Methods and systems for providing feedback and suggested programming methods
Country / Type: United States (US) Patent, Registered
International Patent Classification (IPC 7th ed.): G06F-009/44; G06F-011/36
Application number: US-0770487 (2013-02-19)
Registration number: US-9286063 (2016-03-15)
Inventors: Kriegsman, Mark; Black, Brian
Applicant: Veracode, Inc.
Agent: Goodwin Procter LLP
Citation information: times cited: 0; cited patents: 101
Abstract
The techniques and supporting systems described herein provide a comprehensive and customizable approach to identifying the use of best practices during the design and development of software applications, as well as recommending additional enhancements or courses of action that may be implemented to further improve the application. Target software application code is received, and specific application security best practices applicable to the target software application are identified. Locations in the code where the various best practices ought to be implemented are then identified, and a determination is made whether the relevant best practices are implemented for each location. Finally, positive feedback is provided to the developers for what appears to be their correct implementation of best practices.
Representative claims
1. A software security assessment platform, comprising: a communications server, which in operation, receives technical characteristics of a target software application and business context information relating to the target software application; an analysis engine, which in operation: examines code of the target software application received and generates a model of the software application, the model containing control-flow and data-flow graphs of the software application; identifies specific application security best practices that are applicable to the target software application; identifies locations in the code of the target application, the locations being based on, at least in part, the control and data flow of the code contained in the model, and the locations indicating where code segments according to the identified best practices ought to be implemented, and determines for each of the locations whether the code segments according to the relevant best practices appear to have been implemented; determines at each of the locations whether the relevant best practices appear to have been implemented correctly and to what extent they have been implemented incompletely or incorrectly; and provides mixed positive and negative feedback to a developer for locations where it appears that the developer attempted to implement a certain best practice, and the implementation is correct, incomplete, or incorrect, excluding at least one location where a best practice is attempted but need not be implemented.
2. The platform of claim 1 further comprising a dynamic analysis engine that executes the target software application in a manner that mirrors or emulates the runtime environment in which it operates.
3. The platform of claim 1 further comprising a static analysis engine that receives a binary or bytecode version of the target software application as input and creates a high-level semantic model of the application containing control-flow and data-flow graphs of the application for analysis.
4. The platform of claim 1 further comprising a pen testing engine that performs penetration testing of the target software application.
5. The platform of claim 1 further comprising a manual code review module that receives input from manual review processes including a human operator visually reviewing the code of the target software application to determine if proper coding form and standards have been followed, and looking for “extra” functions often left in the application.
6. The platform of claim 1 further comprising a benchmarking and reporting module that compares assessment results among applications, developers, teams and/or organizations.
7. The platform of claim 1 further comprising a digital rights management engine that applies a digital rights management process against application assessment input data, thereby limiting distribution and use of the vulnerability test results to specified users.
8. The platform of claim 1 wherein the analysis engine provides mixed positive and negative feedback to the developers for locations where it appears that the developers attempted to implement a certain best practice, but the implementation is incomplete or incorrect.
9. The platform of claim 1 wherein the analysis engine examines the target software application through parsing of one or more of the source code, the compiled bytecode, and binary executable code of the target software application.
10. The platform of claim 1 wherein the analysis engine maps the best practices that are applicable to the target software application as a series of IF-THEN rules, wherein the rules are applied in a “forward-chaining” approach, a hierarchical approach, or a multi-path approach such that the applicability of certain rules is dependent upon the evaluation of other higher-order rules.
11. The platform of claim 1 wherein the analysis engine identifies locations in the code of the target application where the identified best practices ought to be implemented by using a series of pattern-matching rules.
12. The platform of claim 1 wherein the analysis engine determines at each of the locations whether the relevant best practices appear to have been implemented by scanning the code of the target software application for the presence of cleanser functions.
13. The platform of claim 1 wherein the analysis engine determines at each of the locations to what extent the relevant best practices have been implemented incompletely or incorrectly by scanning the code of the target software application for common errors of correctness or completeness.
14. The platform of claim 1 wherein the analysis engine provides positive feedback to developers of the target software application by flagging the implementation of the best practices based on whether or not implementation errors are detected.
15. The platform of claim 1 wherein the analysis engine provides mixed positive and negative feedback to the developers for locations where it appears that the developers attempted to implement a certain best practice, but the implementation of the best practice is either incomplete or incorrect.
16. The platform of claim 1 wherein the analysis engine does not provide positive feedback in situations where there is no need for implementation of a “best practice”.
17. The platform of claim 1 wherein the analysis engine does not provide any feedback if there is no actual security threat in a particular area of the code regardless of what the developer has implemented.
18. A method for software security assessment, comprising: receiving technical characteristics of a target software application and business context information relating to the target software application; examining code of the target software application received and generating a model of the software application, the model containing control-flow and data-flow graphs of the software application; identifying locations in the code of the target application, the locations being based on, at least in part, the control and data flow of the code contained in the model, and the locations indicating where code segments according to the identified best practices ought to be implemented and determining for each of the locations whether the code segment according to the relevant best practices appear to have been implemented; determining at each of the locations whether the relevant best practices appear to have been implemented correctly and to what extent they have been implemented incompletely or incorrectly; and providing mixed positive and negative feedback to a developer for locations where it appears that the developer attempted to implement a certain best practice, and the implementation is correct, incomplete, or incorrect, excluding at least one location where a best practice is attempted but need not be implemented.
19. The method of claim 18 further comprising executing the target software application in a manner that mirrors or emulates the runtime environment in which it operates.
20. The method of claim 18 further comprising receiving a binary or bytecode version of the target software application as input and creating a high-level semantic model of the application containing control-flow and data-flow graphs of the application for analysis.
21. The method of claim 18 further comprising performing penetration testing of the target software application.
22. The method of claim 18 further comprising receiving input from manual review processes including a human operator visually reviewing the code of the target software application to determine if proper coding form and standards have been followed, and looking for “extra” functions often left in the application.
23. The method of claim 18 further comprising comparing assessment results among applications, developers, teams and/or organizations.
24. The method of claim 18 further comprising applying a digital rights management process against application assessment input data, thereby limiting distribution and use of the vulnerability test results to specified users.
25. The method of claim 18 further comprising providing mixed positive and negative feedback to the developers for locations where it appears that the developers attempted to implement a certain best practice, but the implementation is incomplete or incorrect.
26. The method of claim 18 further comprising examining the target software application through parsing of one or more of the source code, the compiled bytecode, and binary executable code of the target software application.
27. The method of claim 18 further comprising mapping the best practices that are applicable to the target software application as a series of IF-THEN rules, wherein the rules are applied in a “forward-chaining” approach, a hierarchical approach, or a multi-path approach such that the applicability of certain rules is dependent upon the evaluation of other higher-order rules.
28. The method of claim 18 further comprising identifying locations in the code of the target application where the identified best practices ought to be implemented by using a series of pattern-matching rules.
29. The method of claim 18 further comprising determining at each of the locations whether the relevant best practices appear to have been implemented by scanning the code of the target software application for the presence of cleanser functions.
30. The method of claim 18 further comprising determining at each of the locations to what extent the relevant best practices have been implemented incompletely or incorrectly by scanning the code of the target software application for common errors of correctness or completeness.
31. The method of claim 18 further comprising providing positive feedback to developers of the target software application by flagging the implementation of the best practices based on whether or not implementation errors are detected.
32. The method of claim 18 further comprising providing mixed positive and negative feedback to the developers for locations where it appears that the developers attempted to implement a certain best practice, but the implementation of the best practice is either incomplete or incorrect.
33. The method of claim 18 further comprising not providing positive feedback in situations where there is no need for implementation of a “best practice”.
34. The method of claim 18 further comprising not providing any feedback if there is no actual security threat in a particular area of the code regardless of what the developer has implemented.
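As an added illustration of the feedback logic the claims describe (this is constructed example code, not the patent's or Veracode's implementation), a toy analysis engine that walks a straight-line data-flow model, applies IF-THEN rules to find the locations where a best practice ought to be implemented, looks for cleanser functions, and returns positive, mixed, negative or no feedback per location. The rule table, the cleanser names and the sample handler are all assumptions made up for the example.

```python
"""Toy version of the claimed analysis engine (illustrative, not Veracode's code): walk a
straight-line data-flow model, find where a practice is required, check for cleansers."""
from dataclasses import dataclass

# IF a sink is of this kind THEN this best practice applies at it (claims 10, 11).
RULES = {"html_out": "output_encoding", "sql_exec": "parameterized_query"}
# Cleanser functions that fully implement a practice (claim 12) ...
COMPLETE = {"output_encoding": {"html_escape"}, "parameterized_query": {"bind_param"}}
# ... and common incomplete attempts at it (claim 13). All names are made up.
PARTIAL = {"output_encoding": {"strip_tags"}, "parameterized_query": {"escape_quotes"}}
CLEAN = ("clean", frozenset(), frozenset())   # (taint, complete practices, partial practices)

@dataclass
class Stmt:
    line: int
    op: str        # "source" | "assign" | "cleanse" | "sink"
    dst: str = ""  # variable written ("source", "assign", "cleanse")
    src: str = ""  # variable read ("assign", "cleanse", "sink")
    fn: str = ""   # cleanser name for "cleanse", sink kind for "sink"

def assess(model):
    """Return {line: verdict} for every sink location in the model."""
    state, feedback = {}, {}
    for s in model:
        taint, full, part = state.get(s.src, CLEAN)
        if s.op == "source":                     # untrusted input enters here
            state[s.dst] = ("tainted", frozenset(), frozenset())
        elif s.op == "assign":                   # taint propagates through copies
            state[s.dst] = (taint, full, part)
        elif s.op == "cleanse":                  # record which practice the call serves
            full = full | {p for p, fns in COMPLETE.items() if s.fn in fns}
            part = part | {p for p, fns in PARTIAL.items() if s.fn in fns}
            state[s.dst] = (taint, full, part)
        elif s.op == "sink":                     # a location where a practice may be required
            need = RULES[s.fn]
            if taint != "tainted":
                feedback[s.line] = "none"        # claims 16/17: no threat, say nothing
            elif need in full:
                feedback[s.line] = "positive"    # claim 14: correct implementation
            elif need in part:
                feedback[s.line] = "mixed: incomplete"
            elif full or part:
                feedback[s.line] = "mixed: incorrect"   # cleansed, but for the wrong sink
            else:
                feedback[s.line] = "negative"    # practice required, nothing attempted
    return feedback

# Constructed sample model of one request handler (not taken from any real program).
SAMPLE = [
    Stmt(1, "source", dst="name"),
    Stmt(2, "cleanse", dst="safe", src="name", fn="html_escape"),
    Stmt(3, "sink", src="safe", fn="html_out"),      # correct cleanser for this sink
    Stmt(4, "cleanse", dst="half", src="name", fn="strip_tags"),
    Stmt(5, "sink", src="half", fn="html_out"),      # attempted, but incomplete
    Stmt(6, "sink", src="safe", fn="sql_exec"),      # HTML escaping does not parameterize SQL
    Stmt(7, "sink", src="name", fn="sql_exec"),      # nothing attempted
    Stmt(8, "assign", dst="title", src="CONST"),     # constant: never tainted
    Stmt(9, "cleanse", dst="t2", src="title", fn="html_escape"),
    Stmt(10, "sink", src="t2", fn="html_out"),       # escaped, but no threat: no feedback
]
```

Calling `assess(SAMPLE)` reports one verdict per sink; the line-10 case shows the claim 16/17 behaviour of staying silent where a cleanser was applied but no practice was needed.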