Method and device for evaluating security assessment of an application

US 9,781,146 B2
Filed: 07/31/2015
Issued: 10/03/2017
Est. Priority Date: 06/18/2015
Status: Active Grant

First Claim

Patent Images

1. A method for evaluating security assessment of an application, comprising:

receiving, by a security assessment computing device, application entry data associated with a plurality of entry points of the application;

identifying, by the security assessment computing device, at least one security threat entry point based on the application entry data, byanalyzing the application entry data based on results of a static application security testing (SAST), a dynamic application security testing (DAST), a functionality test cases testing, and a web services testing to obtain security information, wherein the application data entry comprises at least one of data of one or more technologies used for building the application, architecture data of the application, or data pertaining to interface of the application, andidentifying the at least one security threat entry point based on the security information, wherein entry points, from amongst the plurality of entry points, which are to be tested are the security threat entry points,wherein the application entry data is received through a graphical user interface of the security assessment computing device from a user of the application;

computing, by the security assessment computing device, a coverage index value based on the application entry data and the at least one security threat entry point, wherein the coverage index value is computed by performing arithmetic division of a number of the at least one security threat entry point by a total number of the entry points in the plurality of entry points of the application; and

generating, by the security assessment computing device, a recommendation report indicating security coverage of the application based on the coverage index value.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Embodiments of the present disclosure disclose a method and a device for evaluating security assessment of an application. The method comprises receiving application entry data associated with a plurality of entry points of the application. Also, the method comprises identifying at least one security threat entry point based on the application entry data. Further, the method comprises computing a coverage index value based on the application entry data and the at least one security threat entry point and generating a recommendation report indicating security coverage of the application based on the coverage index value.

31 Citations

View as Search Results

16 Claims

1. A method for evaluating security assessment of an application, comprising:
- receiving, by a security assessment computing device, application entry data associated with a plurality of entry points of the application;
  
  identifying, by the security assessment computing device, at least one security threat entry point based on the application entry data, byanalyzing the application entry data based on results of a static application security testing (SAST), a dynamic application security testing (DAST), a functionality test cases testing, and a web services testing to obtain security information, wherein the application data entry comprises at least one of data of one or more technologies used for building the application, architecture data of the application, or data pertaining to interface of the application, andidentifying the at least one security threat entry point based on the security information, wherein entry points, from amongst the plurality of entry points, which are to be tested are the security threat entry points,wherein the application entry data is received through a graphical user interface of the security assessment computing device from a user of the application;
  
  computing, by the security assessment computing device, a coverage index value based on the application entry data and the at least one security threat entry point, wherein the coverage index value is computed by performing arithmetic division of a number of the at least one security threat entry point by a total number of the entry points in the plurality of entry points of the application; and
  
  generating, by the security assessment computing device, a recommendation report indicating security coverage of the application based on the coverage index value.
- View Dependent Claims (2, 3, 4, 5)
- - 2. The method as claimed in claim 1, wherein the application entry data comprises at least one of data associated with one or more technologies used for building the application, architecture data of the application, or data pertaining to interface of the application.
  - 3. The method as claimed in claim 1, wherein receiving the application entry data further comprises receiving results of the SAST, DAST, the functionality test cases testing, and the web services testing.
  - 4. The method as claimed in claim 1, wherein the plurality of entry points is at least one of a build web interface, a database, or one or more web services.
  - 5. The method as claimed in claim 1, wherein the recommendation report comprises application entry data associated with a plurality of entry points of the application, the coverage index value, and one or more security threat entry points to be secured.

