DETAILED ACTION
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.
This is in response to the correspondence filed on 11/12/19.  Claims 1-20 are still pending and have been considered below.

Claim Objections
Claims 1-3, 5-10, 12-17, 19 and 20 are objected to because of the following informalities:  the instant claims should be amended to recite “the plurality of web resources”.  Appropriate correction is required.
Claims 1, 8 and 15 are objected to because of the following informalities:  the instant claims should be amended to recite “the plurality of security risk factors”.  Appropriate correction is required.
Claims 10 and 17 are objected to because of the following informalities:  the instant claims should be amended to recite “the program instructions further direct the”.  Appropriate correction is required.

Claim Interpretation
Examiner notes that the claim term “computer-readable storage media” has been interpreted in view of Applicant’s own disclosure, which prevents the term from being read to include signals per se (see paragraph [0053] of the Specification filed on 11/12/19); thus, the term is directed only to statutory subject matter.

Claim Rejections - 35 USC § 103
In the event the determination of the status of the application as subject to AIA  35 U.S.C. 102 and 103 (or as subject to pre-AIA  35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.  
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.

Claim(s) 1, 3-8, 10-15 and 17-20 is/are rejected under 35 U.S.C. 103 as being unpatentable over Ranadive et al. (8,516,590) in view of Quinnell et al. (2007/0169199).
Claim 1:  Ranadive et al. discloses a method of operating a computing system to facilitate operation of a centralized trust authority for web application components, the method comprising:
receiving a plurality of web resources used to construct web applications (site elements loaded from third party sources and/or advertisements served by ad servers) [column 3, lines 55-67 | column 4, lines 1-5 & 65-67 | column 5, lines 1-5];
analyzing the plurality of web resources to determine unique identities and security attributes for each of the web resources (analyze page content elements and/or advertisements for malware) [column 6, lines 15-25 | column 24, lines 5-25];
identifying a plurality of security risk factors for each of the plurality of web resources based on industry standards or other guidelines (additional information considered when making risk assessment such as various lists and/or historical infection information) and the security attributes determined for each of the web resources (identify risk posed by various components and/or identify malicious advertisements and syndicates) [column 16, lines 50-67 | column 17, lines 1-10 | column 24, lines 15-25 | column 25, lines 30-40]; and
generating a security profile for each of the plurality of web resources based on the security risk factors identified for each of the web resources (summary of risks posed to the site by the components) [column 17, lines 40-50 | column 18, lines 15-25 | column 24, lines 40-50];
but does not explicitly disclose receiving, over a secure application programming interface (API), component registration information associated with each of the plurality of web resources provided by producers of the web resources; and identifying the plurality of security risk factors for each of the plurality of web resources based on the component registration information.
However, Quinnell et al. discloses a similar invention [page 4, paragraph 0040] and further discloses receiving, over a secure application programming interface (API), component registration information associated with each of the plurality of web resources provided by producers of the web resources (vulnerability metadata/definitions) [page 5, paragraphs 0059-0060 | pages 6-7, paragraphs 0073-0074]; and identifying the plurality of security risk factors for each of the plurality of web resources based on the component registration information (using metadata exchange system for policy testing) [page 7, paragraphs 0083-0084].
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to further modify the disclosure of Ranadive et al. with the additional features of Quinnell et al., in order to automate the surveillance of deployed web services in such a way that new vulnerabilities are profiled and captured, as suggested by Quinnell et al. [page 4, paragraph 0040].
Claim 3:  Ranadive et al. and Quinnell et al. disclose the method of claim 1 and Ranadive et al. further discloses wherein analyzing the plurality of web resources to determine the unique identities for each of the web resources comprises computing hashes of each of the web resources to determine the unique identities for each of the web resources (fingerprints and/or hashes) [column 19, lines 45-55 | column 24, lines 35-45].
Claim 4:  Ranadive et al. and Quinnell et al. disclose the method of claim 1 and Quinnell et al. further discloses further comprising receiving, over the secure API, updated component registration information associated with at least one of the plurality of web resources (import new definitions and/or update definitions) [page 8, paragraphs 0089 & 0091].
Claim 5:  Ranadive et al. and Quinnell et al. disclose the method of claim 1 and Quinnell et al. further discloses wherein the component registration information comprises integrity hashes of each of the web resources provided by the producers of the web resources (signature) [page 4, paragraph 0042].
Claim 6:  Ranadive et al. and Quinnell et al. disclose the method of claim 1 and Quinnell et al. further discloses wherein the component registration information comprises lists of authorized host domains for each of the web resources (list of expected/valid values) [page 8, paragraph 0092 | page 9, paragraph 0097] [Ranadive et al.: column 17, lines 1-10].
Claim 7:  Ranadive et al. and Quinnell et al. disclose the method of claim 1 and Quinnell et al. further discloses wherein the component registration information comprises version release information for each of the web resources (vulnerability description synopsis includes version) [page 6, paragraph 0072] [Ranadive et al.: column 19, lines 55-65].
Claim 8:  Ranadive et al. discloses one or more computer-readable storage media having program instructions stored thereon to facilitate operation of a centralized trust authority for web 
receive a plurality of web resources used to construct web applications [column 3, lines 55-67 | column 4, lines 1-5 & 65-67 | column 5, lines 1-5];
analyze the plurality of web resources to determine unique identities and security attributes for each of the web resources [column 6, lines 15-25 | column 24, lines 5-25];
identify a plurality of security risk factors for each of the plurality of web resources based on industry standards or other guidelines and the security attributes determined for each of the web resources [column 16, lines 50-67 | column 17, lines 1-10 | column 24, lines 15-25 | column 25, lines 30-40]; and
generate a security profile for each of the plurality of web resources based on the security risk factors identified for each of the web resources [column 17, lines 40-50 | column 18, lines 15-25 | column 24, lines 40-50];
but does not explicitly disclose receive, over a secure application programming interface (API), component registration information associated with each of the plurality of web resources provided by producers of the web resources; and identify a plurality of security risk factors for each of the plurality of web resources based on the component registration information.
However, Quinnell et al. discloses a similar invention [page 4, paragraph 0040] and further discloses receive, over a secure application programming interface (API), component registration information associated with each of the plurality of web resources provided by producers of the web resources [page 5, paragraphs 0059-0060 | pages 6-7, paragraphs 0073-0074]; and identify a plurality of security risk factors for each of the plurality of web resources based on the component registration information [page 7, paragraphs 0083-0084].
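Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to further modify the disclosure of Ranadive et al. with the additional features of Quinnell et al., in order to automate the surveillance of deployed web services in such a way that new vulnerabilities are profiled and captured, as suggested by Quinnell et al. [page 4, paragraph 0040].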
Claim 10:  Ranadive et al. and Quinnell et al. disclose the one or more computer-readable storage media of claim 8 and Ranadive et al. further discloses wherein the program instructions direct the computing system to analyze the plurality of web resources to determine the unique identities for each of the web resources by directing the computing system to compute hashes of each of the web resources to determine the unique identities for each of the web resources [column 19, lines 45-55 | column 24, lines 35-45].
Claim 11:  Ranadive et al. and Quinnell et al. disclose the one or more computer-readable storage media of claim 8 and Quinnell et al. further discloses wherein the program instructions further direct the computing system to receive, over the secure API, updated component registration information associated with at least one of the plurality of web resources [page 8, paragraphs 0089 & 0091].
Claim 12:  Ranadive et al. and Quinnell et al. disclose the one or more computer-readable storage media of claim 8 and Quinnell et al. further discloses wherein the component registration information comprises integrity hashes of each of the web resources provided by the producers of the web resources [page 4, paragraph 0042].
Claim 13:  Ranadive et al. and Quinnell et al. disclose the one or more computer-readable storage media of claim 8 and Quinnell et al. further discloses wherein the component registration Ranadive et al.: column 17, lines 1-10].
Claim 14:  Ranadive et al. and Quinnell et al. disclose the one or more computer-readable storage media of claim 8 and Quinnell et al. further discloses wherein the component registration information comprises version release information for each of the web resources [page 6, paragraph 0072] [Ranadive et al.: column 19, lines 55-65].
Claim 15:  Ranadive et al. discloses an apparatus comprising:
one or more computer-readable storage media [column 2, lines 45-55];
a processing system operatively coupled with the one or more computer-readable storage media [column 2, lines 45-55]; and
program instructions stored on the one or more computer-readable storage media that, when executed by the processing system, direct the processing system to at least:
receive a plurality of web resources used to construct web applications [column 3, lines 55-67 | column 4, lines 1-5 & 65-67 | column 5, lines 1-5];
analyze the plurality of web resources to determine unique identities and security attributes for each of the web resources [column 6, lines 15-25 | column 24, lines 5-25];
identify a plurality of security risk factors for each of the plurality of web resources based on industry standards or other guidelines and the security attributes determined for each of the web resources [column 16, lines 50-67 | column 17, lines 1-10 | column 24, lines 15-25 | column 25, lines 30-40]; and
generate a security profile for each of the plurality of web resources based on the security risk factors identified for each of the web resources [column 17, lines 40-50 | column 18, lines 15-25 | column 24, lines 40-50];

However, Quinnell et al. discloses a similar invention [page 4, paragraph 0040] and further discloses receive, over a secure application programming interface (API), component registration information associated with each of the plurality of web resources provided by producers of the web resources [page 5, paragraphs 0059-0060 | pages 6-7, paragraphs 0073-0074]; and identify a plurality of security risk factors for each of the plurality of web resources based on the component registration information [page 7, paragraphs 0083-0084].
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to further modify the disclosure of Ranadive et al. with the additional features of Quinnell et al., in order to automate the surveillance of deployed web services in such a way that new vulnerabilities are profiled and captured, as suggested by Quinnell et al. [page 4, paragraph 0040].
Claim 17:  Ranadive et al. and Quinnell et al. disclose the apparatus of claim 15 and Ranadive et al. further discloses wherein the program instructions direct the processing system to analyze the plurality of web resources to determine the unique identities for each of the web resources by directing the processing system to compute hashes of each of the web resources to determine the unique identities for each of the web resources [column 19, lines 45-55 | column 24, lines 35-45].
Claim 18:  Ranadive et al. and Quinnell et al. disclose the apparatus of claim 15 and Quinnell et al. further discloses wherein the program instructions further direct the computing system to 
Claim 19:  Ranadive et al. and Quinnell et al. disclose the apparatus of claim 15 and Quinnell et al. further discloses wherein the component registration information comprises integrity hashes of each of the web resources provided by the producers of the web resources [page 4, paragraph 0042].
Claim 20:  Ranadive et al. and Quinnell et al. disclose the apparatus of claim 15 and Quinnell et al. further discloses wherein the component registration information comprises lists of authorized host domains for each of the web resources [page 8, paragraph 0092 | page 9, paragraph 0097] [Ranadive et al.: column 17, lines 1-10].

Allowable Subject Matter
Claims 2, 9 and 16 are objected to as being dependent upon a rejected base claim, but would be allowable if rewritten in independent form including all of the limitations of the base claim and any intervening claims.

Conclusion
The prior art made of record and not relied upon is considered pertinent to applicant's disclosure.  Hurst et al. (2007/0186285).
Any inquiry concerning this communication or earlier communications from the examiner should be directed to EDWARD ZEE whose telephone number is (571)270-1686.  The examiner can normally be reached on Monday-Friday 9AM-5PM EST.

If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Joseph Hirl can be reached on (571)272-3685.  The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system.  Status information for published applications may be obtained from either Private PAIR or Public PAIR.  Status information for unpublished applications is available through Private PAIR only.  For more information about the PAIR system, see https://ppair-my.uspto.gov/pair/PrivatePair. Should you have questions on access to the Private PAIR system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative or access to the automated information system, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.



/EDWARD ZEE/Primary Examiner, Art Unit 2435