Methods and systems for providing feedback and suggested programming methods

US 9,286,063 B2
Filed: 02/19/2013
Issued: 03/15/2016
Est. Priority Date: 02/22/2012
Status: Active Grant

First Claim

Patent Images

1. A software security assessment platform, comprising:

a communications server, which in operation, receives technical characteristics of a target software application and business context information relating to the target software application;

an analysis engine, which in operation;

examines code of the target software application received and generates a model of the software application, the model containing control-flow and data-flow graphs of the software application;

identifies specific application security best practices that are applicable to the target software application;

identifies locations in the code of the target application, the locations being based on, at least in part, the control and data flow of the code contained in the model, and the locations indicating where code segments according to the identified best practices ought to be implemented, anddetermines for each of the locations whether the code segments according to the relevant best practices appear to have been implemented;

determines at each of the locations whether the relevant best practices appear to have been implemented correctly and to what extent they have been implemented incompletely or incorrectly; and

provides mixed positive and negative feedback to a developer for locations where it appears that the developer attempted to implement a certain best practice, and the implementation is correct, incomplete, or incorrect, excluding at least one location where a best practice is attempted but need not be implemented.

View all claims

5 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

The techniques and supporting systems described herein provide a comprehensive and customizable approach to identifying the use of best practices during the design and development of software applications, as well as recommending additional enhancements or courses of action that may be implemented to further improve the application. Target software application code is received specific application security best practices applicable to the target software application are identified. Locations in the code where the various best practices ought to be implemented are then identified, and a determination is made whether the relevant best practices are implemented for each location. Finally, positive feedback is provided to the developers for what appears to be their correct implementation of best practices.

130 Citations

34 Claims

1. A software security assessment platform, comprising:
- a communications server, which in operation, receives technical characteristics of a target software application and business context information relating to the target software application;
  
  an analysis engine, which in operation;
  
  examines code of the target software application received and generates a model of the software application, the model containing control-flow and data-flow graphs of the software application;
  
  identifies specific application security best practices that are applicable to the target software application;
  
  identifies locations in the code of the target application, the locations being based on, at least in part, the control and data flow of the code contained in the model, and the locations indicating where code segments according to the identified best practices ought to be implemented, anddetermines for each of the locations whether the code segments according to the relevant best practices appear to have been implemented;
  
  determines at each of the locations whether the relevant best practices appear to have been implemented correctly and to what extent they have been implemented incompletely or incorrectly; and
  
  provides mixed positive and negative feedback to a developer for locations where it appears that the developer attempted to implement a certain best practice, and the implementation is correct, incomplete, or incorrect, excluding at least one location where a best practice is attempted but need not be implemented.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16, 17)
- - 2. The platform of claim 1 further comprising a dynamic analysis engine that executes the target software application in a manner that mirrors or emulates the runtime environment in which it operates.
  - 3. The platform of claim 1 further comprising a static analysis engine that receives a binary or bytecode version of the target software application as input and creates a high-level semantic model of the application containing control-flow and data-flow graphs of the application for analysis.
  - 4. The platform of claim 1 further comprising a pen testing engine that performs penetration testing of the target software application.
  - 5. The platform of claim 1 further comprising a manual code review module that receives input from manual review processes including a human operator visually reviewing the code of the target software application to determine if proper coding form and standards have been followed, and looking for “
    - extra”
      
      functions often left in the application.
  - 6. The platform of claim 1 further comprising a benchmarking and reporting module that compares assessment results among applications, developers, teams and/or organizations.
  - 7. The platform of claim 1 further comprising a digital rights management engine that applies a digital rights management process against application assessment input data, thereby limiting distribution and use of the vulnerability test results to specified users.
  - 8. The platform of claim 1 wherein the analysis engine provides mixed positive and negative feedback to the developers for locations where it appears that the developers attempted to implement a certain best practice, but the implementation is incomplete or incorrect.
  - 9. The platform of claim 1 wherein the analysis engine examines the target software application through parsing of one or more of the source code, the compiled bytecode, and binary executable code of the target software application.
  - 10. The platform of claim 1 wherein the analysis engine maps the best practices that are applicable to the target software application as a series of IF-THEN rules, wherein the rules are applied in a “
    - forward-chaining”
      
      approach, a hierarchical approach, or a multi-path approach such that the applicability of certain rules is dependent upon the evaluation of other higher-order rules.
  - 11. The platform of claim 1 wherein the analysis engine identifies locations in the code of the target application where the identified best practices ought to be implemented by using a series of pattern-matching rules.
  - 12. The platform of claim 1 wherein the analysis engine determines at each of the locations whether the relevant best practices appear to have been implemented by scanning the code of the target software application for the presence of cleanser functions.
  - 13. The platform of claim 1 wherein the analysis engine determines at each of the locations to what extent the relevant best practices have been implemented incompletely or incorrectly by scanning the code of the target software application for common errors of correctness or completeness.
  - 14. The platform of claim 1 wherein the analysis engine provides positive feedback to developers of the target software application by flagging the implementation of the best practices based on whether or not implementation errors are detected.
  - 15. The platform of claim 1 wherein the analysis engine provides mixed positive and negative feedback to the developers for locations where it appears that the developers attempted to implement a certain best practice, but the implementation of the best practice is either incomplete or incorrect.
  - 16. The platform of claim 1 wherein the analysis engine does not provide positive feedback in situations where there is no need for implementation of a “
    - best practice”
      
      .
  - 17. The platform of claim 1 wherein the analysis engine does not provide any feedback if there is no actual security threat in a particular area of the code regardless of what the developer has implemented.

