DETAILED ACTION
This Action is a response to the reply received 5 January 2022. Claims 1, 3, 12-13, 17-18 and 21-22 are amended; claim 20 is canceled; claim 23 is new. Claims 1-13, 15-18 and 21-23 remain pending for examination.

Notice of Pre-AIA  or AIA  Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA .

Claim Rejections - 35 USC § 112
The following is a quotation of the first paragraph of 35 U.S.C. 112(a):
(a) IN GENERAL.—The specification shall contain a written description of the invention, and of the manner and process of making and using it, in such full, clear, concise, and exact terms as to enable any person skilled in the art to which it pertains, or with which it is most nearly connected, to make and use the same, and shall set forth the best mode contemplated by the inventor or joint inventor of carrying out the invention.

Claims 1-13, 15-18 and 21-23 are rejected under 35 U.S.C. 112(a) or 35 U.S.C. 112 (pre-AIA ), first paragraph, as failing to comply with the written description requirement. The claims contains subject matter which was not described in the specification in such a way as to reasonably convey to one skilled in the relevant art that the inventor or a joint inventor, or for applications subject to pre-AIA  35 U.S.C. 112, the inventor(s), at the time the application was filed, had possession of the claimed invention. The independent claims currently recite “wherein the information comprises a model representation comprising one or more symbolic elements of the software project” (see claim 1 at lines 7-8 and similar language in claims 12 and 17). A review of the Specification discloses “a software design representation of the software project 
In order to advance prosecution, Examiner is interpreting the claim term “symbolic elements” to have a scope consistent with the specific examples provided in the Specification and recited at dependent claims 13, 18 and 23.

Claim Rejections - 35 USC § 103
In the event the determination of the status of the application as subject to AIA  35 U.S.C. 102 and 103 (or as subject to pre-AIA  35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.  
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.

The factual inquiries for establishing a background for determining obviousness under 35 U.S.C. 103 are summarized as follows:
1. Determining the scope and contents of the prior art.
2. Ascertaining the differences between the prior art and the claims at issue.
3. Resolving the level of ordinary skill in the pertinent art.
4. Considering objective evidence present in the application indicating obviousness or nonobviousness.

Claims 1-12, 15-18 and 21 are rejected under 35 U.S.C. 103 as being unpatentable over Bhalla et al., U.S. 2020/0159525 A1 (hereinafter referred to as “Bhalla”) and Phoenix, Carlos, U.S. 2020/0073782 A1 (hereinafter referred to as “Phoenix”) in view of Gebhardt et al., U.S. 2007/0157174 A1 (hereinafter referred to as “Gebhardt”) and Giammaria et al., U.S. 9,195,573 B1 (hereinafter referred to as “Giammaria”), and in further view of Atighetchi et al., U.S. 2020/0364343 A1 (hereinafter referred to as “Atighetchi”).

