System and method for managing security testing

US 20070061885A1
Filed: 03/31/2006
Published: 03/15/2007
Est. Priority Date: 09/09/2005
Status: Abandoned Application

First Claim

Patent Images

1. A method of maintaining a database of computer security data comprising the steps of:

(a) providing a security database containing sets of data each with a unique database identifier, wherein ones of the data sets relate to different computer security vulnerabilities;

(b) obtaining a first set of data having a first identifier from a first source, wherein said first source contains first data sets each with a first unique identifier, and wherein ones of the first data sets relate to different computer security vulnerabilities;

(c) obtaining a second set of data having a second identifier from a second source, wherein said second source contains second data sets each with a second unique identifier, and wherein ones of the second data sets relate to different computer security vulnerabilities;

(d) providing a cross-reference database comprising a list of finding identifiers correlated with said first unique identifiers from said first source and said second unique identifiers from said second source, wherein said correlated identifiers each refer to a similar security vulnerability;

(e) determining if said first and said second identifiers correlate to the same finding identifier in said cross-reference database; and

(f) if a correlation exists, entering into said security database said first set of data and assigning said first set of data a unique database identifier.

View all claims

2 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

The subject matter relates generally to a system and method for managing security testing. Particularly, this invention relates to maintaining a security database by correlating multiple sources of vulnerability data and also to managing security testing from plural vendors. This invention also relates to providing secure session tracking by performing plural authentications of a user.

73 Citations

View as Search Results

106 Claims

1. A method of maintaining a database of computer security data comprising the steps of:
- (a) providing a security database containing sets of data each with a unique database identifier, wherein ones of the data sets relate to different computer security vulnerabilities;
  
  (b) obtaining a first set of data having a first identifier from a first source, wherein said first source contains first data sets each with a first unique identifier, and wherein ones of the first data sets relate to different computer security vulnerabilities;
  
  (c) obtaining a second set of data having a second identifier from a second source, wherein said second source contains second data sets each with a second unique identifier, and wherein ones of the second data sets relate to different computer security vulnerabilities;
  
  (d) providing a cross-reference database comprising a list of finding identifiers correlated with said first unique identifiers from said first source and said second unique identifiers from said second source, wherein said correlated identifiers each refer to a similar security vulnerability;
  
  (e) determining if said first and said second identifiers correlate to the same finding identifier in said cross-reference database; and
  
  (f) if a correlation exists, entering into said security database said first set of data and assigning said first set of data a unique database identifier.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16, 17, 18, 19, 20, 21, 22, 23, 24, 25, 26, 27, 28)
- - 2. The method of claim 1 wherein said first source is a public data source.
  - 3. The method of claim 2 wherein said second source is a public data source.
  - 4. The method of claim 3 wherein said first source is the Open Source Vulnerability Database (“
    - OSVDB”
      
      ).
  - 5. The method of claim 2 wherein said first source is selected from the group consisting of:
    - Nessus, Common Vulnerability Exposures (“
      
      CVE”
      
