System and method for providing application security in a cloud computing environment
First Claim
1. A system for providing application deployment security in a cloud computing or other environment, comprising:
- one or more computers, including a computing environment which enables compilation and deployment of software applications to run within the computing environment;
a plurality of hot-spot configurations associated with application programming interface (API) usages, wherein each hot-spot configuration defines an API usage that is to be monitored, and associates at least one of a particular policy or action with that API usage;
one or more security extensions that are registered with an application compiler framework, for selective binding to user applications at runtime; and
an application compiler provided as part of the application compiler framework, which receives a user application to be deployed to the computing environment,wherein the user application includes one or more of the API usages expressed as method invocations within the source code of the user application,determines, for each of the API usages expressed as method invocations within the source code of the user application, one or more matching hot-spot configurations and associated policies and actions, andinjects the user application during compilation to create an application runtime that includes a corresponding instrumented code and a security manager that, during execution of the user application, monitors the method invocations that are invoked by the user application, for use in determining access by the user application to the API usages;
whereupon deployment of the application runtime to the computing environment,the user application is bound to at least one security extension registered with the application compiler framework,for use by the security manager in calling the at least one security extension, for use with the user application.
1 Assignment
0 Petitions
Accused Products
Abstract
In accordance with an embodiment, described herein is a system and method for providing application security in a cloud computing or other environment. A plurality of hot-spot configurations define API usages which, for security reasons, are of interest to be monitored at runtime, such as invocations of particular methods that are likely to be used to attempt unauthorized access. Upon a user application being received for deployment to the cloud environment, an application compiler determines, for API usages expressed as method invocations within the source code of the application, one or more hot-spot configurations and associated policies or actions. The application compiler can then inject the user application to provide a security manager that, during runtime, monitors the methods and values invoked, and communicates with one or more security extensions to grant or deny access.
-
Citations
20 Claims
-
1. A system for providing application deployment security in a cloud computing or other environment, comprising:
-
one or more computers, including a computing environment which enables compilation and deployment of software applications to run within the computing environment; a plurality of hot-spot configurations associated with application programming interface (API) usages, wherein each hot-spot configuration defines an API usage that is to be monitored, and associates at least one of a particular policy or action with that API usage; one or more security extensions that are registered with an application compiler framework, for selective binding to user applications at runtime; and an application compiler provided as part of the application compiler framework, which receives a user application to be deployed to the computing environment, wherein the user application includes one or more of the API usages expressed as method invocations within the source code of the user application, determines, for each of the API usages expressed as method invocations within the source code of the user application, one or more matching hot-spot configurations and associated policies and actions, and injects the user application during compilation to create an application runtime that includes a corresponding instrumented code and a security manager that, during execution of the user application, monitors the method invocations that are invoked by the user application, for use in determining access by the user application to the API usages; whereupon deployment of the application runtime to the computing environment, the user application is bound to at least one security extension registered with the application compiler framework, for use by the security manager in calling the at least one security extension, for use with the user application. - View Dependent Claims (2, 3, 4, 5, 6, 7)
-
-
8. A method of providing application deployment security in a cloud computing or other environment, comprising:
-
providing one or more computers, including a computing environment which enables compilation and deployment of software applications to run within the computing environment; providing a plurality of hot-spot configurations associated with application programming interface (API) usages, wherein each hot-spot configuration defines an API usage that is to be monitored, and associates at least one of a particular policy or action with that API usage; registering one or more security extensions with an application compiler framework, for selective binding to user applications at runtime; and compiling a user application, to be deployed to the computing environment, including receiving the user application to be deployed to the computing environment, wherein the user application includes one or more of the API usages expressed as method invocations within the source code of the user application, determining, for each of the API usages expressed as method invocations within the source code of the user application, one or more matching hot-spot configurations and associated policies and actions, and injecting the user application during compilation to create an application runtime that includes a corresponding instrumented code and a security manager that, during execution of the user application, monitors the method invocations that are invoked by the user application, for use in determining access by the user application to the API usages; whereupon deployment of the application runtime to the computing environment, the user application is bound to at least one security extension registered with the application compiler framework, for use by the security manager in calling the at least one security extension, for use with the user application. - View Dependent Claims (9, 10, 11, 12, 13, 14)
-
-
15. A non-transitory computer readable storage medium, including instructions stored thereon which when read and executed by one or more computers cause the one or more computers to perform the steps comprising:
-
providing, at one or more computers, a computing environment which enables compilation and deployment of software applications to run within the computing environment; providing a plurality of hot-spot configurations associated with application programming interface (API) usages, wherein each hot-spot configuration defines an API usage that is to be monitored, and associates at least one of a particular policy or action with that API usage; registering one or more security extensions with an application compiler framework, for selective binding to user applications at runtime; and compiling a user application, to be deployed to the computing environment, including receiving the user application to be deployed to the computing environment, wherein the user application includes one or more of the API usages expressed as method invocations within the source code of the user application, determining, for each of the API usages expressed as method invocations within the source code of the user application, one or more matching hot-spot configurations and associated policies and actions, and injecting the user application during compilation to create an application runtime that includes a corresponding instrumented code and a security manager that, during execution of the user application, monitors the method invocations that are invoked by the user application, for use in determining access by the user application to the API usages; whereupon deployment of the application runtime to the computing environment, the user application is bound to at least one security extension registered with the application compiler framework, for use by the security manager in calling the at least one security extension, for use with the user application. - View Dependent Claims (16, 17, 18, 19, 20)
-
Specification