Notice of Pre-AIA  or AIA  Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA .
DETAILED ACTION
This Office action is in response to the Request for Continued Examination (RCE) filed on 1/4/2021.
Claims 1-7, 9, 11-12, 14, and 16-17 are pending and examined below.
Claims 1, 3, 4, 9, 11, 12, 14, and 16-17 have been amended.
Claims 8, 10, 13, and 15 have been cancelled.

Continued Examination Under 37 CFR 1.114
A request for continued examination under 37 CFR 1.114, including the fee set forth in 37 CFR 1.17(e), was filed in this application after final rejection. Since this application is eligible for continued examination under 37 CFR 1.114, and the fee set forth in 37 CFR 1.17(e) has been timely paid, the finality of the previous Office action has been withdrawn pursuant to 37 CFR 1.114. Applicant’s submission filed on 1/4/2021 has been entered.

Response to Amendment
Applicant’s arguments/amendment filed on 1/4/2021 changes the scope of the independent claims. Therefore, a new ground of rejection is applied.

Claim Rejections - 35 USC § 103
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness 
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.


Claims 1-6 and 14-17 are rejected under pre-AIA  35 U.S.C. 103(a) as being unpatentable over 2015/0143524 (hereinafter referred to as Chestna), in view of US 2005/0246773 (hereinafter referred to as Draine), in view of US 2016/0139915 (hereinafter referred to as DIMITRAKOS), in view of US 2013/0061205 (hereinafter referred to as Bohm), and further in view of US 2015/0095899 (hereinafter referred as Carpenter).
In the following claim analysis, Applicant’s claim language is presented boldfaced and Examiner’s explanations are in square brackets.

Referring to claim 1, Chestna discloses:
 a system for application monitoring (Chestna, Abstract, a system for facilitating distributed security and vulnerability testing of a software application), comprising:an interface configured to receive an indication of a new application (Chestna, Fig. 1, para. 22, the metadata 104 and modules 106 corresponding to a software application 102 are generated … Once the policy is determined, it may be assigned at step 154 to the software application 102 [indicating it is a new application because the policy is determined first time and it is to ensure that subsequent modifications of the software application are compliant] so that it can be ensured that subsequent modifications of the software application are compliant with the security/vulnerability policy 108); 
a processor configured to: 
create a metadata storage region associated with the new application (Chestna, Fig. 1, para. 23, the policy is made available to a policy sandbox 114 [a metadata storage region]); 
determine an application compliance identifier associated with the new application (Fig. 1, para. 23, The application-level test results 116 (e.g., AT1) of the scan may be uploaded to the policy sandbox 114 … During further development of the software application, compliance with the policy may be evaluated against these results and a compliance result [the result plus the application name is an application compliance identifier] is obtained);
store the application compliance identifier in the metadata storage region (Chestna, Fig. 1, para. 23, The application-level test results 116 (e.g., AT1) of the scan may be uploaded [stored] to the policy sandbox 114 … During further development of the software application, compliance with the policy may be evaluated against these results and a compliance result [the compliance result plus the application name as the application compliance identifier] is obtained [and stored in the sandbox]).
	Chestna does not explicitly disclose: wherein the metadata storage region stores metadata associated with the application compliance identifier; determine whether the indication of the new application comprises developer metadata; and in response to a determination that the indication of the new application does not comprise developer metadata, add security item.
	However, in an analogous art to the claimed invention in the field of software management, Draine teaches wherein the metadata storage region stores metadata associated with the application compliance identifier (Draine, Fig. 4, para. 26-37, metadata includes keywords [associated with the application compliance identifier] with and category information for component library searches; Fig. 5, para. para. 38, IG. 5 illustrates an example storage 
determine whether the indication of the new application comprises developer metadata (Draine, Fig. 1, para. 20-21, the security analyzer 140 determines which security elements may be available or unavailable given a security context defined [as developer metadata] by the developer at 130); and in response to a determination that the indication of the new application does not comprise developer metadata, add security item (Draine, para. 20-24, upon observing the security output 200, a developer can be instructed that other security items should be added [i.e., not comprising developer data] before constructing or building a respective application).
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to incorporate the teaching of Draine into the teaching of Chestna, with a reasonable expectation of success, to designate a storage area to store metadata associated with the application compliance identifier and determine whether the indication of the new application comprises developer metadata; and in response to a determination that the indication of the new application does not comprise developer metadata, add security item. The modification would be obvious because one of ordinary skill in the art would be motivated to have a storage implementation for metadata for better support locating and retrieving metadata, and provide a security development methodology with a series of acts to ensure secure software deployment.
Chestna as modified does not appear to explicitly disclose: determine whether deploy metadata has been received. However, in an analogous art to the claimed invention in the field of software management, DIMITRAKOS teaches determine whether deploy metadata has been received (DIMITRAKOS, Fig. 2, par. 43, receive one or more compliance characteristics ; par. 47, determining characteristics [deploy metadata] of the deployed software application 202; par. 69, a definition of the compliance characteristic 212 is received).
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to incorporate the teaching of DIMITRAKOS into the teaching of Chestna as modified, with a reasonable expectation of success, to determine whether deploy metadata has been received. The modification would be obvious because one of ordinary skill in the art would be motivated to provide a security development methodology with a series of acts to ensure secure software deployment.
Chestna as modified does not appear to explicitly disclose: wherein the determining of whether the deploy metadata has been received comprises to: determine whether the new application is a legacy application; and in response to determining that the new application is a legacy application, determine that the deploy metadata has not been received.
However, in an analogous art to the claimed invention in the field of software management, Bohm teaches: wherein the determining of whether the deploy metadata has been received comprises to: determine whether the new application is a legacy application (Bohm, para. 68, the process 400 makes a determination as to whether a request to build a legacy application has been received); and in response to determining that the new application is a legacy application, determine that the deploy metadata has not been received (Bohm, Fig. 4, para. 69. in response to determining that a request to build a legacy application has been received, the process 400 makes a determination at decision point 404 as to whether a machine-oriented language interface definition [the deploy metadata] of a new module has been received as input during invocation of the build process).

