Security risk evaluation
US-2018121657-A1 · May 3, 2018 · US
Automated secure software development management, risk assessment, and risk remediation
US10740469B2 · US · B2
| Field | Value |
|---|---|
| Publication number | US-10740469-B2 |
| Application number | US-201715856618-A |
| Country | US |
| Kind code | B2 |
| Filing date | Dec 28, 2017 |
| Priority date | Dec 28, 2017 |
| Publication date | Aug 11, 2020 |
| Grant date | Aug 11, 2020 |
How to read this patent
A practical reading order for non-experts. Skip the full description unless you need deep technical detail.
- Title
What the patent document calls the invention.
- Abstract
A short plain-language summary of the technical disclosure.
- Assignees and inventors
Who owns or filed the patent and who is credited as inventor.
- Key dates
Filing, priority, publication, and grant dates set the timeline.
- First independent claim
The legal scope of protection — read this for what is actually claimed.
- CPC / IPC classifications
Technology tags used to group this patent with similar filings.
- Citations and related patents
Prior art links and similar publications in this corpus.
Abstract
Official abstract text for this publication.
Methods and apparatuses are described for automated secure software development management, risk assessment and risk remediation. A server generates security requirements for a software application under development based upon a plurality of technical attributes and a threat model. The server creates a first set of development tasks based upon the generated security requirements. The server scans source code to identify one or more security vulnerabilities and creates a second set of development tasks based upon the identified vulnerabilities. The server generates a security risk score based upon the generated security requirements and the identified vulnerabilities. The server deploys the software application under development to a production computing system upon determining that the security risk score satisfies a criterion. The server generates security findings based upon operation of the software application after being deployed to the production computing system, and creates a third set of development tasks based upon the findings.
First claim
Opening claim text (preview).
What is claimed is: 1. A system for automated secure software development management, risk assessment, and risk remediation, the system comprising a server computing device that: generates security requirements for a software application under development based upon a plurality of technical attributes of the software application under development and a threat model associated with the software application under development, including: generating the threat model for the software application under development based upon the plurality of technical attributes, the threat model comprising one or more security threats existing in the software application under development, determining an initial set of one or more security requirements for the software application under development based upon the plurality of technical attributes, each security requirement associated with a mitigation plan that, when implemented in the software application under development, resolves a security threat, correlating the initial set of security requirements to one or more of the security threats in the threat model to determine which of the security threats are mitigated by the mitigation plan, and generating a final set of security requirements based upon the security threats left unmitigated; creates a first set of development tasks in a software development issue tracking platform based upon the generated security requirements; scans source code associated with the software application under development to identify one or more security vulnerabilities associated with the source code; creates a second set of development tasks in the software development issue tracking platform based upon the identified security vulnerabilities; generates a security risk score for the software application under development based upon the generated security requirements and the identified security vulnerabilities; deploys the software application under development to a production computing system upon determining that the security risk score satisfies a predetermined criterion; generates one or more security findings based upon operation of the software application after being deployed to the production computing system; and creates a third set of development tasks in the software development issue tracking system based upon the security findings. 2. The system of claim 1 , wherein creating the first set of development tasks in the software development issue tracking platform comprises: identifying the mitigation plan corresponding to the security requirements in the final set of security requirements; converting each mitigation plan into one or more development tasks; and transmitting the one or more development tasks to the software development issue tracking platform to create the first set of development tasks. 3. The system of claim 1 , wherein scanning source code associated with the software application under development to identify one or more security vulnerabilities associated with the source code comprises: parsing lines of code in one or more source code modules to identify a first set of security vulnerabilities; analyzing one or more open source libraries associated with the software application under development to identify a second set of security vulnerabilities; testing one or more external interface components associated with the software application under development to identify a third set of security vulnerabilities; and aggregating the first set of security vulnerabilities, the second set of security vulnerabilities, and the third set of security vulnerabilities into a final set of security vulnerabilities. 4. The system of claim 3 , wherein the server computing device recognizes one or more of the final set of security vulnerabilities as critical vulnerabilities; and prevents a build of the software application under development based upon the critical vulnerabilities. 5. The system of claim 1 , wherein deploying the software application under development to a production computing system further comprises deploying the software application under development to the production computing system upon determining that the development tasks in the first set of development tasks have been completed in the software development issue tracking platform. 6. The system of claim 1 , wherein the server computing device captures security training data associated with one or more developers working on the software application under development; determines a training gap based upon the security training data; and creates a development task in the software development issue tracking platform based upon the training gap. 7. A computerized method of automated secure software development management, risk assessment, and risk remediation, the method comprising: generating, by a server computing device, security requirements for a software application under development based upon a plurality of technical attributes of the software application under development and a threat model associated with the software application under development, including: generating, by the server computing device, the threat model for the software application under development based upon the plurality of technical attributes, the threat model comprising one or more security threats existing in the software application under development, determining, by the server computing device, an initial set of one or more security requirements for the software application under development based upon the plurality of technical attributes, each security requirement associated with a mitigation plan that, when implemented in the software application under development, resolves a security threat, correlating, by the server computing device, the initial set of security requirements to one or more of the security threats in the threat model to determine which of the security threats are mitigated by the mitigation plan, and generating, by the server computing device, a final set of security requirements based upon the security threats left unmitigated; creating, by the server computing device, a first set of development tasks in a software development issue tracking platform based upon the generated security requirements; scanning, by the server computing device, source code associated with the software application under development to identify one or more security vulnerabilities associated with the source code; creating, by the server computing device, a second set of development tasks in the software development issue tracking platform based upon the identified security vulnerabilities; generating, by the server computing device, a security risk score for the software application under development based upon the generated security requirements and the identified security vulnerabilities; deploying, by the server computing device, the software application under development to a production computing system upon determining that the security risk score satisfies a predetermined criterion; generating, by the server computing device, one or more security findings based upon operation of the software application after being deployed to the production computing system; and creating, by the server computing device, a third set of development tasks in the software development issue tracking system based upon the security findings. 8. The method of claim 7 , wherein creating the first set of development tasks in the software development issue tracking platform comprises: identifying, by the server computing device, the mitigation plans corresponding to the security requirements in the final set of security requirements; converting, by the server computing device, each mitigation plan into one or
Assignees
Inventors
Classifications
- G06F8/60Primary
Software deployment · CPC title
Risk analysis of enterprise or organisation activities · CPC title
- G06F21/577Primary
Assessing vulnerabilities and evaluating computer system security · CPC title
Software maintenance or management · CPC title
Parsing · CPC title
Patent family
Related publications grouped by family.
External sources
Frequently asked questions
Answers are generated from the same data shown on this page.
- What does patent US10740469B2 cover?
- Methods and apparatuses are described for automated secure software development management, risk assessment and risk remediation. A server generates security requirements for a software application under development based upon a plurality of technical attributes and a threat model. The server creates a first set of development tasks based upon the generated security requirements. The server sca…
- Who is the assignee on this patent?
- Fmr Llc
- What technology area does this patent fall under?
- Primary CPC classification G06F8/60. Mapped technology areas include Physics.
- When was this patent published?
- Publication date Tue Aug 11 2020 00:00:00 GMT+0000 (Coordinated Universal Time) (B2). Legal status and post-grant events are not shown on this page.
- What related patents are in patentsdb?
- We list 4 related publications on this page (citations in our corpus or others sharing the same primary CPC).