Notice of Pre-AIA  or AIA  Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA .

DETAILED ACTION
This is in response to the amendments filed 10/22/2021.   Claims 1 and 11 have been amended, Claims 10 and 20 have been cancelled. Claims 1-9 and 11-19 are pending and have been considered.

Priority
Acknowledgment is made of a non-claim of foreign priority.

Drawings
The drawings filed on 06/21/2019 are accepted.

Specification
The specification filed on 06/20/2019 is accepted.

Response to Arguments
Applicant’s arguments, with respect to “Claim Objection”, remarks page 6 have been fully considered and are persuasive.  The objection has been withdrawn in view of the cancellation of the claim. 
Applicant’s arguments with respect to newly amended independent claims such as prior art of record failing to teach “identifying, based on the security vulnerability diagnostic score, a most effective software testing regimen for the software application”, remarks pages 7-9 have been fully considered but are moot in view of the newly found prior art to Atyam et al U.S. 20170091078 A1.
 Atyam et al teaches par.3-4, that code are analyzed according to a risk assessment criteria, the risk assessment criteria includes risk assessment factors; weighting the risk assessment factors for the code as part of the criteria; determining a risk assessment score of the code based on the criteria; and allocating testing resources in response to the risk assessment score and par 18-19 further teaches wherein allocated testing resources can be adjusting in response to the risk assessment. For example, allocated testing resources can be increased in response to a higher risk based on the risk assessment score. Allocated testing resources can be decreased in response to a lower risk based on the risk assessment score. The step of allocating test resources can include: determining a first risk assessment threshold for allocating functional testing resources; determining a second risk assessment threshold for allocating regression testing resources; and determining a third risk assessment threshold for allocating integration testing resources which met the limitations of identifying, based on the security vulnerability diagnostic score(risk assessment score), a most effective software testing regimen (allocation testing resource based first, second or third risk assessment threshold) for the software application.


Claim Rejections - 35 USC § 103
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.

