Assessment and analysis of software security flaws

US 9,069,967 B2
Filed: 09/17/2010
Issued: 06/30/2015
Est. Priority Date: 02/16/2007
Status: Active Grant

First Claim

Patent Images

1. A computer-implemented method for providing access to security data related to a software application, the method comprising:

creating a programmatic association between the software application and results of one or more security analysis tests performed against the software application wherein the results comprise references to flaws identified in source code of the software application;

storing the results for subsequent electronic access on a data storage server comprising a security-threat database;

providing access to the software application and instructions to access limited portions of the results stored in a central database using a unique key associated with an owner of the software application and the software application such that the results, including the source code, may be reviewed on demand by a user authenticated to use the unique key.

View all claims

4 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Security analysis and vulnerability testing results are “packaged” or “bound to” the actual software it describes. By linking the results to the software itself, downstream users of the software can access information about the software, make informed decisions about implementation of the software, and analyze the security risk across an entire system by accessing all (or most) of the reports associated with the executables running on the system and summarizing the risks identified in the reports.

45 Citations

View as Search Results

19 Claims

1. A computer-implemented method for providing access to security data related to a software application, the method comprising:
- creating a programmatic association between the software application and results of one or more security analysis tests performed against the software application wherein the results comprise references to flaws identified in source code of the software application;
  
  storing the results for subsequent electronic access on a data storage server comprising a security-threat database;
  
  providing access to the software application and instructions to access limited portions of the results stored in a central database using a unique key associated with an owner of the software application and the software application such that the results, including the source code, may be reviewed on demand by a user authenticated to use the unique key.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12)
- - 2. The method of claim 1 wherein the software application comprises executable object code distributed over a network.
  - 3. The method of claim 2 wherein the results are distributed with the executable object code.
  - 4. The method of claim 3 wherein the software application comprises an application package and the results are included in the application package.
  - 5. The method of claim 1 wherein the software application comprises a web-based service accessible over a network.
  - 6. The method of claim 1 wherein the software application comprises a collection of unrelated computing functions available over the Internet.
  - 7. The method of claim 1 further comprising displaying the limited portion of the results to the user in response to a query submitted to the database.
  - 8. The method of claim 1 further comprising transmitting the limited portion of the results to the user in response to a query submitted to the database.
  - 9. The method of claim 8 further comprising encrypting portions of the results prior to transmission.
  - 10. The method of claim 1 further comprising:
    - (i) computing a hash of at least a portion of the software application;
      
      (ii) including the hash with a report comprising the results; and
      
      (iii) receiving a request from the user to view the results, the request including the hash such that the hash is used to identify and access the results.
  - 11. The method of claim 1 wherein the instructions to access a report comprising the results comprise a URL directing the user to the report.
  - 12. The method of claim 1 wherein a report comprising the results comprises an XML document, the XML document further comprising predefined tags.

13. A system for providing access to security data related to a plurality of software applications, the system comprising:
- at least one testing engine for performing a plurality of vulnerability tests on the software applications and associating results of the tests with the respective software application wherein the results comprise references to source code of the software application;
  
  a database for storing the results; and
  
  a communications server for receiving a request from a user of one of the software applications, the request including a unique key associated with an owner of the software application and the user, to access the results associated with the software application, and, based on the received request, provide the results, including the source code, associated with the software application to the user authenticated to use the unique key.
- View Dependent Claims (14, 15, 16, 17, 18, 19)
- - 14. The system of claim 13 wherein the communications server further displays the results to the users.
  - 15. The system of claim 13 wherein the software application comprises executable object code distributed over a network.
  - 16. The system of claim 13 wherein the software application comprises an application package and the results are included in the application package.
  - 17. The system of claim 13 wherein the software application comprises a web-based service accessible over a network.
  - 18. The system of claim 13 wherein the software application comprises a collection of unrelated computing functions available over the Internet.
  - 19. The system of claim 13 wherein the testing engine is further configured to compute a hash of at least a portion of the software application, and the communications server is further configured to include the hash with a report comprising the results and wherein the request includes the hash such that the hash is used to identify and access the results.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Veracode Incorporated (Broadcom, Inc.)
Original Assignee
Veracode Incorporated (Broadcom, Inc.)
Inventors
Wysopal, Christopher J., Eng, Christopher J., Moynahan, Matthew P.
Primary Examiner(s)
GOODCHILD, WILLIAM J

Application Number

US12/884,544
Publication Number

US 20110173693A1
Time in Patent Office

1,747 Days
Field of Search

726/17
US Class Current

1/1
CPC Class Codes

G06F 11/3612   by runtime analysis perform...

G06F 21/577   Assessing vulnerabilities a...

G06F 2221/033   Test or assess software

Assessment and analysis of software security flaws

First Claim

4 Assignments

0 Petitions

Accused Products

Abstract

45 Citations

19 Claims

Specification

Solutions

Use Cases

Quick Links

Assessment and analysis of software security flaws

First Claim

4 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

45 Citations

19 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links