Adapting a security tool for performing security analysis on a software application

US 9,507,940 B2
Filed: 08/10/2010
Issued: 11/29/2016
Est. Priority Date: 08/10/2010
Status: Active Grant

First Claim

Patent Images

1. A method for adapting a security tool for performing security analysis on a software application, the method comprising:

maintaining a registry of security tools comprising a plurality of registry entries, wherein each of the plurality of registry entries is associated with a particular security tool and with software component criteria;

receiving code for a software application;

comparing component criteria for each security tool against each component of the software application, wherein the component criteria for each respective security tool indicate which components of the software application the respective security tool is designed to analyze for security vulnerabilities;

receiving a questionnaire associated with the software application, wherein the questionnaire includes one or more queries regarding security-related tasks previously performed by the user and security vulnerabilities identified by the;

generating a risk score based on the questionnaire;

generating a tool-specific package for each component of the software application based on the components of the software application, the questionnaire, and the risk score, wherein the tool-specific package comprises one or more security tools that are designed to analyze the respective component of the software application for security vulnerabilities;

processing the tool-specific package for each component of the software application to analyze the software application to identify one or more security vulnerabilities using the tool-specific package; and

notifying a user of the identified one or more security vulnerabilities.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A system and method for adapting a security tool for performing security analysis on a software application. In one embodiment, a method includes maintaining a registry of security tools; receiving code for a software application; and comparing component criteria for each security tool against each component of the software application, wherein the component criteria for each respective security tool indicate which components the respective security tool is designed to analyze for security vulnerabilities. The method also includes generating a tool-specific package for each component of the software application, wherein the tool-specific package comprises one or more security tools that are designed to analyze the respective component for security vulnerabilities.

152 Citations

14 Claims

1. A method for adapting a security tool for performing security analysis on a software application, the method comprising:
- maintaining a registry of security tools comprising a plurality of registry entries, wherein each of the plurality of registry entries is associated with a particular security tool and with software component criteria;
  
  receiving code for a software application;
  
  comparing component criteria for each security tool against each component of the software application, wherein the component criteria for each respective security tool indicate which components of the software application the respective security tool is designed to analyze for security vulnerabilities;
  
  receiving a questionnaire associated with the software application, wherein the questionnaire includes one or more queries regarding security-related tasks previously performed by the user and security vulnerabilities identified by the;
  
  generating a risk score based on the questionnaire;
  
  generating a tool-specific package for each component of the software application based on the components of the software application, the questionnaire, and the risk score, wherein the tool-specific package comprises one or more security tools that are designed to analyze the respective component of the software application for security vulnerabilities;
  
  processing the tool-specific package for each component of the software application to analyze the software application to identify one or more security vulnerabilities using the tool-specific package; and
  
  notifying a user of the identified one or more security vulnerabilities.
- View Dependent Claims (2, 3, 4, 5, 6, 7)
- - 2. The method of claim 1, wherein the component criteria for a particular security tool include a listing of components that the particular security tool is designed to analyze for security vulnerabilities.
  - 3. The method of claim 1, further comprising processing the tool-specific package, wherein the processing comprises configuration of one or more security tools.
  - 4. The method of claim 1, further comprising notifying a user so that the user can address the security vulnerabilities.
  - 5. The method of claim 1, wherein generating the risk score includes assigning a weight value to each question of the questionnaire, wherein each weight value is associated with relative risk factors.
  - 6. The method of claim 1, further including generating and sending the questionnaire to the user via electronic mail.
  - 7. The method of claim 1, wherein the questionnaire includes dependencies and generates follow-up questions based on how questions are answered.

8. A non-transitory computer-readable storage medium having one or more instructions thereon for adapting a security tool for performing security analysis on a software application, the instructions when executed by a processor causing the processor to:
- maintain a registry of security tools comprising a plurality of registry entries, wherein each of the plurality of registry entries is associated with a particular security tool and with software component criteria;
  
  receive code for a software application;
  
  compare component criteria for each security tool against each component of the software application, wherein the component criteria for each respective security tool indicate which components of the software application the respective security tool is designed to analyze for security vulnerabilities;
  
  receiving a questionnaire associated with the software application, wherein the questionnaire includes one or more queries regarding security-related tasks previously performed by the user and security vulnerabilities identified by the user;
  
  generate a risk score based on the questionnaire accessed security history information;
  
  generate a tool-specific package for each component of the software application based on the components of the software application, the questionnaire, and the risk score, wherein the tool-specific package comprises one or more security tools that are designed to analyze the respective component of the software application for security vulnerabilities;
  
  process the tool-specific package for each component of the software application to analyze the software application to identify one or more security vulnerabilities using the tool-specific package; and
  
  notify a user of the identified one or more security vulnerabilities.
- View Dependent Claims (9, 10, 11, 12, 13, 14)
- - 9. The non-transitory computer-readable storage medium of claim 8, wherein the component criteria for a particular security tool include a listing of components that the particular security tool is designed to analyze for security vulnerabilities.
  - 10. The non-transitory computer-readable storage medium of claim 8, wherein the instructions further cause the processor to process the tool-specific package, and wherein the processing comprises configuration of one or more security tools.
  - 11. The non-transitory computer-readable storage medium of claim 8, wherein the instructions further cause the processor to notify a user so that the user can address the security vulnerabilities.
  - 12. The non-transitory computer-readable storage medium of claim 8, the instructions, when executed by a processor, further causing the processor to:
    - compare component criteria for each security tool against each component of the software application, utilizing automated searches for programming method calls known to perform certain behaviors.
  - 13. The non-transitory computer-readable storage medium of claim 8, the instructions, when executed by a processor, further causing the processor to:
    - compare a component of the software application, the component written in a particular programming language, to each security tool to match the component to one or more security tools designed to analyze code in the particular programming language.
  - 14. The non-transitory computer-readable storage medium of claim 8, the instructions, when executed by a processor, further causing the processor to:
    - compare a component of the software application, the component comprising a particular size, to each security tool to match the component to one or more security tools designed to efficiently analyze code of the particular size.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Salesforce.com, Inc.
Original Assignee
Salesforce.com, Inc.
Inventors
Greene, Collin, Fly, Robert
Primary Examiner(s)
TRAN, ELLEN C

Application Number

US12/854,102
Publication Number

US 20120042383A1
Time in Patent Office

2,303 Days
Field of Search

726/11, 726/22, 726/25
US Class Current

1/1
CPC Class Codes

G06F 11/3688   for test execution, e.g. sc...

G06F 21/57   Certifying or maintaining t...

G06F 2221/033   Test or assess software

Adapting a security tool for performing security analysis on a software application

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

152 Citations

14 Claims

Specification

Solutions

Use Cases

Quick Links

Adapting a security tool for performing security analysis on a software application

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

152 Citations

14 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links