Claims 1-6, 8, 9, 11-16, 18 and 19 are rejected under 35 U.S.C. 103 as being unpatentable over Gershoni et al U.S. 2017/0200006 A1 in view of Wysopal et al U.S. 2011/0173693 A1in further view of Atyam et al U.S. 2017/0091078 A1.
Claim 1: Gershoni et al teaches a method of performing a security vulnerability diagnostic assessment of a software application (par.20, 31, security assessment of a product (e.g., a software application) includes analyzing a product during its development and collecting inputs regarding a security vulnerability), the method comprising:
receiving, at a security assessing server, a set of technical attributes (par. a plurality of descriptions of a component of a product criticality)of the software application (par.11, 14-18, 33, a comprehensive risk profile calculator can include an application that receives and/or generates inputs related to business characteristics and security vulnerabilities of the product 342 being analyzed);
determining a security vulnerability diagnostic score for the software application based at least in part on the set of technical attributes and the par.22-23, to calculate a product risk profile for the product via a multiplication of the criticality score and the vulnerability score. As used herein, a product risk profile includes a quantification and/or characterization of a security risk and/or business/security value of an assessed product based on the two component scores: the criticality score and the vulnerability score for the product. For example, the product risk profile can be a product of the criticality score multiplied by the vulnerability score).
Cershoni et al teaches receiving technical attributes (critical attributes) and set of vulnerability attributes but fail to specify that the vulnerabilities attribute are contextual to the execution of the software, however Wysopal et al in the same field of endeavor teaches 
receiving a set of execution context attributes of the software application (par. 8, 50, context in which the application operates (collectively, "application metadata" collecting the business context in which the application will operate is determined (STEP 310), and combined with the technical details to produce an application profile P.).
Therefore, it would have been obvious for one ordinary skill in the art before the effective filing date of the invention to modify the teaching of Gershoni et al with the addition feature of Wysopal et al in order to provide the ability for identification and reporting of flaws in software programs, as suggested by Wysopal et al et al par.2.
Atyam et al in the same field of endeavor teaches 
identifying, based on the security vulnerability diagnostic score(risk assessment score), a most effective software testing regimen (allocation testing resource based first, second or third risk assessment threshold)for the software application (par.3-4, analyzing the code according to a risk assessment criteria, the risk assessment criteria includes risk assessment factors; weighting the risk assessment factors for the code as part of the criteria; determining a risk assessment score of the code based on the criteria; and allocating testing resources in response to the risk assessment score  and par 18-19 further teaches  wherein allocated testing resources can be adjusting in response to the risk assessment. For example, allocated testing resources can be increased in response to a higher risk based on the risk assessment score. Allocated testing resources can be decreased in response to a lower risk based on the risk assessment score. The step of allocating test resources can include: determining a first risk assessment threshold for allocating functional testing resources; determining a second risk assessment threshold for allocating regression testing resources; and determining a third risk assessment threshold for allocating integration testing resources).
Gershoni et al with the addition feature of Atyam et al in order to provide a method of providing risk assessment for a developers commit, and based on the risk assessment, an appropriate amount of testing can be applied to the commit or unit., as suggested by Atyam et al et al par.12.
Claim 11: Gershoni et al teaches a server computing (par.27, computing device 220 implemented on a server device) system comprising:
 a processor (Fig.2, item 222);
a memory storing a set of instructions, the instructions executable in the processor to(Fig.2, items 222 and 224, par.26-27, The program instructions (e.g., computer readable instructions (CRI)) can include instructions stored on the memory resource 224 and executable by the processing resource 222 to implement a desired function):
receive a set of technical attributes of the software application (par.50criticality calculator provide the plurality of descriptions to the user device based on an analysis of the product 342 and/or inputs descriptive of the product);
determine a security vulnerability diagnostic score for the software application based at least in part on the set of technical attributes and the set of execution context attributes (par.22-23, to calculate a product risk profile for the product via a multiplication of the criticality score and the vulnerability score. As used herein, a product risk profile includes a quantification and/or characterization of a security risk and/or business/security value of an assessed product based on the two component scores: the criticality score and the vulnerability score for the product. For example, the product risk profile can be a product of the criticality score multiplied by the vulnerability score).
Cershoni et al teaches receiving technical attributes (critical attributes) and set of vulnerability attributes but fail to specify that the vulnerabilities attribute are contextual to the execution of the software, however Wysopal et al in the same field of endeavor teaches 
receiving a set of execution context attributes of the software application (par. 8, 50, context in which the application operates (collectively, "application metadata" collecting the business context in which the application will operate is determined (STEP 310), and combined with the technical details to produce an application profile P.).
Therefore, it would have been obvious for one ordinary skill in the art before the effective filing date of the invention to modify the teaching of Gershoni et al with the addition feature of Wysopal et al in order to provide the ability for identification and reporting of flaws in software programs, as suggested by Wysopal et al et al par.2.
Atyam et al in the same field of endeavor teaches 
identifying, based on the security vulnerability diagnostic score(risk assessment score), a most effective software testing regimen (allocation testing resource based first, second or third risk assessment threshold)for the software application (par.3-4, analyzing the code according to a risk assessment criteria, the risk assessment criteria includes risk assessment factors; weighting the risk assessment factors for the code as part of the criteria; determining a risk assessment score of the code based on the criteria; and allocating testing resources in response to the risk assessment score  and par 18-19 further teaches  wherein allocated testing resources can be adjusting in response to the risk assessment. For example, allocated testing resources can be increased in response to a higher risk based on the risk assessment score. Allocated testing resources can be decreased in response to a lower risk based on the risk assessment score. The step of allocating test resources can include: determining a first risk assessment threshold for allocating functional testing resources; determining a second risk assessment threshold for allocating regression testing resources; and determining a third risk assessment threshold for allocating integration testing resources).
Gershoni et al with the addition feature of Atyam et al in order to provide a system of providing risk assessment for a developers commit, and based on the risk assessment, an appropriate amount of testing can be applied to the commit or unit., as suggested by Atyam et al et al par.12.
Claim 2 and 12: the combination teaches   
wherein the security vulnerability diagnostic score comprises a weighted aggregation of a technical attribute security score based on the set of technical attributes and an execution context security score based on the set of execution context attributes (Gershoni et al, Fig.4, item 466, par.23 Waysopal et al par.39, 90-92, Atyam et al par. 30-41).
The same motivation to modify the teaching of Gershoni et al in view of Wysopal et al applied to claims 1 and 11 above applies here.
The same motivation to modify the combined teaching of Gershoni et al in view of Atyam et al applied to claims 1 and 11 above applies here.
Claims 3 and 13: the combination teaches     
wherein the set of technical attributes comprises at least one of a security history of constituent software development libraries used in developing the software application, a cryptographic attribute, and a system Gershoni et al, par.44, 47-48, 157, item 466, par.. Waysopal et al par.31, 39, atyam et al par.20, 32, 42-43).
The same motivation to modify the teaching of Gershoni et al in view of Wysopal et al applied to claims 2 and 12 above applies here.
The same motivation to modify the combined teaching of Gershoni et al in view of Atyam et al applied to claims 2 and 12 above applies here.
Claims 4 and 14: the combination teaches
wherein the technical attribute security score is determined based on at least one of: constituent software development libraries used in developing the software application, the cryptographic attribute, and the system protocol attribute (Gershoni et al par.44, 47-48, 157, Waysopal et al par.31, 39, Atyam et al par.30-40).
The same motivation to modify the teaching of Gershoni et al in view of Wysopal et al applied to claims 3 and 13 above applies here.
The same motivation to modify the combined teaching of Gershoni et al in view of Atyam et al applied to claims 3 and 13 above applies here.
Claims 5 and 15:    the combination teaches
Gershoni et al par.44, 47-48, 157, Waysopal et al par. 28, 87-90, 92).
The same motivation to modify Gershoni et al in view of Wysopal et al applied to claims 2 and 12 above applies here.
Claims 6 and 16:    the combination teaches
 wherein the execution context security score is determined based on an assessment of at least one of: the customer facing transactions, the QoS performance level and the interlocking applications implicated in operational deployment of the software application (Gershoni et al par.44, 47-48, 157, Waysopal et al par. 28, 87-90, 92).
The same motivation to modify Gershoni et al in view of Wysopal et al applied to claims 5 and 15 above applies here.
Claims 8 and 18: the combination teaches
    	 wherein the security history of constituent software development libraries used in developing the software application includes security vulnerability data accumulated based on industry- wide deployment of the Gershoni et al par.23, 44, 47-48, 157, Waysopal et al par. 28, 87-90, 92).
The same motivation to modify Gershoni et al in view of Wysopal et al applied to claims 3 and 13 above applies here.
Claims 9 and 19: the combination teaches
 wherein the system protocol attribute pertains to effectiveness of the cryptographic attribute as an indication of the vulnerability of systems and protocols applying cryptographic material to account for known vulnerabilities of the cryptographic material when deployed in conjunction with particular systems and protocols (Gershoni et al par.44, 47-48, 157, Waysopal et al par. 28, 87-90, 92).
The same motivation to modify Gershoni et al in view of Wysopal et al applied to claims 3 and 13 above applies here.

