Pattern tracking and capturing human insight in a web application security scanner

US 8,789,187 B1
Filed: 09/28/2007
Issued: 07/22/2014
Est. Priority Date: 09/28/2006
Status: Active Grant

First Claim

Patent Images

1. A method of managing vulnerability testing of a web application, the method comprising:

running a set of one or more scripted tests against a web application using a computer processor;

recording results of the one or more scripted tests;

providing an interface for a human evaluator to review the recorded results; and

accepting from the human evaluator custom test parameters for a custom test record, wherein the custom test record includes indications of the custom test parameters for a custom test associated with the custom test record, and wherein at least some of the custom test parameters are based on observations of the recorded results, the custom test record including at least one context related to the recorded results and usable by a future tester in deciding whether to run the custom test, and also including a pattern in the web application recognized by the human evaluator and based on observations of the recorded results;

automatically running a second scripted test against the web application or another web application using a computer processor, the second scripted test including a plurality of requests for service from the web application or the other web application, wherein running the second scripted test includes communicating at least one of the requests for service to the web application or the other web application; and

comparing the at least one of request for service communicated to the web application or other web application to one or more of the custom test records previously created, wherein comparing comprises at least comparing the pattern included in the custom test parameters to determine whether or not the at least one request communicated to the web application or other web application matches the pattern of one or more of the custom tests.

View all claims

10 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

An apparatus and method of managing vulnerability testing of a web application is provided for running a set of one or more scripted tests against a web application, recording results of the one or more scripted tests, providing an interface for a human evaluator to review the recorded results, and accepting from the human evaluator custom test parameters based on observations of the recorded results, wherein custom test parameters include at least one context usable by a future tester in deciding whether to run the custom test, and also includes at least one instruction for automatically running custom test steps of the custom test.

Citations

26 Claims

1. A method of managing vulnerability testing of a web application, the method comprising:
- running a set of one or more scripted tests against a web application using a computer processor;
  
  recording results of the one or more scripted tests;
  
  providing an interface for a human evaluator to review the recorded results; and
  
  accepting from the human evaluator custom test parameters for a custom test record, wherein the custom test record includes indications of the custom test parameters for a custom test associated with the custom test record, and wherein at least some of the custom test parameters are based on observations of the recorded results, the custom test record including at least one context related to the recorded results and usable by a future tester in deciding whether to run the custom test, and also including a pattern in the web application recognized by the human evaluator and based on observations of the recorded results;
  
  automatically running a second scripted test against the web application or another web application using a computer processor, the second scripted test including a plurality of requests for service from the web application or the other web application, wherein running the second scripted test includes communicating at least one of the requests for service to the web application or the other web application; and
  
  comparing the at least one of request for service communicated to the web application or other web application to one or more of the custom test records previously created, wherein comparing comprises at least comparing the pattern included in the custom test parameters to determine whether or not the at least one request communicated to the web application or other web application matches the pattern of one or more of the custom tests.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12)
- - 2. The method of claim 1, wherein the custom test parameters include an indication of which web applications to run the custom test against or which class of web applications to run the custom test against.
  - 3. The method of claim 1, further comprising:
    - checking previously created custom tests for relevancy; and
      
      discarding irrelevant custom tests.
  - 4. The method of claim 1, wherein at least some of the observations used by the human evaluator to decide to generate the custom test are stored in a context of the custom test.
  - 5. The method of claim 1, further comprising presenting the at least one context included in the custom test parameters to the future tester if it is determined that there is a match between the at least one request communicated to the web application or other web application and the pattern included in the custom test parameters.
  - 6. The method of claim 1, wherein the recorded results include an expression, and the custom test parameters include the same expression as the recorded results.
  - 7. The method of claim 1, further comprising running the custom test if it is determined that there is a match between the at least one request communicated to the web application or other web application and the pattern included in the custom test parameters.
  - 8. The method of claim 1, wherein the at least one context is related to indicators of potential weaknesses of the web application.
  - 9. The method of claim 1, further comprising accepting from the human evaluator a test script for the custom test.
  - 10. The method of claim 1, wherein the custom test parameters further include at least one instruction for running custom test steps of the custom test.
  - 11. The method of claim 1, wherein the pattern in the web application is recognized as leading to a potential security vulnerability that may not be readily apparent to subsequent testers.
  - 12. The method of claim 1, wherein the custom test parameters include a plurality of patterns obtained as a result of running and recording the results of a plurality of scripted tests, and the method further comprises comparing the at least one request for service communicated to the web application or other web application to the plurality of patterns to determine whether or not the at least one request communicated to the web application or other web application matches at least one of the plurality of patterns.

