Methods and systems for providing feedback and suggested programming methods
Abstract
The techniques and supporting systems described herein provide a comprehensive and customizable approach to identifying the use of best practices during the design and development of software applications, as well as recommending additional enhancements or courses of action that may be implemented to further improve the application. Target software application code is received, and specific application security best practices applicable to the target software application are identified. Locations in the code where the various best practices ought to be implemented are then identified, and a determination is made whether the relevant best practices are implemented for each location. Finally, positive feedback is provided to the developers for what appears to be their correct implementation of best practices.
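The flow the abstract describes (locate where a best practice applies, judge how well it was implemented, report both good and bad results) can be sketched as follows. This is an added illustration, not the patented implementation: it assumes a hypothetical `render()` HTML sink, `request.args.get` as the untrusted source, `html.escape` as the best practice, and straight-line code with direct assignments only.

```python
import ast

# Constructed sample application code (not from the patent); parsed, never executed.
SAMPLE = '''
def profile(request):
    name = request.args.get("name")
    safe = html.escape(name)
    render(safe)
def search(request):
    q = request.args.get("q")
    part = html.escape(q, quote=False)
    render(part)
def comment(request):
    body = request.args.get("body")
    render(body)
def banner(request):
    title = html.escape("Welcome")
    render(title)
'''

def call_name(node):
    return ast.unparse(node.func) if isinstance(node, ast.Call) else ""

def assess(source):
    """Return {(function, line): verdict} for every render() sink location."""
    findings = {}
    for fn in [n for n in ast.parse(source).body if isinstance(n, ast.FunctionDef)]:
        state = {}  # variable -> data-flow fact gathered so far
        for stmt in fn.body:
            if isinstance(stmt, ast.Assign):
                tgt, val = stmt.targets[0].id, stmt.value
                if call_name(val) == "request.args.get":      # untrusted source
                    state[tgt] = "tainted"
                elif call_name(val) == "html.escape":          # practice attempted
                    arg = val.args[0]
                    src = state.get(arg.id) if isinstance(arg, ast.Name) else None
                    # Assumption: quote=False counts as incomplete (quotes stay raw)
                    weak = any(k.arg == "quote" and isinstance(k.value, ast.Constant)
                               and k.value.value is False for k in val.keywords)
                    state[tgt] = ("unneeded" if src != "tainted"
                                  else "incomplete" if weak else "correct")
            elif isinstance(stmt, ast.Expr) and call_name(stmt.value) == "render":
                arg = stmt.value.args[0]
                st = state.get(arg.id) if isinstance(arg, ast.Name) else None
                verdict = {"tainted": "missing", None: "unneeded"}.get(st, st)
                findings[(fn.name, stmt.lineno)] = verdict
    return findings

def feedback(findings):
    # Mixed feedback: "+" for correct, "-" otherwise; unneeded locations are excluded.
    return {loc: ("+" if v == "correct" else "-", v)
            for loc, v in findings.items() if v != "unneeded"}
```
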
34 Claims
1. A software security assessment platform, comprising:
- a communications server, which in operation, receives technical characteristics of a target software application and business context information relating to the target software application;
- an analysis engine, which in operation;
  - examines code of the target software application received and generates a model of the software application, the model containing control-flow and data-flow graphs of the software application;
  - identifies specific application security best practices that are applicable to the target software application;
  - identifies locations in the code of the target application, the locations being based on, at least in part, the control and data flow of the code contained in the model, and the locations indicating where code segments according to the identified best practices ought to be implemented, and determines for each of the locations whether the code segments according to the relevant best practices appear to have been implemented;
  - determines at each of the locations whether the relevant best practices appear to have been implemented correctly and to what extent they have been implemented incompletely or incorrectly; and
  - provides mixed positive and negative feedback to a developer for locations where it appears that the developer attempted to implement a certain best practice, and the implementation is correct, incomplete, or incorrect, excluding at least one location where a best practice is attempted but need not be implemented.

Dependent claims: 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16, 17
18. A method for software security assessment, comprising:
- receiving technical characteristics of a target software application and business context information relating to the target software application;
- examining code of the target software application received and generating a model of the software application, the model containing control-flow and data-flow graphs of the software application;
- identifying locations in the code of the target application, the locations being based on, at least in part, the control and data flow of the code contained in the model, and the locations indicating where code segments according to the identified best practices ought to be implemented and determining for each of the locations whether the code segment according to the relevant best practices appear to have been implemented;
- determining at each of the locations whether the relevant best practices appear to have been implemented correctly and to what extent they have been implemented incompletely or incorrectly; and
- providing mixed positive and negative feedback to a developer for locations where it appears that the developer attempted to implement a certain best practice, and the implementation is correct, incomplete, or incorrect, excluding at least one location where a best practice is attempted but need not be implemented.

Dependent claims: 19, 20, 21, 22, 23, 24, 25, 26, 27, 28, 29, 30, 31, 32, 33, 34
Specification