18. A method for software security assessment, comprising:
- receiving technical characteristics of a target software application and business context information relating to the target software application;
  
  examining code of the target software application received and generating a model of the software application, the model containing control-flow and data-flow graphs of the software application;
  
  identifying locations in the code of the target application, the locations being based on, at least in part, the control and data flow of the code contained in the model, and the locations indicating where code segments according to the identified best practices ought to be implemented anddetermining for each of the locations whether the code segment according to the relevant best practices appear to have been implemented;
  
  determining at each of the locations whether the relevant best practices appear to have been implemented correctly and to what extent they have been implemented incompletely or incorrectly; and
  
  providing mixed positive and negative feedback to a developer for locations where it appears that the developer attempted to implement a certain best practice, and the implementation is correct, incomplete, or incorrect, excluding at least one location where a best practice is attempted but need not be implemented.
- View Dependent Claims (19, 20, 21, 22, 23, 24, 25, 26, 27, 28, 29, 30, 31, 32, 33, 34)
- - 19. The method of claim 18 further comprising executing the target software application in a manner that mirrors or emulates the runtime environment in which it operates.
  - 20. The method of claim 18 further comprising receiving a binary or bytecode version of the target software application as input and creating a high-level semantic model of the application containing control-flow and data-flow graphs of the application for analysis.
  - 21. The method of claim 18 further comprising performing penetration testing of the target software application.
  - 22. The method of claim 18 further comprising receiving input from manual review processes including a human operator visually reviewing the code of the target software application to determine if proper coding form and standards have been followed, and looking for “
    - extra”
      
      functions often left in the application.
  - 23. The method of claim 18 further comprising comparing assessment results among applications, developers, teams and/or organizations.
  - 24. The method of claim 18 further comprising applying a digital rights management process against application assessment input data, thereby limiting distribution and use of the vulnerability test results to specified users.
  - 25. The method of claim 18 further comprising providing mixed positive and negative feedback to the developers for locations where it appears that the developers attempted to implement a certain best practice, but the implementation is incomplete or incorrect.
  - 26. The method of claim 18 further comprising examining the target software application through parsing of one or more of the source code, the compiled bytecode, and binary executable code of the target software application.
  - 27. The method of claim 18 further comprising mapping the best practices that are applicable to the target software application as a series of IF-THEN rules, wherein the rules are applied in a “
    - forward-chaining”
      
      approach, a hierarchical approach, or a multi-path approach such that the applicability of certain rules is dependent upon the evaluation of other higher-order rules.
  - 28. The method of claim 18 further comprising identifying locations in the code of the target application where the identified best practices ought to be implemented by using a series of pattern-matching rules.
  - 29. The method of claim 18 further comprising determining at each of the locations whether the relevant best practices appear to have been implemented by scanning the code of the target software application for the presence of cleanser functions.
  - 30. The method of claim 18 further comprising determining at each of the locations to what extent the relevant best practices have been implemented incompletely or incorrectly by scanning the code of the target software application for common errors of correctness or completeness.
  - 31. The method of claim 18 further comprising providing positive feedback to developers of the target software application by flagging the implementation of the best practices based on whether or not implementation errors are detected.
  - 32. The method of claim 18 further comprising providing mixed positive and negative feedback to the developers for locations where it appears that the developers attempted to implement a certain best practice, but the implementation of the best practice is either incomplete or incorrect.
  - 33. The method of claim 18 further comprising not providing positive feedback in situations where there is no need for implementation of a “
    - best practice”
      
      .
  - 34. The method of claim 18 further comprising not providing any feedback if there is no actual security threat in a particular area of the code regardless of what the developer has implemented.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Veracode Incorporated (Broadcom, Inc.)
Original Assignee
Veracode Incorporated (Broadcom, Inc.)
Inventors
Kriegsman, Mark, Black, Brian
Primary Examiner(s)
Zhen, Wei
Assistant Examiner(s)
MORSHED, HOSSAIN M

Application Number

US13/770,487
Publication Number

US 20130227516A1
Time in Patent Office

1,120 Days
Field of Search

None
US Class Current

1/1
CPC Class Codes

G06F 11/3604   Software analysis for verif...

G06F 11/3668   Software testing software t...

G06F 8/75   Structural analysis for pro...

G06F 8/77   Software metrics

Methods and systems for providing feedback and suggested programming methods

First Claim

5 Assignments

0 Petitions

Accused Products

Abstract

130 Citations

34 Claims

Specification

Solutions

Use Cases

Quick Links

Methods and systems for providing feedback and suggested programming methods

First Claim

5 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

130 Citations

34 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links