      ), AppScan, Burp Proxy, Nmap, Nikto, WebInspect, and WebScanner.
  - 6. The method of claim 1 wherein said security database is the TSL Knowledgebase.
  - 7. The method of claim 1 wherein ones of the data sets in the security database comprise at least one of the following fields of information:
    - a name of a security vulnerability, a description of the security vulnerability, and a recommendation for correcting the security vulnerability.
  - 8. The method of claim 7 wherein said ones of the data sets in the security database further comprise at least one of the following fields of information:
    - an assigned priority level for the security vulnerability and a categorization of the technology platform affected by the security vulnerability.
  - 9. The method of claim 8 wherein the technology platform is selected from the group consisting of:
    - computer, network, operating system, and software application.
  - 10. The method of claim 1 wherein ones of the first data sets of the first source comprise at least one of the following fields of information:
    - a name of a security vulnerability, a description of the security vulnerability, and a recommendation for correcting the security vulnerability.
  - 11. The method of claim 10 wherein said ones of the first data sets of the first source further comprise at least one of the following fields of information:
    - an assigned priority level for the security vulnerability and a categorization of the type of technology affected by the security vulnerability.
  - 12. The method of claim 1 further comprising the step of updating said cross-reference database with the assigned unique database identifier and said first identifier.
  - 13. The method of claim 1 further comprising the step of entering into said security database said second set of data and assigning said second set of data a unique database identifier, if a correlation exists.
  - 14. The method of claim 13 further comprising the step of updating said cross-reference database with the assigned unique database identifier and said second identifier.
  - 15. The method of claim 1 including the step of entering into said security database a third set of data and assigning said third set of data a unique database identifier.
  - 16. The method of claim 15 further comprising the step of updating said cross-reference database with the assigned unique database identifier.
  - 17. The method of claim 1 wherein said first set of data is obtained via a first network.
  - 18. The method of claim 17 wherein said first network is the internet.
  - 19. The method of claim 17 wherein said second set of data is obtained via a second network.
  - 20. The method of claim 19 wherein said second network is the internet.
  - 21. The method of claim 1 wherein said first set of data is obtained by said first source after performance of an operation selected from the group consisting of:
    - vulnerability scan, ethical hack, web application security test, and system security configuration assessment.
  - 22. The method of claim 1 wherein said second set of data is obtained by said second source after performance of an operation selected from the group consisting of:
    - vulnerability scan, ethical hack, web application security test, and system security configuration assessment.
  - 23. The method of claim 1 wherein said first set of data further comprises a first cross-reference identifier and said second set of data further comprises a second-cross-reference identifier.
  - 24. The method of claim 23 wherein said first cross-reference identifier includes a first and a second secondary source identifier and said second cross-reference identifier includes a third and a fourth secondary source identifier.
  - 25. The method of claim 23 including the steps of:
    - if a correlation using the first and second unique identifiers does not exist, determining if said first and second cross-reference identifiers correlate to the same finding identifier in said cross-reference database; and
      
      if a correlation using the first and second-cross-reference identifiers does exist, entering into said security database said first set of data and assigning said first set of data a unique database identifier.
  - 26. The method of claim 23 including the steps of:
    - if a correlation using the first and second unique identifiers does not exist, determining if said first and second cross-reference identifiers correlate to the same finding identifier in said cross-reference database; and
      
      if a correlation using the first and second-cross-reference identifiers does exist, entering into said security database said second set of data and assigning said second set of data a unique database identifier.
  - 27. The method of claim 23 including the steps of:
    - if a correlation using the first and second unique identifiers does not exist, determining if said first and second cross-reference identifiers correlate to the same finding identifier in said cross-reference database; and
      
      if a correlation using the first and second-cross-reference identifiers does exist, entering into said security database said first and second set of data and assigning said first and second set of data a unique database identifier.
  - 28. The method of claim 23 wherein said step of determining if said first and said second unique identifiers correlate to the same finding identifier further comprises comparing the first cross-reference identifier to the second unique identifier.

29. A method for managing computer security testing using data from plural sources, comprising the steps of:
- (a) providing a database of computer security information, said database adapted to receive sets of data from plural computer security data sources;
  
  (b) providing a computer-readable medium containing software for;
  
  (1) receiving a first set of data from a first one of said plural sources, said first set of data containing information from at least one of a security task performed by said first source and a report of results from performing said security task by said first source;
  
  (2) receiving a second set of data from a second one of said plural sources, said second set of data containing information from at least one of a security task performed by said second source and a report of results from performing said security task by said second source;
  
  (3) preventing access, by a one of said plural sources, of data received in said security database from another of said plural sources;
  
  (c) initiating a computer security test on a technology platform;
  
  (d) receiving said first and second set of data;
  
  (e) displaying information on a display device wherein said information is derived in part from at least one of said first and second sets of data; and
  
  (f) managing the security vulnerability of the technology platform as a function of said information.
- View Dependent Claims (30, 31, 32, 33, 34, 35, 36, 37, 38, 39, 40, 41, 42, 43, 44, 45, 46, 47, 48, 49, 50, 51, 52, 53)
- - 30. The method of claim 29 wherein said first source is a public data source.
  - 31. The method of claim 30 wherein said second source is a public data source.
  - 32. The method of claim 30 wherein said first source is the Open Source Vulnerability Database (“
    - OSVDB”
      
      ).
  - 33. The method of claim 30 wherein said first source is selected from the group consisting of:
    - Nessus, Common Vulnerability Exposures (“
      
      CVE”
      