Regarding claim 1, Bhalla teaches: A computer-implemented method (Bhalla, e.g., ¶11, providing a method, ¶19 indicating the method may be performed by multiple computing devices) comprising: obtaining information pertaining to a software project and a target market of the software project (Bhalla, e.g., ¶52, “system uses the software context … to select tasks or requirements from a knowledge database based on the extracted software context …” See also, e.g., ¶54, describing context as including language, function and regulatory requirements; ¶58 disclosing that the application will be run in the United States; and ¶62 describing a more comprehensive set of context categories including legal and other compliance sources, geographical and jurisdictional factors, business domain, security standards, legal context (such as where or how the application is used), types of information being handled, business drivers and policies, privacy requirements, among others. See also, e.g., ¶63, “context extraction engine 104 processes each context repository 102 o transform it into machine useable information and to extract context data for the software asset …”), wherein the information comprises a model representation comprising one or more symbolic elements1 of the software project (Bhalla, e.g., ¶95, “Application lifecycle management repository 214 manages requirements, tests, plans, tasks, bugs and issues … a story may be written … ‘As a user I need to be able to update my first and last name.’ … translate this natural language definition of a new feature to a new capability in the application …” Examiner’s note: claim 3 further describes ;
	identifying, based on the obtained information, one or more of the security controls in the database to be implemented in the software project (Bhalla, e.g., ¶83, “Each task in the prioritized task list 114 can further include … rules concerning security structures and procedures for communication on the internet and for particular businesses … For example, if the software context indicates that the software asset is used within a financial institution having credit card transactions, the task list would include regulations and control frameworks such as the PCI DSS, COBIT … the project is related to the healthcare industry, privacy regulations for medical data can be put in the task list …”), in order to satisfy at least a [] level of security defined for the software project, wherein the threshold level of security is based at least in part on one or more of the plurality of security standards related to the target market (Bhalla, e.g.,  ¶61, “application must be free of high priority vulnerabilities before it can be deployed to production.” See also, e.g., ¶62, “Categories of software context can comprise, for example … legal and other compliance sources … functional requirements that affect security aspects … regulatory requirements, security standards … access restriction settings … privacy requirements … industry, environment, technology requirements …”); and
	wherein the method is performed by at least one processing device comprising a processor coupled to a memory (Bhalla, e.g., ¶30, “computerized system … comprising at least one processor, at least one memory device … memory device comprising computer readable instructions, that when executed by the at least one processor …”).
	Bhalla does not specifically teach that the security control is identified such that it satisfies at least a threshold level of security based at least in part on one or more security maintaining a database (Phoenix, e.g., FIG. 1, compliance control data store 110) comprising mappings between (i) a plurality of security controls (Phoenix, e.g., FIG. 1, compliance controls 124) and (ii) security requirements related to a plurality of security standards (Phoenix, e.g., FIG. 1, compliance standard 122 including control relationship data; see also, e.g., ¶25, “compliance control data store 110 may be a database … may store data associated with one or more compliance standards 122, including compliance controls 124 that make up the compliance standards 122 and control relationship data 126 that defines relationships and/or associations among the compliance controls 124”), wherein said maintaining is based at least in part on … [identifying] overlapping sections [of the security standards] (Phoenix, e.g., Phoenix, e.g., ¶24, “A single capability 118 may be mapped to multiple compliance controls 124 and multiple capabilities may be mapped to a single compliance control 124 …” See also, e.g., ¶34, “Once the mapping process identifies the first capability that maps to the compliance control, the process may refrain from identifying additional capabilities that may enable compliance with the compliance control to reduce the time and/or processing resources necessary to complete the mapping process …” Examiners note: compliance controls are elements of a compliance standard (see ¶14); capabilities are aspects or functions of an application (¶¶14-15). That a single capability may map to a plurality of compliance controls each of one or more compliance standards, and a combination-reduction is performed when scanning the application for compliance suggests a removal of overlapping security requirements when scanning the application under development for compliance)
threshold [level of security defined for the software project, wherein the threshold level of security is based at least in part on one or more security standards] (Phoenix, e.g., FIG. 5B, permitting in multiple instances a user choice between threshold security levels (NIST 800-53 high/moderate/low, FISMA high/moderate/low)) for the purpose of maintaining a database of mappings between security requirements and implemented control and facilitating an analysis of one or more potential software assets for compliance with one or more security levels each appropriate for one or more distinct standards (Phoenix, ibid.).
	Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify the system and method for automated identification of security-related tasks for a software project as taught by Bhalla to provide that the security control is identified such that it satisfies at least a threshold level of security based at least in part on one or more security standards because the disclosure of Phoenix shows that it was known to those of ordinary skill in the pertinent art to improve a system and method for automated identification of security-related tasks for a software project to provide that the security control is identified such that it satisfies at least a threshold level of security based at least in part on one or more security standards for the purpose of maintaining a database of mappings between security requirements and implemented control and facilitating an analysis of one or more potential software assets for compliance with one or more security levels each appropriate for one or more distinct standards (Phoenix, Id.).
	Bhalla in view of Phoenix does not more particularly teach that the identification of the overlapping security controls may be accomplished using a script. However, Gebhardt does teach: a software script [that identifies] overlapping sections [of the security standards] (Gebhardt, e.g., ¶11, “a user may readily write a simple ABAP script that permits … the ability to analyze the content of an internal table automatically (e.g., finding duplicate entries) …”) for the purpose of automating the process of finding duplicate entries (Gebhardt, ibid.).
	Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify the system and method for automated identification of security-related tasks for a software project as taught by Bhalla in view of Phoenix to provide that the identification of the overlapping security controls may be accomplished using a script because the disclosure of Gebhardt shows that it was known to those of ordinary skill in the pertinent art to improve a system and method for automated identification of duplicate table entries to provide that the identification of the overlapping security controls may be accomplished using a script for the purpose of automating the process of finding duplicate entries (Gebhardt, Id.).
	Bhalla in view of Phoenix and Gebhardt does not teach automatically implementing at least one identified security control in response to an estimated complexity thereof satisfying a threshold level. However, Giammaria does teach: automatically implementing at least one of the identified security controls in the software project (Giammaria, e.g., 14:1-15, “While the above-described description contemplates cloud administrator involvement in the problem selection/remediation, this is not a requirement. The process may also be automated for all cloud application packages stored in a repository, e.g., based on administrator-specified thresholds for severity and/or complexity … if the package includes any component having a known problem whose severity and/or complexity values exceed a configurable threshold, the cloud application package is automatically updated using one or more fixes …” See also, e.g., 7:62-8:13, describing a community cloud deployment wherein one or more security requirements, policies and/or compliance considerations to be managed, and 12:24-13:31 more generally, wherein ibid.).
	Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify the system and method for automated identification of security-related tasks for a software project as taught by Bhalla in view of Phoenix and Gebhardt to provide for automatically implementing at least one identified security control in response to an estimated complexity thereof satisfying a threshold level because the disclosure of Giammaria shows that it was known to those of ordinary skill in the pertinent art to improve a system and method for automated identification of security-related tasks for a software project to provide for automatically implementing at least one identified security control in response to an estimated complexity thereof satisfying a threshold level for the purpose of identifying potential security vulnerabilities and automatically addressing them if the complexity of said remediation satisfies an administrator-specified threshold (Giammaria, Id.).
	Bhalla and Phoenix in view of Gebhardt and Giammaria do not more particularly teach that the identification of overlapping sections is based on an evaluation of the text of the security standards. However, Atighetchi does teach: [wherein said maintaining is based at least in part on] evaluates text of the plurality of security standards to identify [overlapping sections] (Atighetchi, e.g., ¶70, “Alternatively or additionally, a system-specific requirements analysis may identify two or more system requirements that are conflicting, redundant, overlapping …” See also, e.g., ¶97, “SRA [systems requirements analysis] service determines whether the source document is a plaintext document … SRA service may generate a propositions model based on the plaintext …” and ¶102, “SRA service applies semantic queries to the system model … to perform a system-specific requirements analysis …” See also more generally FIG. 1A and FIGs. 2A-2B, showing that text is extracted in order to generate a system model against which queries are applied in order to perform the requirements analysis to identify, among other possibilities, overlapping requirements. Examiner’s note: generating the model from the text document is interpreted as broadly consistent with “evaluating text” and security standards are also considered at least one type of system requirement, in this case for compliance with security regulations) for the purpose of evaluating system requirements in order to identify redundant or overlapping standards (Atighetchi, ibid.).
	Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify the system and method for automated identification of security-related tasks for a software project as taught by Bhalla and Phoenix in view of Gebhardt and Giammaria to provide that the identification of overlapping sections is based on an evaluation of the text of the security standards because the disclosure of Atighetchi shows that it was known to those of ordinary skill in the pertinent art to improve a system and method for automated identification of security-related tasks for a software project to provide that the identification of overlapping sections is based on an evaluation of the text of the security standards for the purpose of evaluating system requirements in order to identify redundant or overlapping standards (Atighetchi, Id.).

