Prioritizing security findings in a SAST tool based on historical security analysis

US 9,544,327 B1
Filed: 11/20/2015
Issued: 01/10/2017
Est. Priority Date: 11/20/2015
Status: Active Grant

First Claim

Patent Images

1. A method to reduce security vulnerabilities associated with development of an application across multiple application development environments, the application having a set of application programming interfaces (APIs), comprising:

receiving, at a first time, a static scan of a first set of source code from the application, the static scan including one or more identified vulnerabilities;

receiving, at a second time, a static scan of a second set of source code from the application;

based on the static scans, identifying one or more APIs as being in common use in the application;

with respect to at least common use API so identified, identifying at least one API in the second set of source code that, with respect to the first set of source code, has been updated between the first time and the second time to address a vulnerability; and

based on identifying the at least one API that has been updated, prioritizing processing of one or more of the identified vulnerabilities in an API associated with the first set of source code over vulnerabilities identified in at least one other API.

View all claims

2 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A cloud-based static analysis security tool accessible by a set of application development environments is augmented to provide for anonymous knowledge sharing to facilitate reducing security vulnerabilities. To the end, a crowdsourcing platform and social network are associated with the application development environments. Access to the social network platform by users of the application development environments is enabled. The anonymous access enables users to post messages without exposing sensitive data associated with a particular application development environment. As the static analysis security tool is used, a knowledgebase of information regarding identified security findings, fix priorities, and so forth, is continuously updated. Social network content (e.g., in the form of analytics, workflow recommendations, and the like) is then published from the knowledgebase to provide users with security knowledge generated by the tool from the set of application development environments. The approach provides for secure and anonymous cross-organization information sharing based, for example, on analytics generated by an analytics platform.

36 Citations

View as Search Results

24 Claims

1. A method to reduce security vulnerabilities associated with development of an application across multiple application development environments, the application having a set of application programming interfaces (APIs), comprising:
- receiving, at a first time, a static scan of a first set of source code from the application, the static scan including one or more identified vulnerabilities;
  
  receiving, at a second time, a static scan of a second set of source code from the application;
  
  based on the static scans, identifying one or more APIs as being in common use in the application;
  
  with respect to at least common use API so identified, identifying at least one API in the second set of source code that, with respect to the first set of source code, has been updated between the first time and the second time to address a vulnerability; and
  
  based on identifying the at least one API that has been updated, prioritizing processing of one or more of the identified vulnerabilities in an API associated with the first set of source code over vulnerabilities identified in at least one other API.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8)
- - 2. The method as described in claim 1 wherein the static scan of the first set of source code is received from a first application development environment and the static scan of the second set of source code is received from a second application development environment.
  - 3. The method as described in claim 2 wherein the first and second application development environments are associated with different organizations.
  - 4. The method as described in claim 1 further including classifying the application according to a set of categories.
  - 5. The method as described in claim 4 further including training a machine learning algorithm using a classification of the application and one or more security findings from the application to produce a trained machine learning algorithm.
  - 6. The method as described in claim 5 further including applying the trained machine learning algorithm to a set of new security findings to prioritize the new set of security findings.
  - 7. The method as described in claim 1 further including providing a feedback assessment identifying one or more characteristics associated with an identified vulnerability.
  - 8. The method as described in claim 7 wherein the characteristics include one of:
    - an identity of a developer, and a vulnerability type.

9. Apparatus, comprising:
- a processor;
  
  computer memory holding computer program instructions executed by one or more processors to reduce security vulnerabilities associated with development of an application across multiple application development environments, the application having a set of application programming interfaces (APIs), the computer program instructions operative to;
  
  receive, at a first time, a static scan of a first set of source code from the application, the static scan including one or more identified vulnerabilities;
  
  receive, at a second time, a static scan of a second set of source code from the application;
  
  based on the static scans, identify one or more APIs as being in common use in the application;
  
  with respect to at least common use API so identified, identify at least one API in the second set of source code that, with respect to the first set of source code, has been updated between the first time and the second time to address a vulnerability; and
  
