Device and method for remediating vulnerabilities

US 9,256,746 B2
Filed: 12/14/2012
Issued: 02/09/2016
Est. Priority Date: 12/14/2012
Status: Active Grant

First Claim

Patent Images

1. A computer-implemented method, comprising:

receiving, by a computer, data describing a first software component used by a software product;

receiving, by the computer, vulnerability data describing first and second vulnerabilities in the first software component;

calculating, by the computer, a vulnerability score for the software product, based upon the vulnerability data for the first software component;

receiving, by the computer, an updated status of the first and second vulnerabilities in the first software component, wherein receiving the updated status includes receiving an approved waiver of the first vulnerability in the first software component and wherein the updated status reflects that the second vulnerability has been remediated by patching or revising the software component or the software product;

receiving, by the computer, an update indicating that a second software component is no longer used by the software product;

recalculating, by the computer, the vulnerability score for the software product based upon the updated status of the first and second vulnerabilities and based upon the update that the second software component is no longer used by the software product; and

presenting, by the computer, the recalculated vulnerability score for the software product to a display device to a user.

View all claims

2 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Exemplary methods, apparatuses, and systems receive data describing a first software component used by a software product and vulnerability data describing a vulnerability in the first software component. A vulnerability score is calculated for the software product based upon the vulnerability data for the first software component. The vulnerability score is recalculated for the software product based upon receiving an updated status of the vulnerability in the first software component from bug tracking software, a waiver of the vulnerability of a software component, the addition of another software component, or another update to the software product or component(s). The task of remediation of the vulnerability in the first software component can be assigned to a user and tracked. A user interface is provided to enable users to monitor the vulnerabilities of software products or components.

Citations

16 Claims

1. A computer-implemented method, comprising:
- receiving, by a computer, data describing a first software component used by a software product;
  
  receiving, by the computer, vulnerability data describing first and second vulnerabilities in the first software component;
  
  calculating, by the computer, a vulnerability score for the software product, based upon the vulnerability data for the first software component;
  
  receiving, by the computer, an updated status of the first and second vulnerabilities in the first software component, wherein receiving the updated status includes receiving an approved waiver of the first vulnerability in the first software component and wherein the updated status reflects that the second vulnerability has been remediated by patching or revising the software component or the software product;
  
  receiving, by the computer, an update indicating that a second software component is no longer used by the software product;
  
  recalculating, by the computer, the vulnerability score for the software product based upon the updated status of the first and second vulnerabilities and based upon the update that the second software component is no longer used by the software product; and
  
  presenting, by the computer, the recalculated vulnerability score for the software product to a display device to a user.
- View Dependent Claims (2, 3, 4, 5, 6, 7)
- - 2. The computer-implemented method of claim 1, further comprising:
    - assigning, by the computer, a task of remediation of the second vulnerability in the first software component to a user; and
      
      tracking a status of the assigned remediation.
  - 3. The computer-implemented method of claim 1, further comprising:
    - associating, by the computer, the first or second vulnerability in the first software component with a bug in the bug tracking software.
  - 4. The computer-implemented method of claim 1, further comprising:
    - mapping, by the computer, the first vulnerability in the first software component to a vulnerability identifier, the vulnerability identifier being part of the vulnerability data.
  - 5. The computer-implemented method of claim 1, further comprising:
    - presenting, by the computer, a recommended alternative to the first software component based upon the vulnerability data describing the first and second vulnerabilities in the first software component.
  - 6. The computer-implemented method of claim 1, further comprising:
    - generating, by the computer, a notification if the vulnerability score for the software product exceeds a threshold value.
  - 7. The computer-implemented method of claim 1, further comprising:
    - receiving, by the computer, input from the user to follow the software product; and
      
      presenting, by the computer, data for the software product to the user, including the vulnerability score for the software product, in response to a request from the user to view software products followed by the user.

