of approved change orders; and
  
  providing user-readable data representing the at least one correlation,wherein the set of change authorization policies is configurable to define whether the persistent object can be changed.
- View Dependent Claims (7, 8, 9, 10)
- - 7. The logic of claim 6, wherein at least one policy of the set of change authorization policies is selected from the group consisting of:
    - a set of persistent objects that can be changed without restriction;
      
      a set of users, programs or entities that can make changes to a specified set of persistent objects; and
      
      a set of users, programs or entities that can make changes to the specified set of persistent objects during one or more specified time windows.
  - 8. The logic of claim 6, wherein the determining, the allowing and the blocking are performed in real-time.
  - 9. The logic of claim 6, wherein the operations further comprise:
    - filtering the host content change request to prevent logging the host content change request if the host content change request is non-material.
  - 10. The logic of claim 9, wherein the host content change request is non-material if the host content change request includes one or more of:
    - creation of specified registry entries;
      
      modification of specified registry entries; and
      
      creation, deletion, or modification of temporary objects.

11. A host, comprising:
- a memory element for storing a set of change authorization policies; and
  
  a processor operable to execute instructions associated with a management module, including;
  
  intercepting a host content change request indicating a change to a persistent object on the host;
  
  determining whether the change is authorized, as indicated by the set of change authorization policies;
  
  allowing the change to take effect when the change is authorized; and
  
  blocking the change from taking effect when the change is not authorizedlogging information about the host content change request;
  
  obtaining a log representing a set of host content change requests;
  
  comparing the log to a set of approved change orders for any one or more of a plurality of persistent objects on the host;
  
  identifying at least one correlation between the set of host content change requests and the set of approved change orders; and
  
  providing user-readable data representing the at least one correlation,wherein the set of change authorization policies is configurable to define whether the persistent object can be changed.
- View Dependent Claims (12, 13, 14)
- - 12. The host of claim 11, wherein at least one policy of the set of change authorization policies is selected from the group consisting of:
    - a set of persistent objects that can be changed without restriction;
      
      a set of users, programs or entities that can make changes to a specified set of persistent objects; and
      
      a set of users, programs or entities that can make changes to the specified set of persistent objects during one or more specified time windows.
  - 13. The host of claim 11, wherein the instructions associated with the management module further include:
    - filtering the host content change request to prevent logging the host content change request if the host content change request is non-material.
  - 14. The host of claim 13, wherein the host content change request is non-material if the host content change request includes one or more of:
    - creation of specified registry entries;
      
      modification of specified registry entries; and
      
      creation, deletion, or modification of temporary objects.

15. A method to be executed by a processor, comprising:
- intercepting a host content change request indicating a change to a persistent object on a host computer;
  
  determining whether the change is authorized, as indicated by a set of change authorization policies;
  
  allowing the change to take effect when the change is authorized;
  
  logging information about the host content change request;
  
  obtaining a log representing a set of change requests for at least one persistent object of a plurality of persistent objects on the host computer;
  
  comparing the log to a set of approved change orders for any one or more of the plurality of persistent objects;
  
  identifying one or more discrepancies between the set of change requests and the set of approved change orders; and
  
  providing user-readable data representing the one or more discrepancies.
- View Dependent Claims (16, 17, 18, 19, 20, 21, 22)
- - 16. The method of claim 15, wherein at least one of the one or more discrepancies is selected from a group of discrepancies, the group consisting of:
    - a change request that does not correspond to any approved change orders; and
      
      an approved change order that does not correspond to any change requests.
  - 17. The method of claim 15, wherein at least one change request was blocked in response to a set of authorization policies indicating that the at least one change request was not authorized.
  - 18. The method of claim 15, wherein at least one change request was executed resulting in a deployed change to the at least one persistent object, wherein the execution occurred in response to a set of authorization policies indicating that the at least one change request was authorized.
  - 19. The method of claim 15, wherein the user-readable data indicates whether the one or more discrepancies include a change request that was executed resulting in a deployed change to one of the persistent objects.
  - 20. The method of claim 15, wherein the user-readable data is a display generated on a display device.
  - 21. The method of claim 15, further comprising:
    - selecting a specified set of log entries from the log according to one or more criteria, wherein the comparing the log to a set of approved change orders includes comparing only the specified set of log entries to the set of approved change orders.
  - 22. The method of claim 21, wherein the one or more criteria are selected from a group of criteria comprising a specified set of host computers, a specified set of software, and a specified time window.