Chestna as modified does not appear to explicitly disclose: receive running metadata; and store the running metadata in the metadata storage region. However, in an analogous art to the claimed invention in the field of software management, Carpenter teaches: receive running metadata (Carpenter, para. 36, dynamic release control 200 builds metadata describing software applications that are running on a corresponding mainframe system); and store the running metadata in the metadata storage region (Carpenter, para. 62, embedding the appropriate metadata in the registration component 308 to be passed to the upgrade repository 214 [as part of the metadata storage region]).
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to incorporate the teaching of Carpenter into the teaching of Chestna as modified, with a reasonable expectation of success, to expand applicable categories to include "receive running metadata; and store the running metadata in the metadata storage region". The modification would be obvious because one of ordinary skill in the art would be motivated to provide a security development methodology with a series of acts to 

Referring to claim 2, the rejection of claim 1 is incorporated.  Chestna as modified further discloses: the system of claim 1, wherein the new application comprises the new application added by a developer to an application system (Chestna, Fig. 1, para. 23, The application-level test results 116 (e.g., AT1) of the scan may be uploaded to the policy sandbox 114 … During further development of the software application, compliance with the policy may be evaluated against these results and a compliance result is obtained).

Referring to claim 3, the rejection of claim 1 is incorporated.  Chestna as modified further discloses: wherein the indication comprises the developer metadata (Chestna, para. 24, the metadata 122_k associated with the entire application, including developer’s metadata relating to modify and/or test the portion of the program assigned to each sandbox; Draine, Fig. 1 and para 5 and 20-2, security analyzer 140 performs a determination activity to determine whether developer’s metadata relating to security context is available or unavailable).
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to incorporate the teaching of Draine into the teaching of Chestna, with a reasonable expectation of success, to include that the indication comprises the developer metadata. The modification would be obvious because one of ordinary skill in the art would be motivated to have a storage implementation for metadata for better support locating and retrieving metadata, and provide a security development methodology with a series of acts to ensure secure software deployment.

Referring to claim 4, the rejection of claim 1 is incorporated. Chestna as modified further discloses: wherein the new application comprises the legacy application (Bohm, para. 68, the process 400 makes a determination as to whether a request to build a legacy application has been received).
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to incorporate the teaching of Bohm into the teaching of Chestna as modified, with a reasonable expectation of success, to include that the new application comprises the legacy application. The modification would be obvious because one of ordinary skill in the art would be motivated to provide a security development methodology with a series of acts to ensure secure software deployment.

Referring to claim 5, the rejection of claim 4 is incorporated. Chestna as modified further discloses: wherein the legacy application comprises an application that exists on an application server and is newly being added to a metadata storage system (Carpenter, Fig. 1, and par. [0024], at least one software application instance has been updated to a version that has a new compatibility level; par. 61, proprietary mainframe software applications, legacy mainframe software applications, etc., can integrate with the dynamic release control).
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to incorporate the teaching of Carpenter into the teaching of Chestna as modified, with a reasonable expectation of success, to include that the legacy application comprises an application that exists on an application server and is newly being added to a metadata storage system. The modification would be obvious because one of ordinary skill in the art would be motivated to provide a security development methodology with 

Referring to claim 6, the rejection of claim 1 is incorporated. Chestna as modified further discloses: wherein the metadata storage region comprises a new directory for storing metadata (Carpenter, para. 62, embedding the appropriate metadata in the registration component 308 to be passed to the upgrade repository 214 [as a new directory]).
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to incorporate the teaching of Carpenter into the teaching of Chestna as modified, with a reasonable expectation of success, to include that the metadata storage region comprises a new directory for storing metadata. The modification would be obvious because one of ordinary skill in the art would be motivated to provide a security development methodology with a series of acts to ensure secure software deployment.

