Notice of Pre-AIA  or AIA  Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA .

Detailed action
Claims 1-3, 6, 8-13, 16 and 18-24 are pending and are being considered
Claims 1, 3, 11 and 13 have been amended.
Information Disclosure Statement
The information disclosure statement (IDS) submitted on 04/09/2021 was filed after the mailing date of the application no. 15447108 on 03/01/2017.  The submission is in compliance with the provisions of 37 CFR 1.97.  Accordingly, the information disclosure statement is being considered by the examiner.

Examiner's Amendments
An examiner's amendment to the record appears below. Should the changes and/or additions be unacceptable to applicant, an amendment may be filed as provided by 37 CFR 1.312. To ensure consideration of such an amendment, it MUST be submitted no later than the payment of the issue fee. Authorization for this examiner's amendment was given in a telephone interview and by Email from Anne Christy Reg. No. 78,155 on 04/09/2021.
AMEND THE CLAIMS AS FOLLOWS:
1.	(Currently amended) A method performed by a computer system for automating detection of security vulnerabilities of an application programming interface (API), the method comprising:
receiving information about an API of a third-party system;

generating an API specification based on the received information, the API specification describing one or more API endpoints of the API, wherein a description of an API endpoint comprises a specified addressable location that provides access to one or more of services associated with the API, a method term that indicates a type of interaction with the API endpoint, and a set of input parameters that indicates the data types accepted as input by the API endpoint;
for each of the one or more API endpoints described in the API specification:
for each of the one or more authentication flows for the API: 
determining, based on 
for each of the determined one or more potential security vulnerabilities of the API endpoint, performing a first audit job on the API endpoint to determine an indication of whether the API endpoint is vulnerable to the potential security vulnerability and performing a second audit job on the authentication flow to determine an indication of whether the authentication flow is vulnerable to the potential security vulnerability, wherein performing the second audit job includes modifying the authentication flow based on the potential security vulnerability by removing one or more authentication units and testing the modified authentication flow against the potential security vulnerability by receiving an unauthenticated request; and

generating a scan report for the API based on the recorded results; and
sending the scan report to the third-party system. 

3. 	(Currently amended) The method of claim 2, wherein the result is an indication that the potential security vulnerability is present if the output of the API endpoint does not match the expected output.
11.	(Currently amended) A non-transitory computer-readable medium comprising instructions that when executed by a processor cause the processor to perform steps for automating detection of security vulnerabilities of an application programming interface (API), the steps comprising:
receiving information about an API of a third-party system;
receiving one or more one authentication flows for the API;
generating an API specification based on the received information, the API specification describing one or more API endpoints of the API, wherein a description of an API endpoint comprises a specified addressable location that provides access to one or more of services associated with the API, a method term that indicates a type of interaction with the API endpoint, and a set of input parameters that indicates the data types accepted as input by the API endpoint;
for each of the one or more API endpoints described in the API specification:
for each of the one or more authentication flows for the API:
determining, based on 
against the potential security vulnerability by receiving an unauthenticated request; and
recording results of the first and the second audit jobs performed;
generating a scan report for the API based on the recorded results; and
sending the scan report to the third-party system.

13. 	(Currently amended) The non-transitory computer-readable medium of claim 12, wherein the result is an indication that the potential security vulnerability is present if the output of the API endpoint does not match the expected output.

