Crowd-sourced security analysis

US 9,531,745 B1
Filed: 11/20/2015
Issued: 12/27/2016
Est. Priority Date: 11/20/2015
Status: Active Grant

First Claim

Patent Images

1. A method to reduce security vulnerability in association with a cloud-based static analysis security tool that is accessible by a set of application development environments, comprising:

associating a social networking platform with the application development environments;

enabling anonymous access to the social networking platform by users of the application development environments, the anonymous access enabling users to upload messages for posting to a forum;

prior to posting, filtering a message and, responsive to the filtering, automatically obfuscating sensitive data associated with a particular application development environment and any application code included in the message;

receiving security findings generated as users of the application development environments use the cloud-based static analysis security tool;

processing the received security findings using machine learning, and storing the processed security findings into a knowledgebase; and

providing social network content associated with the processed security findings from the knowledgebase as crowdsourced security knowledge generated from use of the cloud-based static analysis security tool by users of the application development environments.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A cloud-based static analysis security tool that is accessible by a set of application development environments is augmented to provide for anonymous knowledge sharing to facilitate reducing security vulnerabilities. To the end, a crowdsourcing platform and social network are associated with the application development environments. Access to the social network platform by users of the application development environments is enabled. The anonymous access enables users to post messages without exposing sensitive data associated with a particular application development environment. As the static analysis security tool is used, a knowledgebase of information regarding identified security findings, fix priorities, and so forth, is continuously updated. Social network content (e.g., in the form of analytics, workflow recommendations, and the like) is then published from the knowledgebase to provide users with security knowledge generated by the tool from the set of application development environments. The approach provides for secure and anonymous cross-organization information sharing.

37 Citations

View as Search Results

21 Claims

1. A method to reduce security vulnerability in association with a cloud-based static analysis security tool that is accessible by a set of application development environments, comprising:
- associating a social networking platform with the application development environments;
  
  enabling anonymous access to the social networking platform by users of the application development environments, the anonymous access enabling users to upload messages for posting to a forum;
  
  prior to posting, filtering a message and, responsive to the filtering, automatically obfuscating sensitive data associated with a particular application development environment and any application code included in the message;
  
  receiving security findings generated as users of the application development environments use the cloud-based static analysis security tool;
  
  processing the received security findings using machine learning, and storing the processed security findings into a knowledgebase; and
  
  providing social network content associated with the processed security findings from the knowledgebase as crowdsourced security knowledge generated from use of the cloud-based static analysis security tool by users of the application development environments.
- View Dependent Claims (2, 3, 4, 5, 6, 7)
- - 2. The method as described in claim 1 wherein enabling anonymous access includes:
    - receiving a message from a first user for posting to the forum;
      
      parsing the message for information from which an identity of an organization to which the first user is associated is obtainable; and
      
      modifying the message to obscure the identity.
  - 3. The method as described in claim 1 wherein the social network content includes analytics generated from execution of the static security analysis tool in association with the set of application development environments.
  - 4. The method as described in claim 3 wherein the analytics includes an analysis of security findings from a project associated with two or more of the application development environments, and recommendations regarding security findings.
  - 5. The method as described in claim 1 further including:
    - collecting information about use of the social networking platform; and
      
      modifying at least one function or characteristic of the social networking platform based on the collected information.
  - 6. The method as described in claim 1 wherein the social network content includes information identifying a third party that is available to provide assistance to a user to facilitate a remediation identified by the static security analysis tool.
  - 7. The method as described in claim 1 wherein at least first and second of the application development environments are associated with different organizations.

8. Apparatus, comprising:
- a processor;
  
  computer memory holding computer program instructions executed by one or more processors to reduce security vulnerability in association with a cloud-based static analysis security tool that is accessible by a set of application development environments, the computer program instructions operative to;
  
  associate a social networking platform with the application development environments;
  
  enable anonymous access to the social networking platform by users of the application development environments, the anonymous access enabling users to upload messages for posting to a forum;
  
  prior to posting, filter a message and, responsive to the filtering, automatically obfuscate sensitive data associated with a particular application development environment and any application code included in the message;
  
  receive security findings generated as users of the application development environments use the cloud-based static analysis security tool;
  
  process the received security findings using machine learning, and store the processed security findings into a knowledgebase; and
  