Referring to claim 14, the rejection of claim 1 is incorporated. Chestna as modified further discloses: wherein the running metadata is received from an application monitor as the new application is run (Carpenter, par [0036], dynamic release control 200 builds metadata describing software applications [including new applications] that are running on a corresponding mainframe system … the metadata may include version information, compatibility information, build information, and other operating requirements for software applications being tracked [received] by the dynamic release control 200).
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to incorporate the teaching of Carpenter into the teaching of Chestna as modified, with a reasonable expectation of success, to include that the 

Claims 16 and 17 are rejected under similar rationales as claim 1.

Claims 7 and 9 are rejected under 35 USC 103 (a) as being unpatentable over Chestna, in view of Draine, in view of DIMITRAKOS, in view of Carpenter, and further in view of US 2011/0093701 (hereinafter referred to as Etchegoyen).

Referring to claim 7, the rejection of claim 1 is incorporated. Chestna as modified does not appear to explicitly disclose: wherein the application compliance identifier is determined from an application name, from a hash of application executable code, from an application identifier table, or from an application file path. However, in an analogous art to the claimed invention in the field of software management, Etchegoyen teaches: wherein the application compliance identifier is determined from an application name (Etchegoyen, par. [0026], The administrative node may store and manage data for numerous different software applications and versions …. Each application and version pair may be associated with a hashed signature, textual description, software application identifier, developer information, signature date and other metadata, in a database; par. [0031], register completed signature values and associated metadata with a tracking database, such as by transmitting the signature values and metadata to the administrative node or other designated data storage resource), from a hash of application executable code (Etchegoyen, par. [0026], Each application and version pair may be associated with a hashed signature, textual description, software application identifier, developer information, signature date and other metadata, in a database), from an application identifier table (Etchegoyen, par. [0032], A signature tracking record [part of the database table] may be created for each subsequent version in the signature database), or from an application file path (Etchegoyen, par. [0033], The reports may also identify any installation or use event for new unauthorized software versions, also organized by category [an application file path]).
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to incorporate the teaching of Etchegoyen into the teaching of Chestna as modified to have a robust compliance identifier method to achieve that the application compliance identifier is determined from an application name, from a hash of application executable code, from an application identifier table, or from an application file path. The modification would be obvious because one of ordinary skill in the art would be motivated to create a method for preventing unauthorized use of software by executing computer-readable code with instructions for recording an indication of at least one selected file of a software application in a memory location accessible to a security component of the software application, in which software application the security component is configured to cause a hash signature of the at least one selected file to be generated in response to a signal arising from use of the software application, hashing the at least one selected file to generate a first file signature, transmitting the first file signature to a secure network-accessible computer memory for storage and subsequent comparison to at least one subsequent file signature generated via operation of the security component on a client device, comparing the first file signature to a second file signature generated by the security component in response to a signal arising from use of the 

Referring to claim 9, the rejection of claim 1 is incorporated. Chestna as modified further discloses: wherein the processor is further configured to in response to determining that the indication of the new application comprises developer metadata, store the developer metadata in the metadata storage region (Etchegoyen, par. [0026], Each application and version pair may be associated with a hashed signature, textual description, software application identifier, developer information, signature date and other metadata, in a database or other data structure), wherein the deploy metadata stored in the metadata storage region is associated with the application compliance identifier (Etchegoyen, Fig. 4, para. 43, the client node may then transmit the comparison signature to the administrative node together with metadata … In steps 408 and 410, the administrative node may compare the comparison fingerprint to a baseline fingerprint for the identified application and version, and transmit comparison results to the client; para. 47, if the results indicate a match, the client, again operating under control of the application security component, may enable full operation 414 of the application at the client node; Chestna, Fig. 1, para. 23, The application-level test results 116 (e.g., AT1) of the scan may be uploaded to the policy sandbox 114 … During further development of the software application, compliance with the policy may be evaluated against these results and a compliance result [an application compliance identifier] is obtained).
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to incorporate the teaching of Etchegoyen into the .

Claims 11 and 12 are rejected under 35 USC 103 (a) as being unpatentable over Chestna, in view of Draine, in view of DIMITRAKOS, in view of Carpenter, and further in view of US 9,575,738 (hereinafter referred to as Chopra).

