Apparatuses, methods and systems of an application security management platform

US 8,495,746 B2
Filed: 12/18/2009
Issued: 07/23/2013
Est. Priority Date: 12/18/2009
Status: Active Grant

First Claim

Patent Images

1. A processor-enabled method, comprising:

obtaining application security data from a plurality of data sources;

identifying at least one intake question form based on the at least one application;

associating the obtained data with at least one application;

generating via a processor a risk factor matrix for the at least one application based on the obtained data and the at least one intake question form, wherein the at least one intake question form is a risk factor intake form and the generating comprises;

retrieving the risk factor intake form from a database, the risk factor intake form comprising a plurality of risk factor questions,obtaining an answer, based on the obtained data, associated with each of the plurality of risk factor questions,converting the answer associated with each of the plurality of risk factor questions to a numerical score, andgenerating an entry of the risk factor matrix based on the risk factor question and the associated numerical score; and

evaluating the at least one application based on the generated risk factor matrix.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

This disclosure details the implementation of apparatuses, methods and systems of an application security management platform (hereinafter, “ASMP”). ASMP systems may, in one embodiment, implement a live platform on a computerized system, whereby the platform may receive security data associated with a running application from multiple security tacking systems, evaluate the security performance of the application, generate an application security summary report for review and manage review processes for security professionals.

107 Citations

21 Claims

1. A processor-enabled method, comprising:
- obtaining application security data from a plurality of data sources;
  
  identifying at least one intake question form based on the at least one application;
  
  associating the obtained data with at least one application;
  
  generating via a processor a risk factor matrix for the at least one application based on the obtained data and the at least one intake question form, wherein the at least one intake question form is a risk factor intake form and the generating comprises;
  
  retrieving the risk factor intake form from a database, the risk factor intake form comprising a plurality of risk factor questions,obtaining an answer, based on the obtained data, associated with each of the plurality of risk factor questions,converting the answer associated with each of the plurality of risk factor questions to a numerical score, andgenerating an entry of the risk factor matrix based on the risk factor question and the associated numerical score; and
  
  evaluating the at least one application based on the generated risk factor matrix.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13)
- - 2. The method of claim 1, wherein the plurality of data sources comprise an asset security tracking system.
  - 3. The method of claim 1, wherein the application security data comprises application information, application security information and application trustee information.
  - 4. The method of claim 1, wherein obtaining application security data from a plurality of data sources comprises:
    - sending an access request to the plurality of data sources;
      
      if at least one of the plurality of data sources is available, receiving application security data from the at least one of the plurality of data sources, and updating a local cached copy of application security data in a database; and
      
      for those of the plurality of data sources that are not available to respond to the access request, retrieving the local cached copy of application security data corresponding to unavailable data sources from the database.
  - 5. The method of claim 4 further comprising periodically synchronizing the local cached copy of application security data in the database with the plurality of data sources, wherein the period may be predefined by a user.
  - 6. The method of claim 1, wherein associating the obtained data with at least one application further comprises automatic cross-check of overlapped data from different data sources via a processor.
  - 7. The method of claim 6, wherein the cross-check comprises:
    - retrieving at least one agreement rule from a database;
      
      applying the at least one agreement rule to the overlapped data from different data sources; and
      
      determining values of the overlapped data based on one of the different data sources.
  - 8. The method of claim 7, wherein the at least one agreement rule is predefined.
  - 9. The method of claim 1, wherein generating a risk factor matrix for the at least one application based on the obtained data further comprises:
    - displaying the plurality of risk factor questions via a user interface to at least one user; and
      
      receiving the answer to each of the plurality of risk factor questions from the at least one user.
  - 10. The method of claim 9 further comprising generating a risk factor intake form for the at least one application if there does not exist a stored risk factor intake form associated with the at least one application.
  - 11. The method of claim 10, wherein generating a risk factor intake form comprises:
    - assessing a plurality of components of the at least one application;
      
      determining a plurality of security evaluation criteria associated with the at least one application based on the assessment;
      
      determining a weighing factor associated with each security evaluation criterion;
      
      generating a risk factor intake form containing a plurality of risk factor questions based on the determined plurality of security evaluation criteria; and
      
      associating the generated risk factor intake form with a type of the at least one application.
  - 12. The method of claim 10 further comprising:
    - receiving assessment data of the at least one application via a user interface from a user; and
      
      receiving a plurality of security evaluation criteria associated with the at least one application via a user interface from a user.
  - 13. The method of claim 1, wherein identifying at least one intake question form based on the at least one application further comprises:
    - identifying an application type based on the at least one application; and
      
      identifying the at least one intake question form based on the application type.