  provide social network content associated with the processed security findings from the knowledgebase as crowdsourced security knowledge generated from use of the cloud-based static analysis security tool by users of the application development environments.
- View Dependent Claims (9, 10, 11, 12, 13, 14)
- - 9. The apparatus as described in claim 8 wherein the computer program instructions operative to enable anonymous access includes computer program instructions to:
    - receive a message from a first user for posting to the forum;
      
      parse the message for information from which an identity of an organization to which the first user is associated is obtainable; and
      
      modify the message to obscure the identity.
  - 10. The apparatus as described in claim 8 wherein the social network content includes analytics generated from execution of the static security analysis tool in association with the set of application development environments.
  - 11. The apparatus as described in claim 10 wherein the analytics includes an analysis of security findings from a project associated with two or more of the application development environments, and recommendations regarding security findings.
  - 12. The apparatus as described in claim 8 wherein the computer program instructions further include computer program instructions to:
    - collect information about use of the social networking platform; and
      
      modify at least one function or characteristic of the social networking platform based on the collected information.
  - 13. The apparatus as described in claim 8 wherein the social network content includes information identifying a third party that is available to provide assistance to a user to facilitate a remediation identified by the static security analysis tool.
  - 14. The apparatus as described in claim 8 wherein at least first and second of the application development environments are associated with different organizations.

15. A computer program product in a non-transitory computer readable medium for use in one or more data processing systems, the computer program product holding computer program instructions executed by the one or more data processing systems to reduce security vulnerability in association with a cloud-based static analysis security tool that is accessible by a set of application development environments, the computer program instructions operative to:
- associate a social networking platform with the application development environments;
  
  enable anonymous access to the social networking platform by users of the application development environments, the anonymous access enabling users to upload messages for posting to a forum;
  
  prior to posting, filter a message and, responsive to the filtering, automatically obfuscate sensitive data associated with a particular application development environment and any application code included in the message;
  
  receive security findings generated as users of the application development environments use the cloud-based static analysis security tool;
  
  process the received security findings using machine learning, and store the processed security findings into a knowledgebase; and
  
  provide social network content associated with the processed security findings from the knowledgebase as crowdsourced security knowledge generated from use of the cloud-based static analysis security tool by users of the application development environments.
- View Dependent Claims (16, 17, 18, 19, 20, 21)
- - 16. The computer program product as described in claim 15 wherein the computer program instructions operative to enable anonymous access includes computer program instructions to:
    - receive a message from a first user for posting to the forum;
      
      parse the message for information from which an identity of an organization to which the first user is associated is obtainable; and
      
      modify the message to obscure the identity.
  - 17. The computer program product as described in claim 15 wherein the social network content includes analytics generated from execution of the static security analysis tool in association with the set of application development environments.
  - 18. The computer program product as described in claim 17 wherein the analytics includes an analysis of security findings from a project associated with two or more of the application development environments, and recommendations regarding security findings.
  - 19. The computer program product as described in claim 15 wherein the computer program instructions further include computer program instructions to:
    - collect information about use of the social networking platform; and
      
      modify at least one function or characteristic of the social networking platform based on the collected information.
  - 20. The computer program product as described in claim 15 wherein the social network content includes information identifying a third party that is available to provide assistance to a user to facilitate a remediation identified by the static security analysis tool.
  - 21. The computer program product as described in claim 15 wherein at least first and second of the application development environments are associated with different organizations.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
International Business Machines Corporation
Original Assignee
International Business Machines Corporation
Inventors
Sharma, Babita, Goldberg, Richard Myer, Turnham, Jeffrey Charles
Primary Examiner(s)
AVERY, JEREMIAH L

Application Number

US14/946,810
Time in Patent Office

403 Days
Field of Search

None
US Class Current

1/1
CPC Class Codes

G06F 21/563   by source code analysis

G06F 21/577   Assessing vulnerabilities a...

G06F 2221/033   Test or assess software

G06F 40/205   Parsing

H04L 63/0421   Anonymous communication, i....

H04L 63/1433   Vulnerability analysis

Crowd-sourced security analysis

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

37 Citations

21 Claims

Specification

Use Cases

Quick Links

Others

Crowd-sourced security analysis

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

37 Citations

21 Claims

Specification

Subscription Required

Use Cases

Quick Links

Others