DEIDENTIFYING CODE FOR CROSS-ORGANIZATION REMEDIATION KNOWLEDGE

    Publication number: US20230153459A1

    Publication date: 2023-05-18

    Application number: US17754194

    Filing date: 2020-11-10

    Applicant: Veracode, Inc.

    IPC classification: G06F21/62 G06F8/40

    CPC classification: G06F21/6245 G06F8/40

    Abstract: To preserve privacy when leveraging organization-specific remediation knowledge for flaw remediation across organizations, program code is deidentified to remove code which potentially identifies its source/origin. Deidentification operates based on structure of flaws and fixes at the level of source code constructs based on an abstract syntax tree (AST) or other structural context representation of a fix and corresponding flaw. Potentially identifying portions of a fix indicated in its AST are determined and modified (e.g., removed or obfuscated) without impacting AST structure. Deidentified remediation knowledge originating from different organizations is used to train a fix suggestion model(s) which learns structural context of fixes and corresponding flaws and, once trained, generates predictions indicating suggested fixes to flaws based on structural contexts of the flaws. Deidentification can occur before training of the fix suggestion model(s) or during prediction so potentially identifying program code is removed before suggested fixes are consumed by different organizations.

    Flaw attribution and correlation
    2.
    Granted patent

    Publication number: US10275601B2

    Publication date: 2019-04-30

    Application number: US15176911

    Filing date: 2016-06-08

    Applicant: Veracode, Inc.

    Inventor: Bradford M. Smith

    Abstract: In a system for attributing one or more vulnerabilities in a software application to one or more developers, information identifying the source of a vulnerability is obtained from a vulnerability report. From a repository, developer-related information associated with the identified source is obtained. One or more developers are selected from the developer-related information according to one or more specified rules, and the defect is attributed to the selected developer(s). Attribution of the defect may indicate that the developer(s) contributed to introduction of the defect or to remedying the defect.

    System and method for facilitating static analysis of software applications

    Publication number: US09645800B2

    Publication date: 2017-05-09

    Application number: US14577388

    Filing date: 2014-12-19

    Applicant: Veracode, Inc.

    Inventor: Mansi Sheth

    Abstract: In a system for enabling static vulnerability analysis of a software/web application that includes an indirectly modeled language portion and a directly modeled language portion, an indirectly modeled language information extractor selects nodes of certain types from a syntax tree corresponding to the indirectly modeled language source code. Generally, the types of nodes that are selected are relevant to taint propagation. For one or more of the selected nodes, one or more statements corresponding to one or more of a type of the node, an input to the node, and an object associated with the node are generated. A static analyzer configured for a directly modeled language may then perform vulnerability analysis of the software/web application using the generated statements.

    Methods and systems for providing feedback and suggested programming methods
    5.
    Granted patent (in force)

    Publication number: US09286063B2

    Publication date: 2016-03-15

    Application number: US13770487

    Filing date: 2013-02-19

    Applicant: Veracode, Inc.

    IPC classification: G06F9/44 G06F11/36

    Abstract: The techniques and supporting systems described herein provide a comprehensive and customizable approach to identifying the use of best practices during the design and development of software applications, as well as recommending additional enhancements or courses of action that may be implemented to further improve the application. Target software application code is received, and specific application security best practices applicable to the target software application are identified. Locations in the code where the various best practices ought to be implemented are then identified, and a determination is made whether the relevant best practices are implemented for each location. Finally, positive feedback is provided to the developers for what appears to be their correct implementation of best practices.


    System and method for implementing application policies among development environments
    6.
    Granted patent (in force)

    Publication number: US09195833B2

    Publication date: 2015-11-24

    Application number: US14083750

    Filing date: 2013-11-19

    Applicant: Veracode, Inc.

    Abstract: In a system for facilitating distributed security and vulnerability testing of a software application, each development sandbox in a set of sandboxes receives a portion of the entire application, and the received portion may be tested based on an application-level security policy to obtain a pass/fail result. The portion of the application corresponding to a certain sandbox may be modified and rescanned (i.e., retested) until the modifications (i.e., the development work) achieve the functional and quality requirements and a pass result is obtained. Thereafter, the scan results are promoted to a policy sandbox, where a compliance result for the entire software application can be obtained based, at least in part, on the promoted results. Other sandboxes may also perform their respective pass/fail testing using the promoted results, thus minimizing the need to synchronize the code changes in different sandboxes before testing for security policy in any sandbox and/or during application-level scanning.


    SOFTWARE ANALYSIS FRAMEWORK
    7.
    Patent application (in force)

    Publication number: US20150106795A1

    Publication date: 2015-04-16

    Application number: US14295691

    Filing date: 2014-06-04

    Applicant: Veracode, Inc.

    Inventor: Christien Rioux

    IPC classification: G06F9/45

    CPC classification: G06F8/53 G06F8/427

    Abstract: Presently described is a decompilation method of operation and system for parsing executable code, identifying and recursively modeling data flows, identifying and recursively modeling control flow, and iteratively refining these models to provide a complete model at the nanocode level. The nanocode decompiler may be used to determine if flaws, security vulnerabilities, or general quality issues exist in the code. The nanocode decompiler outputs in a standardized, human-readable intermediate representation (IR) designed for automated or scripted analysis and reporting. Reports may take the form of a computer annotated and/or partially human annotated nanocode listing in the above-described IR. Annotations may include plain English statements regarding flaws and pointers to badly constructed data structures, unchecked buffers, malicious embedded code or "trap doors," and the like. Annotations may be generated through a scripted analysis process or by means of an expert-enhanced, quasi-autonomous system.


    Assessment and analysis of software security flaws in virtual machines
    8.
    Granted patent (in force)

    Publication number: US08613080B2

    Publication date: 2013-12-17

    Application number: US13154576

    Filing date: 2011-06-07

    IPC classification: H04L29/06

    Abstract: Security analysis and vulnerability testing results are "packaged" with or "bound to" the actual software they describe. By linking the results to the software itself, downstream users of the software can access information about the software, make informed decisions about implementation of the software, and analyze the security risk across an entire system by accessing all (or most) of the reports associated with the executables running on the system and summarizing the risks identified in the reports.


    INFERRING TYPE DEFINITIONS OF USER-DEFINED TYPES OF VARIABLES IN APPLICATION PROGRAM CODE

    Publication number: US20240329955A1

    Publication date: 2024-10-03

    Application number: US18194599

    Filing date: 2023-03-31

    Applicant: Veracode, Inc.

    IPC classification: G06F8/41 G06F11/36

    CPC classification: G06F8/437 G06F11/3612

    Abstract: Type definitions of user-defined types in application program code for which definitions are absent ("unknown types") are inferred. A static analyzer implements two passes of a fixed-point type inference algorithm. Each pass encompasses a plurality of traversals of the application's control flow to build inferred definitions of unknown types until the inferred definitions are maximally built. To build an inferred definition, based on inferring that a variable is of an unknown type, the static analyzer infers member variables/functions of the unknown type based on contextual information associated with the variable. Type information of unknown types is propagated along control flow paths. After the first pass terminates, unknown types can be assigned known types based on matching of inferred definitions. Inferred definitions of remaining unknown types are incorporated into the application program code. A second pass of type inferencing and data flow analysis is then performed with the inferred definitions incorporated therein.