Response to arguments
Applicants arguments filled on 03/22/2021 have been fully considered and are persuasive.
Allowable Subject matter
Claims 1-3, 6, 8-13, 16 and 18-24 are allowed.
Examiner’s Statement of Reason for Allowance
According to 37 C.F.R. 1.104(e), it is the examiner's discretion to evaluate at the time of allowance whether the record of the prosecution as a whole does not make clear his or her reasons for allowing a claim or claims and set forth such a reasoning. At this time, the examiner believes that the claims allowed above require a separate reasoning to make the record clearer. The applicant or patent owner may file a statement commenting on the reasons for allowance within such time as may be specified by the examiner.
The following is an examiner’s statement of reasons for allowance:
In interpreting the currently amended claims in light of the specification, the Examiner finds the claimed invention to be patentably distinct from the prior art of record.
The present invention is directed towards A security system scans application programming interfaces (APIs) to detect security vulnerabilities. To do this, the security system receives API documentation from a third-party system associated with the API and organizes it in an API specification that describes the hostname of the API and one or more endpoints of the API. Alternatively, the security system may generate an API specification for the API without receiving API documentation by intercepting traffic between the API and an application that uses it. The security system also receives authentication flows for the API with the API documentation. The security system provides a framework for an administrative user of the third-party system to describe the authentication flows in terms of multiple discrete authentication units offered by the security system. Each authentication unit performs an authentication operation, such as adding query parameters, adding headers, performing an OAuth2 handshake, retrieving a multi-factor authentication token, constructing a request signature, or performing HTTP Basic authentication.
Claims 1 and 11 identifies a unique and distinct feature of “…..determining, based on information about the authentication flow and the API endpoint in the API specification, one or more potential security vulnerabilities of the API endpoint….and performing a second audit job on the authentication flow to determine an indication of whether the authentication flow is vulnerable to the potential security vulnerability, wherein performing the second audit job includes modifying the authentication flow based on the potential security vulnerability by removing one or more authentication units and testing the modified authentication flow against the potential security vulnerability by receiving an unauthenticated request…..” including other limitations in the claims.
	The closest prior art Lockhart et al (US 20080209567) is directed towards security assessment and vulnerability testing of software applications in a manner responsive to the technical characteristics and the business context in which the application operates (collectively, "application metadata"). The invention may, for example, determine an appropriate assurance level and test plan to attain it. In many instances, a test plan may dictate performance of different types of analyses. In such cases, the individual tasks of each test are combined into a "custom" or "application-specific" workflow, and the results of each test may be correlated with other results to identify a wide range of potential vulnerabilities and/or faults that are detected by the different tests. As such, a programmer reviewing the results can better understand how different potential vulnerabilities may relate to each other or in fact be caused by a common flaw.
Lockhart teaches receiving one or more authentication flows for API, determining whether the one or more authentication flow is vulnerable to the potential security vulnerability and generating a scan report based on the result, However Lockhart fails to teach determining, based on the information about the authentication flow and the API endpoint in the API specification, one or more potential security vulnerabilities of the API endpoint….and performing a second audit job on the authentication flow to determine an indication of whether the authentication flow is vulnerable to the potential security vulnerability, wherein performing the second audit job includes modifying the authentication flow based on the potential security vulnerability by removing one or more authentication units and 
The closest prior art Nicodemus et al (US 20090158407) is directed towards methods and systems for a Network Access Control Application Programming Interface Translation Agent (hereinafter referred to as an "NAC API Translation Agent"). An NAC API Translation Agent can translate messages written for one NAC agent API into a format suitable for use with a different NAC agent API. Multiple NAC agent APIs can be thus supported, and multiple NAC agent APIs can be used simultaneously. One benefit of an NAC API Translation Agent in accordance with aspects and features described herein is that it can decouple a software application that needs to support a particular NAC agent API from that NAC agent, and enable it to be used for any NAC agent. This makes it possible for organizations that use NAC solutions and that want to develop or use NAC-integration-capable software applications to select and use the NAC agent of their choice without affecting the software application.
Nicodemus teaches API endpoint comprising URL a method term and input parameter that indicated the data type accepted. Just like Lockhart, Nicodemus also fails to teach determining, based on the information about the authentication flow and the API endpoint in the API specification, one or more potential security vulnerabilities of the API endpoint….and performing a second audit job on the authentication flow to determine an indication of whether the authentication flow is vulnerable to the potential security vulnerability, wherein performing the second audit job includes modifying the authentication flow based on the potential security vulnerability by removing one or more authentication units and testing the modified authentication flow against the potential security vulnerability by receiving an unauthenticated request.
The closest prior art Allen et al (US 9015730) is directed towards methods and processes for programming computers and designing program code, and particularly to systems and methods which allow for such work to be performed in a natural language format. Users of online services may avoid 
Allen teaches API specification describing a method term indicating type of interaction and input parameters that indicated type of data accepted, however just like Lockhart and Nicodemus, Allen fails to teach determining, based on the information about the authentication flow and the API endpoint in the API specification, one or more potential security vulnerabilities of the API endpoint….and performing a second audit job on the authentication flow to determine an indication of whether the authentication flow is vulnerable to the potential security vulnerability, wherein performing the second audit job includes modifying the authentication flow based on the potential security vulnerability by removing one or more authentication units and testing the modified authentication flow against the potential security vulnerability by receiving an unauthenticated request.
Therefore the prior art of record does not teach or suggest individually or in combination the particular limitation listed below as recited in the claims.

“…..determining, based on the information about authentication flow and the API endpoint in the API specification, one or more potential security vulnerabilities of the API endpoint….and performing a second audit job on the authentication flow to determine an indication of whether the authentication flow is vulnerable to the potential security vulnerability, wherein performing the second audit job includes modifying the authentication flow based on the potential security vulnerability by removing one or more authentication units and testing the modified authentication flow against the potential security vulnerability by receiving an unauthenticated request…..”

None of the prior art of record, either taken individually or in any combination, would have anticipated or made obvious the invention of the instant application at or before the time it was filled.
Therefore these particular unique feature are found to be allowable only in context of all the other limitations in the claims.

Conclusion
Any inquiry concerning this communication or earlier communications from the examiner should be directed to MOEEN KHAN whose telephone number is (571)272-3522.  The examiner can normally be reached on 7AM-5PM EST M-TH Alternate Fridays.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Shewaye Gelagay can be reached on (571)272-4219.  The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system.  Status information for published applications may be obtained from either Private PAIR or Public PAIR.  Status information for unpublished applications is available through Private PAIR only.  For more information about the PAIR system, see https://ppair-my.uspto.gov/pair/PrivatePair. Should you have questions on access to the Private PAIR system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a 

/MOHAMMAD W REZA/Primary Examiner, Art Unit 2436                                                                                                                                                                                                        




/MOEEN KHAN/               Examiner, Art Unit 2436