      ), AppScan, Burp Proxy, Nmap, Nikto, WebInspect, and WebScanner.
  - 34. The method of claim 29 wherein said database of security information includes data from the TSL Knowledgebase.
  - 35. The method of claim 29 wherein said technology platform is selected from the group consisting of:
    - computer, network, operating system, and software application.
  - 36. The method of claim 29 wherein said first set of data comprises at least one of the following fields of information:
    - a name of a security vulnerability, a description of the security vulnerability, and a recommendation for correcting the security vulnerability.
  - 37. The method of claim 36 wherein said first set of data comprises at least one of the following fields of information:
    - an assigned priority level for the security vulnerability and a categorization of the technology platform affected by the security vulnerability.
  - 38. The method of claim 29 wherein said second set of data comprises at least one of the following fields of information:
    - a name of a security vulnerability, a description of the security vulnerability, and a recommendation for correcting the security vulnerability.
  - 39. The method of claim 38 wherein said second set of data comprises at least one of the following fields of information:
    - an assigned priority level for the security vulnerability and a categorization of the technology platform affected by the security vulnerability.
  - 40. The method of claim 29 including the step of updating said database of computer security information with a third set of data.
  - 41. The method of claim 29 wherein said first set of data is obtained via a first network.
  - 42. The method of claim 41 wherein said first network is the internet.
  - 43. The method of claim 41 wherein said second set of data is obtained via a second network.
  - 44. The method of claim 43 wherein said second network is the internet.
  - 45. The method of claim 29 wherein said information includes a statistical analysis based in part on said first set of data.
  - 46. The method of claim 29 wherein said information includes a trend analysis based in part on said first set of data.
  - 47. The method of claim 29 wherein said information includes a comparative risk rating.
  - 48. The method of claim 29 wherein said information includes a risk comparison chart.
  - 49. The method of claim 29 wherein said information includes a security vulnerability frequency chart.
  - 50. The method of claim 29 wherein said information includes a list of most common security vulnerabilities.
  - 51. The method of claim 29 wherein said information includes a list of weighted security vulnerability impact chart.
  - 52. The method of claim 29 wherein said first set of data is obtained by said first source after performance of an operation selected from the group consisting of:
    - vulnerability scan, ethical hack, and web application security test.
  - 53. The method of claim 29 wherein said second set of data is obtained by said second source after performance of an operation selected from the group consisting of:
    - vulnerability scan, ethical hack, and web application security test.

54. An apparatus for maintaining a database of computer security data comprising:
- a security database containing sets of data each with a unique database identifier, wherein ones of the data sets relate to different computer security vulnerabilities;
  
  means for obtaining a first set of data having a first identifier from a first source, wherein said first source contains first data sets each with a first unique identifier, and wherein ones of the first data sets relate to different computer security vulnerabilities;
  
  means for obtaining a second set of data having a second identifier from a second source, wherein said second source contains second data sets each with a second unique identifier, and wherein ones of the second data sets relate to different computer security vulnerabilities;
  
  means for providing a cross-reference database comprising a list of finding identifiers correlated with said first unique identifiers from said first source and said second unique identifiers from said second source, wherein said correlated identifiers each refer to a similar security vulnerability;
  
  means for determining if said first and said second identifiers correlate to the same finding identifier in said cross-reference database; and
  
  means for entering into said security database said first set of data and assigning said first set of data a unique database identifier, if a correlation exists.
- View Dependent Claims (55, 56, 57, 58, 59, 60, 61, 62, 63, 64, 65, 66, 67, 68, 69, 70, 71, 72, 73, 74, 75, 76, 77, 78, 79, 80, 81)
- - 55. The apparatus of claim 54 wherein said first source is a public data source.
  - 56. The apparatus of claim 55 wherein said second source is a public data source.
  - 57. The apparatus of claim 55 wherein said first source is the Open Source Vulnerability Database (“
    - OSVDB”
      
      ).
  - 58. The apparatus of claim 55 wherein said first source is selected from the group consisting of:
    - Nessus, Common Vulnerability Exposures (“
      
      CVE”
      