13. A computing device for managing vulnerability testing of a web application, the computing device comprising:
- a computer processor configured to read machine-readable instructions from a tangible, non-transitory computer-readable medium, the machine-readable instructions comprising;
  
  program code for running a set of one or more scripted tests against a web application;
  
  program code for recording results of the one or more scripted tests;
  
  program code for providing an interface for a human evaluator to review the recorded results; and
  
  program code for accepting from the human evaluator custom test parameters for a custom test record, wherein the custom test record includes indications of the custom test parameters for a custom test associated with the custom test record, and wherein at least some of the custom test parameters are based on observations of the recorded results, the custom test record including at least one context related to the recorded results and usable by a future tester in deciding whether to run the custom test, and also including a pattern in the web application recognized by the human evaluator and based on observations of the recorded results;
  
  program code for automatically running a second scripted test against the web application or another web application using a computer processor, the second scripted test including a plurality of requests for service from the web application or the other web application, wherein running the second scripted test includes communicating at least one of the requests for service to the web application or the other web application; and
  
  program code for comparing the at least one request for service communicated to the web application or other web application to one or more of the custom test records previously created, wherein comparing comprises at least comparing the pattern included in the custom test parameters to determine whether or not the at least one request communicated to the web application or other web application matches the pattern of one or more of the custom tests.
- View Dependent Claims (14, 15, 16, 17, 18, 19)
- - 14. The computing device of claim 13, wherein the custom test parameters include an indication of which web applications to run the custom test against or which class of web applications to run the custom test against.
  - 15. The computing device of claim 13, wherein the machine-readable instructions further comprise:
    - program code for checking previously created custom tests for relevancy; and
      
      program code for discarding irrelevant custom tests.
  - 16. The computing device of claim 13, wherein at least some of the observations used by the human evaluator to decide to generate the custom test are stored in a context of the custom test.
  - 17. The computing device of claim 13, wherein the machine-readable instructions further comprise:
    - program code for presenting the at least one context included in the custom test parameters to the future tester if it is determined that there is a match between the at least one request communicated to the web application or other web application and the pattern included in the custom test parameters.
  - 18. The computing device of claim 13, wherein the recorded results include an expression, and the custom test parameters include the same expression as the recorded results.
  - 19. The computing device of claim 13, wherein the machine-readable instructions further comprise program code for running the custom test if it is determined that there is a match between the at least one request communicated to the web application or other web application and the pattern included in the custom test parameters.

20. A non-transitory computer-readable medium tangibly embodying a program of machine-readable instructions executable by a digital processing apparatus having stored thereon instructions configured to manage vulnerability testing of a web application, the computer-readable medium being electronically readable, comprising:
- program code for running a set of one or more scripted tests against a web application;
  
  program code for recording results of the one or more scripted tests;
  
  program code for providing an interface for a human evaluator to review the recorded results; and
  
  program code for accepting from the human evaluator custom test parameters for a custom test record, wherein the custom test record includes indications of the custom test parameters for a custom test associated with the custom test record, and wherein at least some of the custom test parameters are based on observations of the recorded results the custom test record including at least one context related to the recorded results and usable by a future tester in deciding whether to run the custom test, and also including a pattern in the web application recognized by the human evaluator and based on observations of the recorded results;
  
  program code for automatically running a second scripted test against the web application or another web application using a computer processor, the second scripted test including a plurality of requests for service from the web application or the other web application, wherein running the second scripted test includes communicating at least one of the requests for service to the web application or the other web application; and
  
  program code for comparing the at least one request for service communicated to the web application or other web application to one or more of the custom test records previously created, wherein comparing comprises at least comparing the pattern included in the custom test parameters to determine whether or not the at least one request communicated to the web application or other web application matches the pattern of one or more of the custom tests.
- View Dependent Claims (21, 22, 23, 24, 25, 26)
- - 21. The computer-readable medium of claim 20, wherein the custom test parameters include an indication of which web applications to run the custom test against or which class of web applications to run the custom test against.
  - 22. The computer-readable medium of claim 20, further comprising:
    - program code for checking previously created custom tests for relevancy; and
      
      program code for discarding irrelevant custom tests.
  - 23. The computer-readable medium of claim 20, wherein at least some of the observations used by the human evaluator to decide to generate the custom test are stored in a context of the custom test.
  - 24. The computer-readable medium of claim 20, further comprising:
    - program code for presenting the at least one context included in the custom test parameters to the future tester if it is determined that there is a match between the at least one request communicated to the web application or other web application and the pattern included in the custom test parameters.
  - 25. The computer-readable medium of claim 20, wherein the recorded results include an expression, and the custom test parameters include the same expression as the recorded results.
  - 26. The computer-readable medium of claim 20, further comprising program code for running the custom test if it is determined that there is a match between the at least one request communicated to the web application or other web application and the pattern included in the custom test parameters.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Black Duck Software, Inc. (Synopsys Incorporated)
Original Assignee
Whitehat Security Incorporated (Synopsys Incorporated)
Inventors
Pennington, William, Grossman, Jeremiah, Stone, Robert, Pazirandeh, Siamak
Primary Examiner(s)
Shiferaw, Eleni
Assistant Examiner(s)
Branske, Hilary

Application Number

US11/864,787
Time in Patent Office

2,489 Days
Field of Search

726/22, 726/23, 726/24, 726/25, 726/26, 714/25, 714/32, 714/33, 714/45, 714/46
US Class Current

726/25
CPC Class Codes

G06F 11/263   Generation of test inputs, ...

G06F 11/3672   Test management

G06F 11/3688   for test execution, e.g. sc...

G06F 21/577   Assessing vulnerabilities a...

Pattern tracking and capturing human insight in a web application security scanner

First Claim

10 Assignments

0 Petitions

Accused Products

Abstract

Citations

26 Claims

Specification

Solutions

Use Cases

Quick Links

Pattern tracking and capturing human insight in a web application security scanner

First Claim

10 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

26 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links