8. A non-transitory computer-readable medium storing instructions, which when executed by a processing device, cause the processing device to perform method comprising:
- receiving, by a computer, data describing a first software component used by a software product;
  
  receiving, by the computer, vulnerability data describing first and second vulnerabilities in the first software component;
  
  calculating, by the computer, a vulnerability score for the software product, based upon the vulnerability data for the first software component;
  
  receiving, by the computer, an updated status of the first and second vulnerabilities in the first software component, wherein receiving the updated status includes receiving an approved waiver of the first vulnerability in the first software component and wherein the updated status reflects that the second vulnerability has been remediated by patching or revising the software component or the software product;
  
  receiving, by the computer, an update indicating that a second software component is no longer used by the software product;
  
  recalculating, by the computer, the vulnerability score for the software product based upon the updated status of the first and second vulnerabilities and based upon the update that the second software component is no longer used by the software product; and
  
  presenting, by the computer, the recalculated vulnerability score for the software product to a display device to a user.
- View Dependent Claims (9, 10, 11, 12, 13, 14)
- - 9. The non-transitory computer-readable medium of claim 8, the method further comprising:
    - assigning a task of remediation of the second vulnerability in the first software component to a user; and
      
      tracking a status of the assigned remediation.
  - 10. The non-transitory computer-readable medium of claim 8, the method further comprising:
    - associating the first or second vulnerability in the first software component with a bug in the bug tracking software.
  - 11. The non-transitory computer-readable medium of claim 9, the method further comprising:
    - mapping the first vulnerability in the first software component to a vulnerability identifier, the vulnerability identifier being part of the vulnerability data.
  - 12. The non-transitory computer-readable medium of claim 9, the method further comprising:
    - presenting a recommended alternative to the first software component based upon the vulnerability data describing the vulnerability in the first software component.
  - 13. The non-transitory computer-readable medium of claim 9, the method further comprising:
    - generating a notification if the vulnerability score for the software product exceeds a threshold value.
  - 14. The non-transitory computer-readable medium of claim 9, the method further comprising:
    - receiving input from the user to follow the software product; and
      
      presenting data for the software product to the user, including the vulnerability score for the software product, in response to a request from the user to view software products followed by the user.

15. An apparatus comprising:
- a processing device; and
  
  a memory coupled to the processing device, the memory storing instructions which, when executed by the processing device, cause the apparatus to;
  
  receive data describing a software component used by a software product;
  
  receive vulnerability data describing first and second vulnerabilities in the software component;
  
  calculate a vulnerability score for the software product based upon the vulnerability data for the software component;
  
  receive an updated status of the first and second vulnerabilities in the first software component, wherein receiving the updated status includes receiving an approved waiver of the first vulnerability in the first software component and wherein the updated status reflects that the second vulnerability has been remediated by patching or revising the software component or the software product;
  
  receive an update indicating that a second software component is no longer used by the software product;
  
  recalculate the vulnerability score for the software product based upon the updated status of the first and second vulnerabilities and based upon the update that the second software component is no longer used by the software product; and
  
  present the recalculated vulnerability score for the software product to a display device to a user.
- View Dependent Claims (16)
- - 16. The apparatus of claim 15, wherein the execution of the instructions by the processing device further causes the apparatus to:
    - assign a task of remediation of the second vulnerability in the first software component to a user; and
      
      track a status of the assigned remediation.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Vmware LLC (Broadcom, Inc.)
Original Assignee
VMware, Inc. (Broadcom, Inc.)
Inventors
Toback, Michael Ira, Ferguson, David, Hernandez-Villavicencio, Maria del Carmen, Liu, Wenfeng, Ijzerman, Monty
Primary Examiner(s)
Armouche, Hadi
Assistant Examiner(s)
Khan, Sher A

Application Number

US13/716,038
Publication Number

US 20140173737A1
Time in Patent Office

1,152 Days
Field of Search

726 22- 25
US Class Current

1/1
CPC Class Codes

G06F 21/57 Certifying or maintaining t...

G06F 21/577 Assessing vulnerabilities a...

Device and method for remediating vulnerabilities

First Claim

2 Assignments

0 Petitions

Accused Products

Abstract

Citations

16 Claims

Specification

Solutions

Use Cases

Quick Links

Device and method for remediating vulnerabilities

First Claim

2 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

16 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links