Claims 7 and 17 are rejected under 35 U.S.C. 103 as being unpatentable over Gershoni et al U.S. 2017/0200006 A1 in view of Wysopal et al U.S. 2011/0173693 A1 in further view of Atyam et al U.S. 2017/0091078 A1 and  Rastogi et al U.S. 10,313,211 B1.
Claims 7 and 17: the combination fails to teach, however Rastogi et al in the same field of endeavor teaches
col.12, lines 55-67, col.18, lines 8-15).
Therefore, it would have been obvious for one ordinary skill in the art before the effective filing date of the invention to modify the combined teaching of Gershoni et al with the addition feature of Wysopal et al in order to provide the ability for evaluating health of a distributed network service environment (DNSE) includes determining an application performance measurement (APM) based at least in part on performance metrics (PM) associated with sources, where the sources are associated with the DNSE, as suggested by Rastogi et al abstract.
Conclusion
The following prior art are cited to further show the state of the art at the time of applicant’s invention.
Dominessy et al U.S. 10,868,825 B1 Cybersecurity and Threat Assessment Platform for Comuting Environment.
Czaplewski et al U.S. 10,915,638 B2   Security Evaluator. 
2017025
Chen et al U.S 2011/0093955 A1 designing security into software during the development lifecycle.
Applicant's amendment necessitated the new ground(s) of rejection presented in this Office action.  Accordingly, THIS ACTION IS MADE FINAL.  See MPEP § 706.07(a).  Applicant is reminded of the extension of time policy as set forth in 37 CFR 1.136(a).  

Any inquiry concerning this communication or earlier communications from the examiner should be directed to FATOUMATA TRAORE whose telephone number is (571)270-1685. The examiner can normally be reached 6:30-3:00.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, SHEWAYE GELAGAY can be reached on 5712724219. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for 





Sunday, February 6, 2022
/FATOUMATA TRAORE/Primary Examiner, Art Unit 2436