23. Logic encoded in one or more non-transitory computer readable media that includes code for execution and when executed by a processor is operable to perform operations comprising:
- intercepting a host content change request indicating a change to a persistent object on a host;
  
  determining whether the change is authorized, as indicated by a set of change authorization policies;
  
  allowing the change to take effect when the change is authorized;
  
  logging information about the host content change request;
  
  obtaining a log representing a set of change requests for at least one persistent object of a plurality of persistent objects on a host;
  
  comparing the log to a set of approved change orders for any one or more of the plurality of persistent objects;
  
  identifying one or more discrepancies between the set of change requests and the set of approved change orders; and
  
  providing user-readable data representing the one or more discrepancies.
- View Dependent Claims (24, 25, 26, 27)
- - 24. The logic of claim 23, wherein at least one of the one or more discrepancies is selected from a group of discrepancies, the group consisting of:
    - a change request that does not correspond to any approved change orders; and
      
      an approved change order that does not correspond to any change requests.
  - 25. The logic of claim 23, wherein at least one change request was blocked in response to a set of change authorization policies indicating that the at least one change request was not authorized.
  - 26. The logic of claim 23, wherein at least one change request was executed resulting in a deployed change to the at least one persistent object, wherein the execution occurred in response to a set of change authorization policies indicating that the at least one change request was authorized.
  - 27. The logic of claim 23, wherein the user-readable data indicates whether the one or more discrepancies include a change request that was executed resulting in a deployed change to one of the persistent objects.

28. A host, comprising:
- a memory element configured to store a log representing a set of change requests for at least one persistent object of a plurality of persistent objects on a host; and
  
  a processor operable to execute instructions associated with a reconciliation module, including;
  
  intercepting a host content change request indicating a change to a persistent object on a host;
  
  determining whether the change is authorized, as indicated by a set of change authorization policies;
  
  allowing the change to take effect when the change is authorized;
  
  logging information about the host content change request;
  
  obtaining the log representing the set of change requests;
  
  comparing the log to a set of approved change orders for any one or more of the plurality of persistent objects;
  
  identifying one or more discrepancies between the set of change requests and the set of approved change orders; and
  
  providing user-readable data representing the one or more identified discrepancies.
- View Dependent Claims (29, 30, 31, 32)
- - 29. The host of claim 28, wherein at least one of the one or more discrepancies is selected from a group of discrepancies, the group consisting of:
    - a change request that does not correspond to any approved change orders; and
      
      an approved change order that does not correspond to any change requests.
  - 30. The host of claim 28, wherein at least one change request was blocked in response to a set of change authorization policies indicating that the at least one change request was not authorized.
  - 31. The host of claim 28, wherein at least one change request was executed resulting in a deployed change to the at least one persistent object, wherein the execution occurred in response to a set of change authorization policies indicating that the at least one change request was authorized.
  - 32. The host of claim 28, wherein the user-readable data indicates whether the one or more discrepancies include a change request that was executed resulting in a deployed change to one of the persistent objects.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
McAfee, LLC
Original Assignee
McAfee, Inc. (McAfee, LLC)
Inventors
Roy-Chowdhury, Rahul, Sebes, E. John, Vaishnav, Jay
Primary Examiner(s)
Song, Hosuk

Application Number

US12/640,098
Publication Number

US 20100100970A1
Time in Patent Office

957 Days
Field of Search

726 1- 7, 726 26- 30, 713165-167
US Class Current

726/26
CPC Class Codes

G06F 21/55   Detecting local intrusion o...

G06F 21/57   Certifying or maintaining t...

G06F 2221/2101   Auditing as a secondary aspect

G06F 8/65   Updates security arrangemen...

G06F 8/70   Software maintenance or man...

G06F 8/71   Version control security ar...

G06Q 10/06   Resources, workflows, human...

H04L 63/102   Entity profiles

H04L 67/34   involving the movement of s...

H04L 67/55   Push-based network services

Enforcing alignment of approved changes and deployed changes in the software change life-cycle

First Claim

11 Assignments

0 Petitions

Accused Products

Abstract

Citations

34 Claims

Specification

Solutions

Use Cases

Quick Links

Enforcing alignment of approved changes and deployed changes in the software change life-cycle

First Claim

11 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

34 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links