6. A security assessment computing device for evaluating security assessment of an application, comprising:
- a processor; and
  
  a memory communicatively coupled to the processor, wherein the memory stores processor-executable instructions, which, on execution, cause the processor to;
  
  receive application entry data associated with a plurality of entry points of the application;
  
  identify at least one security threat entry point based on the application entry data by;
  
  analyzing the application entry data based on results of a static application security testing (SAST), a dynamic application security testing (DAST), a functionality test cases testing, and a web services testing to obtain security information, wherein the application data entry comprises at least one of data of one or more technologies used for building the application, architecture data of the application, or data pertaining to interface of the application, andidentifying the at least one security threat entry point based on the security information, wherein entry points, from amongst the plurality of entry points, which are to be tested are the security threat entry points,wherein the application entry data is received through a graphical user interface of the security assessment computing device from a user of the application;
  
  compute a coverage index value based on the identify of at least one security threat entry point based on the application entry data, wherein the coverage index value is computed by performing arithmetic division of a number of the at least one security threat entry point by a total number of the entry points in the plurality of entry points of the application; and
  
  generate a recommendation report indicating security coverage of the application based on the coverage index value.
- View Dependent Claims (7, 8, 9, 10, 11)
- - 7. The device as claimed in claim 6, wherein the application entry data comprises at least one of data associated with one or more technologies used for building the application, architecture data of the application, or data pertaining to interface of the application.
  - 8. The device as claimed in claim 6, wherein the processor is configured to receive the application entry data by receiving results of the SAST, the DAST, the functionality test cases testing, and the web services testing.
  - 9. The device as claimed in claim 6, wherein the plurality of entry points is at least one of a build web interface, a database, or one or more web services.
  - 10. The device as claimed in claim 6, wherein the recommendation report comprises application entry data associated with a plurality of entry points of the application, the coverage index value, and one or more security threat entry points to be secured.
  - 11. The device as claimed in claim 6, wherein the processor is further configured to generate a security assessment report based on at least one of the data associated with entry points of the application, the coverage index value, or the recommendation.

12. A non-transitory computer readable medium including instructions stored thereon that when processed by at least one processor cause a system to perform operations comprising:
- receiving application entry data associated with a plurality of entry points of the application;
  
  identifying at least one security threat entry point based on the application entry data, byanalyzing the application entry data based on results of a static application security testing (SAST), a dynamic application security testing (DAST), a functionality test cases testing, and a web services testing to obtain security information, wherein the application data entry comprises at least one of data of one or more technologies used for building the application, architecture data of the application, or data pertaining to interface of the application, andidentifying the at least one security threat entry point based on the security information, wherein entry points, from amongst the plurality of entry points, which are to be tested are the security threat entry points,wherein the application entry data is received through a graphical user interface of the security assessment computing device from a user of the application;
  
  computing a coverage index value based on the application entry data and the at least one security threat entry point, wherein the coverage index value is computed by performing arithmetic division of a number of the at least one security threat entry point by a total number of the entry points in the plurality of entry points of the application; and
  
  generating, by the security assessment computing device, a recommendation report indicating security coverage of the application based on the coverage index value.
- View Dependent Claims (13, 14, 15, 16)
- - 13. The medium as claimed in claim 12, wherein receiving the application entry data comprises receiving results of the SAST, the DAST, the functionality test cases testing, and the web services testing.
  - 14. The medium as claimed in claim 12, wherein the operations further comprise generating the recommendation report comprising application entry data associated with a plurality of entry points of the application, the coverage index value, and one or more security threat entry points to be secured.
  - 15. The medium as claimed in claim 12, wherein the plurality of entry points is at least one of a build web interface, a database, or one or more web services.
  - 16. The medium as claimed in claim 12, wherein the operations further comprise generating a security assessment report based on at least one of the data associated with entry points of the application, the coverage index value, or the recommendation.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Wipro Limited
Original Assignee
Wipro Limited
Inventors
Sridhar, Kavitha
Primary Examiner(s)
TURCHEN, JAMES R

Application Number

US14/814,912
Publication Number

US 20160373480A1
Time in Patent Office

795 Days
Field of Search
US Class Current
CPC Class Codes

G06F 21/577   Assessing vulnerabilities a...

G06F 2221/033   Test or assess software

H04L 63/1433   Vulnerability analysis

H04L 63/1441   Countermeasures against mal...

Method and device for evaluating security assessment of an application

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

31 Citations

16 Claims

Specification

Solutions

Use Cases

Quick Links

Method and device for evaluating security assessment of an application

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

31 Citations

16 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links