  based on identifying the at least one API that has been updated, prioritize processing of one or more of the identified vulnerabilities in an API associated with the first set of source code over vulnerabilities identified in at least one other API.
- View Dependent Claims (10, 11, 12, 13, 14, 15, 16)
- - 10. The apparatus as described in claim 9 wherein the static scan of the first set of source code is received from a first application development environment and the static scan of the second set of source code is received from a second application development environment.
  - 11. The apparatus as described in claim 10 wherein the first and second application development environments are associated with different organizations.
  - 12. The apparatus as described in claim 9 wherein the computer program instructions also classify the application according to a set of categories.
  - 13. The apparatus as described in claim 12 wherein the computer program instructions train a machine learning algorithm using a classification of the application and one or more security findings from the application to produce a trained machine learning algorithm.
  - 14. The apparatus as described in claim 13 wherein the computer program instructions apply the trained machine learning algorithm to a set of new security findings to prioritize the new set of security findings.
  - 15. The apparatus as described in claim 9 further the computer program instructions also provide a feedback assessment identifying one or more characteristics associated with an identified vulnerability.
  - 16. The apparatus as described in claim 15 wherein the characteristics include one of:
    - an identity of a developer, and a vulnerability type.

17. A computer program product in a non-transitory computer readable medium for use in one or more data processing systems, the computer program product holding computer program instructions executed by the one or more data processing systems to reduce security vulnerabilities associated with development of an application across multiple application development environments, the application having a set of application programming interfaces (APIs), the computer program instructions operative to:
- receive, at a first time, a static scan of a first set of source code from the application, the static scan including one or more identified vulnerabilities;
  
  receive, at a second time, a static scan of a second set of source code from the application;
  
  based on the static scans, identify one or more APIs as being in common use in the application;
  
  with respect to at least common use API so identified, identify at least one API in the second set of source code that, with respect to the first set of source code, has been updated between the first time and the second time to address a vulnerability; and
  
  prioritize processing of one or more of the identified vulnerabilities in an API associated with the first set of source code over vulnerabilities identified in at least one other API.
- View Dependent Claims (18, 19, 20, 21, 22, 23, 24)
- - 18. The computer program product as described in claim 17 wherein the static scan of the first set of source code is received from a first application development environment and the static scan of the second set of source code is received from a second application development environment.
  - 19. The computer program product as described in claim 18 wherein the first and second application development environments are associated with different organizations.
  - 20. The computer program product as described in claim 17 wherein the computer program instructions also classify the application according to a set of categories.
  - 21. The computer program product as described in claim 20 wherein the computer program instructions train a machine learning algorithm using a classification of the application and one or more security findings from the application to produce a trained machine learning algorithm.
  - 22. The computer program product as described in claim 21 wherein the computer program instructions apply the trained machine learning algorithm to a set of new security findings to prioritize the new set of security findings.
  - 23. The computer program product as described in claim 17 further the computer program instructions also provide a feedback assessment identifying one or more characteristics associated with an identified vulnerability.
  - 24. The computer program product as described in claim 23 wherein the characteristics include one of:
    - an identity of a developer, and a vulnerability type.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Finjan Blue, Inc. (FIG LLC (d/b/a Fortress Investment Group LLC))
Original Assignee
International Business Machines Corporation
Inventors
Wang, Shu, Xiao, Hua, Sharma, Babita, Duer, Kristofer Alyn, Goldberg, Richard Myer, Teilhet, Stephen Darwin, Turnham, Jeffrey Charles
Primary Examiner(s)
Korsak, Oleg

Application Number

US14/946,858
Time in Patent Office

417 Days
Field of Search
US Class Current

1/1
CPC Class Codes

G06F 21/6245   Protecting personal data, e...

G06N 20/00   Machine learning

H04L 63/0421   Anonymous communication, i....

H04L 63/1433   Vulnerability analysis

Prioritizing security findings in a SAST tool based on historical security analysis

First Claim

2 Assignments

0 Petitions

Accused Products

Abstract

36 Citations

24 Claims

Specification

Solutions

Use Cases

Quick Links

Prioritizing security findings in a SAST tool based on historical security analysis

First Claim

2 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

36 Citations

24 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links