      ), AppScan, Burp Proxy, Nmap, Nikto, WebInspect, and WebScanner.
  - 59. The apparatus of claim 54 wherein said security database is the TSL Knowledgebase.
  - 60. The apparatus of claim 54 wherein ones of the data sets in the security database comprise at least one of the following fields of information:
    - a name of a security vulnerability, a description of the security vulnerability, and a recommendation for correcting the security vulnerability.
  - 61. The apparatus of claim 60 wherein said ones of the data sets in the security database further comprise at least one of the following fields of information:
    - an assigned priority level for the security vulnerability and a categorization of the technology platform affected by the security vulnerability.
  - 62. The apparatus of claim 61 wherein the technology platform is selected from the group consisting of:
    - computer, network, operating system, and software application.
  - 63. The apparatus of claim 54 wherein ones of the first data sets of the first source comprise at least one of the following fields of information:
    - a name of a security vulnerability, a description of the security vulnerability, and a recommendation for correcting the security vulnerability.
  - 64. The apparatus of claim 63 wherein said ones of the first data sets of the first source further comprise at least one of the following fields of information:
    - an assigned priority level for the security vulnerability and a categorization of the type of technology affected by the security vulnerability.
  - 65. The apparatus of claim 54 further comprising means for updating said cross-reference database with the assigned unique database identifier and said first identifier.
  - 66. The apparatus of claim 54 further comprising means for entering into said security database said second set of data and assigning said second set of data a unique database identifier, if a correlation does not exist.
  - 67. The apparatus of claim 66 further comprising means for updating said cross-reference database with the assigned unique database identifier and said second identifier.
  - 68. The apparatus of claim 54 including means for entering into said security database a third set of data and assigning said third set of data a unique database identifier.
  - 69. The apparatus of claim 68 further comprising means for updating said cross-reference database with the assigned unique database identifier.
  - 70. The apparatus of claim 54 wherein said first set of data is obtained via a first network.
  - 71. The apparatus of claim 70 wherein said first network is the internet.
  - 72. The apparatus of claim 70 wherein said second set of data is obtained via a second network.
  - 73. The apparatus of claim 72 wherein said second network is the internet.
  - 74. The apparatus of claim 54 wherein said first set of data is obtained by said first source after performance of an operation selected from the group consisting of:
    - vulnerability scan, ethical hack, and web application security test.
  - 75. The apparatus of claim 54 wherein said second set of data is obtained by said second source after performance of an operation selected from the group consisting of:
    - vulnerability scan, ethical hack, and web application security test.
  - 76. The apparatus of claim 54 wherein said first set of data further comprises a first cross-reference identifier and said second set of data further comprises a second-cross-reference identifier.
  - 77. The apparatus of claim 76 wherein said first cross-reference identifier includes a first and a second secondary source identifier and said second cross-reference identifier includes a third and a fourth secondary source identifier.
  - 78. The apparatus of claim 76 further comprising:
    - means for determining if said first and second cross-reference identifiers correlate to the same finding identifier in said cross-reference database if a correlation using the first and second unique identifiers does not exist; and
      
      means for entering into said security database said first set of data and assigning said first set of data a unique database identifier if a correlation using the first and second-cross-reference identifiers exists.
  - 79. The apparatus of claim 76 further comprising:
    - means for determining if said first and second cross-reference identifiers correlate to the same finding identifier in said cross-reference database if a correlation using the first and second unique identifiers does not exist; and
      
      means for entering into said security database said second set of data and assigning said second set of data a unique database identifier if a correlation using the first and second-cross-reference identifiers exists.
  - 80. The apparatus of claim 76 further comprising:
    - means for determining if said first and second cross-reference identifiers correlate to the same finding identifier in said cross-reference database if a correlation using the first and second unique identifiers does not exist; and
      
      means for entering into said security database said first and second set of data and assigning said first and second set of data a unique database identifier if a correlation using the first and second-cross-reference identifiers exists.
  - 81. The apparatus of claim 76 wherein said means for determining if said first and said second unique identifiers correlate to the same finding identifier further comprises means for comparing the first cross-reference identifier to the second unique identifier.

