Prioritizing security findings in a SAST tool based on historical security analysis
First Claim
1. A method to reduce security vulnerabilities associated with development of an application across multiple application development environments, the application having a set of application programming interfaces (APIs), comprising:
- receiving, at a first time, a static scan of a first set of source code from the application, the static scan including one or more identified vulnerabilities;
- receiving, at a second time, a static scan of a second set of source code from the application;
- based on the static scans, identifying one or more APIs as being in common use in the application;
- with respect to at least common use API so identified, identifying at least one API in the second set of source code that, with respect to the first set of source code, has been updated between the first time and the second time to address a vulnerability; and
- based on identifying the at least one API that has been updated, prioritizing processing of one or more of the identified vulnerabilities in an API associated with the first set of source code over vulnerabilities identified in at least one other API.
Abstract
A cloud-based static analysis security tool accessible by a set of application development environments is augmented to provide for anonymous knowledge sharing to facilitate reducing security vulnerabilities. To this end, a crowdsourcing platform and social network are associated with the application development environments. Access to the social network platform by users of the application development environments is enabled. The anonymous access enables users to post messages without exposing sensitive data associated with a particular application development environment. As the static analysis security tool is used, a knowledgebase of information regarding identified security findings, fix priorities, and so forth, is continuously updated. Social network content (e.g., in the form of analytics, workflow recommendations, and the like) is then published from the knowledgebase to provide users with security knowledge generated by the tool from the set of application development environments. The approach provides for secure and anonymous cross-organization information sharing based, for example, on analytics generated by an analytics platform.
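The prioritization method of claim 1, carried through on constructed scan data as an added example (not the patent's or any vendor's code). It assumes each SAST finding is attributed to one API, that "common use" means at least a threshold number of call sites in both scans (the threshold is an assumption), and that an API counts as "updated to address a vulnerability" when a finding reported on it at the first time is gone at the second time; open findings on such APIs are then ranked ahead of the rest.

```python
from collections import Counter
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    api: str       # API (function) the SAST finding is attributed to
    rule: str      # rule id reported by the scanner
    location: str  # file:line of the finding


# Constructed sample data: two scans of the same application at t1 and t2,
# plus the number of call sites per API reported by each scan.
SCAN_T1 = [
    Finding("db.query", "sql-injection", "orders.py:42"),
    Finding("db.query", "sql-injection", "users.py:17"),
    Finding("render", "xss", "views.py:88"),
    Finding("util.log", "log-injection", "util.py:9"),
]
SCAN_T2 = [  # orders.py:42 was fixed between the scans; the rest remain open
    Finding("db.query", "sql-injection", "users.py:17"),
    Finding("render", "xss", "views.py:88"),
    Finding("util.log", "log-injection", "util.py:9"),
]
USAGE_T1 = Counter({"db.query": 14, "render": 9, "util.log": 2})
USAGE_T2 = Counter({"db.query": 15, "render": 9, "util.log": 2})


def common_use_apis(usage_t1, usage_t2, min_call_sites=5):
    """APIs present in both scans with at least min_call_sites uses in each."""
    return {api for api in usage_t1.keys() & usage_t2.keys()
            if min(usage_t1[api], usage_t2[api]) >= min_call_sites}


def updated_apis(scan_t1, scan_t2, candidates):
    """Candidate APIs with at least one t1 finding no longer reported at t2."""
    open_at_t2 = set(scan_t2)
    return {f.api for f in scan_t1 if f.api in candidates and f not in open_at_t2}


def prioritize(scan_t1, scan_t2, usage_t1, usage_t2):
    """Rank still-open t1 findings: updated common-use APIs first, then other
    common-use APIs, then everything else; scan order is kept within a group."""
    common = common_use_apis(usage_t1, usage_t2)
    updated = updated_apis(scan_t1, scan_t2, common)
    still_open = [f for f in scan_t1 if f in set(scan_t2)]
    return sorted(still_open, key=lambda f: (f.api not in updated, f.api not in common))


if __name__ == "__main__":
    for f in prioritize(SCAN_T1, SCAN_T2, USAGE_T1, USAGE_T2):
        print(f.api, f.rule, f.location)
```

The already-fixed finding is dropped from the queue, since the fix itself is the historical signal that promotes the remaining finding on the same API.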
24 Claims
9. Apparatus, comprising:
- a processor;
- computer memory holding computer program instructions executed by one or more processors to reduce security vulnerabilities associated with development of an application across multiple application development environments, the application having a set of application programming interfaces (APIs), the computer program instructions operative to:
  - receive, at a first time, a static scan of a first set of source code from the application, the static scan including one or more identified vulnerabilities;
  - receive, at a second time, a static scan of a second set of source code from the application;
  - based on the static scans, identify one or more APIs as being in common use in the application;
  - with respect to at least common use API so identified, identify at least one API in the second set of source code that, with respect to the first set of source code, has been updated between the first time and the second time to address a vulnerability; and
  - based on identifying the at least one API that has been updated, prioritize processing of one or more of the identified vulnerabilities in an API associated with the first set of source code over vulnerabilities identified in at least one other API.

Dependent claims: 10 to 16.
17. A computer program product in a non-transitory computer readable medium for use in one or more data processing systems, the computer program product holding computer program instructions executed by the one or more data processing systems to reduce security vulnerabilities associated with development of an application across multiple application development environments, the application having a set of application programming interfaces (APIs), the computer program instructions operative to:
- receive, at a first time, a static scan of a first set of source code from the application, the static scan including one or more identified vulnerabilities;
- receive, at a second time, a static scan of a second set of source code from the application;
- based on the static scans, identify one or more APIs as being in common use in the application;
- with respect to at least common use API so identified, identify at least one API in the second set of source code that, with respect to the first set of source code, has been updated between the first time and the second time to address a vulnerability; and
- prioritize processing of one or more of the identified vulnerabilities in an API associated with the first set of source code over vulnerabilities identified in at least one other API.

Dependent claims: 18 to 24.