Referring to claim 11, the rejection of claim 1 is incorporated. Chestna as modified does not appear to explicitly disclose: wherein the deploy metadata comprises metadata determined upon application deployment. However, in an analogous art to the claimed invention in the field of software management, Chopra teaches wherein the deploy metadata comprises metadata determined upon application deployment (Chopra, col. 8 line 60-col. 9, line 8, user interface 410 may present a user with information about the application deployment process. For example, user interface 410 may include a rendering engine configured to render information stored in product database 404 as a topographical graphical representation of a cluster … User interface 410 may also display other information, such as a software install/upgrade path. In this way, a user may monitor, modify, and configure the process of deploying an application to nodes in one or more clusters of one or more coherency groups).
Therefore, it would have been obvious to one of ordinary skill in the art before the 

Referring to claim 12, the rejection of claim 1 is incorporated. Chestna as modified further discloses: wherein the processor is further configured to in response to determining that the deploy metadata has been received (Chopra, Fig. 5, col. 9, lines 46-59, retrieve information about one or more nodes in one or more clusters. For example, if a software application, such as an enterprise application, is to be deployed to a cluster of nodes, configuration and system information may be retrieved for each node in the cluster of nodes. The information may provide a complete representation [as a determining result that the metadata has been received] of each node in a cluster, thus enabling a user or a system component, such as a core engine, to determine an order in which the software application should be installed; col. 11, lines 29-43, Thus, an inventory engine may retrieve information about one or more nodes in one or more clusters of a coherency group and store the information in a database system), store the deploy metadata in the metadata storage region (Chopra, col. 17, lines 18-38, updated inventory information associated with a node may be stored in a separate data object or data entry than previously stored inventory information associated with that same node … metadata associated with the inventory information may be stored in the database system as well).
Therefore, it would have been obvious to one of ordinary skill in the art before the .

Response to Arguments
Applicant’s arguments filed on 1/4/2021 have been considered, but are unpersuasive/moot in view of the new ground(s) of rejection.
In the Remarks at pages 1-2, Applicant argues:
As discussed during the interview, the applied references fail to teach or render obvious "determine whether the indication of the new application comprises developer metadata; and in response to a determination that the indication of the new application does not comprise developer metadata: determine whether deploy metadata has been received, wherein the determining of whether the deploy metadata has been received comprises to: determine whether the new application is a legacy application; and in response to determining that the new application is a legacy application, determine that the deploy metadata has not been received; and in response to a determination that the deploy metadata has not been received: receive running metadata; and store the running metadata in the metadata storage region," as recited in claim 1 and similarly recited in claims 16 and 17.
Examiner’s response:
Examiner respectfully disagrees. First, the amended claim 1 is directed to monitor and collect data, then identify and classify the data as application compliance identifier, developer metadata, deploy metadata, legacy application data, and running metadata, and save the data accordingly. These activities are routine and conventional in the software development field.
Second, as articulated in the claim rejection section above, the prior art on record teaches the claim limitations “determine whether the indication of the new application comprises developer metadata (Chestna, para. 24, the metadata 122_k associated with the entire application, including developer’s metadata relating to modify and/or test the portion of the program assigned to each sandbox and Draine’s security analyzer 140 performs a determination activity to determine whether  developer’s metadata relating to security context is available or unavailable at Fig. 1 and para 5 and 20-21); and in response to a determination that the indication of the new application does not comprise developer metadata: determine whether deploy metadata has been received (e.g., at para. 24, Draine teaches in response to a determination, other data should be added before constructing or building a respective application; at para. 43, 47, and 69 , DIMITRAKOS teaches determining characteristics of the deployed software application is received), wherein the determining of whether the deploy metadata has been received comprises to: determine whether the new application is a legacy application (e.g., at para. 68, Bohm teaches a process makes a determination as to whether a request to build a legacy application has been received);  and in response to determining that the new application is a legacy application, determine that the deploy metadata has not been received (e.g., at para. 69, Bohm teaches that in response to determining that a request to build a legacy application has been received, the process 400 makes a determination at decision point 404 as to whether a machine-oriented 
Therefore, the prior art rejection of the claims 1, 16, and 17 are maintained.

Conclusion
The prior art made of record and not relied upon is considered pertinent to applicant's disclosure: 
US 2008/0222631 teaches receiving computing system compliance data and comprising a plurality of compliance rules from a plurality of different compliance domains.

Contact Information
Any inquiry concerning this communication or earlier communications from the examiner should be directed to DAXIN WU whose telephone number is (571)270-7721.  The examiner can normally be reached on M-F (7 am - 11:30 am; 1:30- 5 pm).
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Wei Zhen can be reached at (571) 272-3708.  The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.


/DAXIN WU/            Primary Examiner, Art Unit 2191