14. An apparatus, comprising:
- a processor;
  
  a memory in communication with the processor and containing program instructions;
  
  an input device and an output device both in communication with the processor and memory, said output device providing a user interface;
  
  wherein the processor executes program instructions contained in the memory and the program instructions cause the processor to;
  
  obtain application security data from a plurality of data sources;
  
  associate the obtained data with at least one application program;
  
  identify at least one intake question form based on the at least one application program;
  
  generate a risk factor matrix for the at least one application based on the obtained data and the at least one intake question form by;
  
  retrieving the risk factor intake form from a database, the risk factor intake form comprising a plurality of risk factor questions,obtaining an answer, based on the obtained data, associated with each of the plurality of risk factor questions,converting the answer associated with each of the plurality of risk factor questions to a numerical score, andgenerating an entry of the risk factor matrix based on the risk factor question and the associated numerical score;
  
  evaluate the application program based on the generated risk factor matrix; and
  
  output an application security report.

15. The apparatus of 14, wherein evaluating the at least one application based on the generated risk factor matrix comprises:
- generating a general risk score for the at least one application based on the risk factor matrix;
  
  determining a risk level associated with the at least one application based on the general risk score; and
  
  if the determined risk level is high, retrieving an action review form from a database,generating a second score of the at least one application based on the action review form,if the second score of the at least one application is lower than an action review threshold, labeling the at least one application as certified.
- View Dependent Claims (16, 17)
- - 16. The apparatus of claim 15, wherein the action review form is generated in association with the risk factor intake form.
  - 17. The apparatus of claim 15, wherein the action review threshold is predefined.

18. A non-transitory processor readable medium, comprising:
- processor readable instructions stored in the processor readable medium, wherein the processor readable instructions are executable by a processor to;
  
  obtain application security data from a plurality of data sources;
  
  associate the obtained data with at least one application program;
  
  identify at least one intake question form based on the at least one application program;
  
  generate a risk factor matrix for the application based on the obtained data and the at least one intake question form by;
  
  retrieving the risk factor intake form from a database, the risk factor intake form comprising a plurality of risk factor questions,obtaining an answer, based on the obtained data, associated with each of the plurality of risk factor questions,converting the answer associated with each of the plurality of risk factor questions to a numerical score, andgenerating an entry of the risk factor matrix based on the risk factor question and the associated numerical score; and
  
  evaluate the application program based on the generated risk factor matrix.
- View Dependent Claims (19, 20, 21)
- - 19. The medium of claim 18, wherein the processor readable instructions are further executable by the processor to:
    - generate at least one review report of the at least one application based on the risk factor matrix and the evaluation.
  - 20. The medium of claim 18, wherein the processor readable instructions are further executable by the processor to:
    - analyze a risk score trend of an application; and
      
      display the analysis to a user.
  - 21. The medium of claim 18, wherein the processor readable instructions are further executable by the processor to:
    - maintain a work queue of review tasks for a user; and
      
      display a list of review tasks in the work queue in a sequential order via a user interface to the user.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Verizon Patent and Licensing Incorporated (Verizon Communications Inc.)
Original Assignee
Verizon Patent and Licensing Incorporated (Verizon Communications Inc.)
Inventors
Fissel, Michael Scott, Hurst, Scott Allen, Grantges, David R
Primary Examiner(s)
Shan, April
Assistant Examiner(s)
Pan, Joseph

Application Number

US12/642,712
Publication Number

US 20110154498A1
Time in Patent Office

1,313 Days
Field of Search

726/2, 726 23- 25, 713/152, 709/229
US Class Current

726/25
CPC Class Codes

H04L 63/1433 Vulnerability analysis

H04L 63/20 for managing network securi...

Apparatuses, methods and systems of an application security management platform

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

107 Citations

21 Claims

Specification

Solutions

Use Cases

Quick Links

Apparatuses, methods and systems of an application security management platform

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

107 Citations

21 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links