82. An apparatus for managing computer security testing using data from plural sources, comprising:
- a database of computer security information, said database adapted to receive sets of data from plural computer security data sources;
  
  a processor programmed with instructions for;
  
  (1) receiving a first set of data from a first one of said plural sources, said first set of data containing information from at least one of a security task performed by said first source and a report of results from performing said security task by said first source;
  
  (2) receiving a second set of data from a second one of said plural sources, said second set of data containing information from at least one of a security task performed by said second source and a report of results from performing said security task by said second source;
  
  (3) preventing access, by a one of said plural sources, of data received in said security database from another of said plural sources;
  
  (4) initiating a computer security test on a technology platform upon receipt of a command from a user;
  
  (5) receiving said first and second set of data;
  
  (6) providing information that is derived in part from at least one of said first and second sets of data;
  
  a display device for displaying said information; and
  
  means for managing the security vulnerability of the technology platform as a function of said information.
- View Dependent Claims (83, 84, 85, 86, 87, 88, 89, 90, 91, 92, 93, 94, 95, 96, 97, 98, 99, 100, 101, 102, 103, 104, 105, 106)
- - 83. The apparatus of claim 82 wherein said first source is a public data source.
  - 84. The apparatus of claim 83 wherein said second source is a public data source.
  - 85. The apparatus of claim 83 wherein said first source is the Open Source Vulnerability Database (“
    - OSVDB”
      
      ).
  - 86. The apparatus of claim 83 wherein said first source is selected from the group consisting of:
    - Nessus, Common Vulnerability Exposures (“
      
      CVE”
      
      ), AppScan, Burp Proxy, Nmap, Nikto, WebInspect, and WebScanner.
  - 87. The apparatus of claim 82 wherein said database of security information includes data from the TSL Knowledgebase.
  - 88. The apparatus of claim 82 wherein said technology platform is selected from the group consisting of:
    - computer, network, operating system, and software application.
  - 89. The apparatus of claim 82 wherein said first set of data comprises at least one of the following fields of information:
    - a name of a security vulnerability, a description of the security vulnerability, and a recommendation for correcting the security vulnerability.
  - 90. The apparatus of claim 89 wherein said first set of data comprises at least one of the following fields of information:
    - an assigned priority level for the security vulnerability and a categorization of the technology platform affected by the security vulnerability.
  - 91. The apparatus of claim 82 wherein said second set of data comprises at least one of the following fields of information:
    - a name of a security vulnerability, a description of the security vulnerability, and a recommendation for correcting the security vulnerability.
  - 92. The apparatus of claim 91 wherein said second set of data comprises at least one of the following fields of information:
    - an assigned priority level for the security vulnerability and a categorization of the technology platform affected by the security vulnerability.
  - 93. The apparatus of claim 82 including means for updating said database of computer security information with a third set of data.
  - 94. The apparatus of claim 82 wherein said first set of data is obtained via a first network.
  - 95. The apparatus of claim 94 wherein said first network is the internet.
  - 96. The apparatus of claim 94 wherein said second set of data is obtained via a second network.
  - 97. The apparatus of claim 96 wherein said second network is the internet.
  - 98. The apparatus of claim 82 wherein said information includes a statistical analysis based in part on said first set of data.
  - 99. The apparatus of claim 82 wherein said information includes a trend analysis based in part on said first set of data.
  - 100. The apparatus of claim 82 wherein said information includes a comparative risk rating.
  - 101. The apparatus of claim 82 wherein said information includes a risk comparison chart.
  - 102. The apparatus of claim 82 wherein said information includes a security vulnerability frequency chart.
  - 103. The apparatus of claim 82 wherein said information includes a list of most common security vulnerabilities.
  - 104. The apparatus of claim 82 wherein said information includes a list of weighted security vulnerability impact chart.
  - 105. The apparatus of claim 82 wherein said first set of data is obtained by said first source after performance of an operation selected from the group consisting of:
    - vulnerability scan, ethical hack, web application security test, and system security configuration assessment.
  - 106. The apparatus of claim 82 wherein said second set of data is obtained by said second source after performance of an operation selected from the group consisting of:
    - vulnerability scan, ethical hack, and web application security test.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Tekmark Global Solutions LLC
Original Assignee
Tekmark Global Solutions LLC
Inventors
Brock, David, Sahlberg, Jeremiah, Hammes, Peter, McNeal, Robert

Application Number

US11/394,223
Publication Number

US 20070061885A1
Time in Patent Office

Days
Field of Search
US Class Current

726/25
CPC Class Codes

G06F 21/31   User authentication

G06F 21/577   Assessing vulnerabilities a...

H04L 9/3226   using a predetermined code,...

H04L 9/3236   using cryptographic hash fu...

System and method for managing security testing

First Claim

2 Assignments

0 Petitions

Accused Products

Abstract

73 Citations

106 Claims

Specification

Solutions

Use Cases

Quick Links

System and method for managing security testing

First Claim

2 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

73 Citations

106 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links