Claims 12 and 17 are rejected for the reasons given in the rejection of claim 1 above. Examiner notes that with respect to claim 12, Bhalla further teaches: A computer program product comprising a non-transitory processor-readable storage medium having stored thereon program code of one or more software programs, wherein the program code when executed by at least one processing device causes the at least one processing device (Bhalla, e.g., ¶30, “a context extraction engine stored in the at least one memory device comprising computer readable instructions, that when executed by the at least one processor cause the at least one processor to …”); and with respect to claim 17, Bhalla further teaches: An apparatus comprising: at least one processing device comprising a processor coupled to a memory; the at least one processing device being configured (Bhalla, e.g., ¶30, “a computerized system for automation of task identification … comprising at least one processor, at least one memory device … a context extraction engine stored in the at least one memory device comprising computer readable instructions, that when executed by the at least one processor cause the at least one processor to …”).

Regarding claim 2, the rejection of claim 1 is incorporated, and Bhalla further teaches: wherein the obtained information corresponds to user input provided in response to one or more application profiling questions provided on a graphical user interface (Bhalla, e.g., FIG. 2, showing user interface 226; see also, e.g., ¶109, “user interface 226 can also be used to obtain additional information … through direct user input …” and ¶114, “clarification can be used by obtaining user input 416 to provide additional context … which could include updating or adding relevant context … inquiry for input from users 416 can be provided as a list of curated software context inquiries … Questions can include inclusion rules so that the system only asks relevant questions … Developers can also provide additional details about the context and functions of the project, for example, by specifying whether the application being developed involves interactions with an operating system, file-upload function, authentication of end users …”).
Regarding claim 3, the rejection of claim 1 is incorporated, and Bhalla further teaches: wherein the one or more symbolic elements of the model representation comprise at least one of: one or more processes of the software project (Bhalla, e.g., ¶95, “[ALM] repository 214 manages requirements, tests, plans, tasks, bugs and issues … a story may be written … ‘As a user I need to be able to update my first and last name.’ … translate this natural language definition of a new feature to a new capability in the application …”), 
one or more dataflows within the software project, a type of each of the dataflows (Bhalla, e.g., ¶95, “work defined in an ALM issue can also provide details on the business and technical requirements of the software project, including any specific data flows …” Examiner’s note: “details” on the data flows is interpreted to include all context regarding a data flow as would be commonly understood in the art, to include identification and type(s) thereof, as well as a specification of the data flow type), 
one or more existing security controls (Bhalla, e.g., ¶104, “configuration management repository 218 can store information about how a system is configured … to ensure consistent performance and function … such as … how the system is configured with respect to, for example, firewall rules, user access rule, and network access details …”), and 
one or more storage data locations (Bhalla, e.g., ¶62, “Categories of context data can comprise … data being handled … geographical and jurisdictional factors … data collected by the software asset, data shared by the software asset … network architecture …” Examiner’s note: data types collected and jurisdictional and geographic details describe a physical location of data, and network architecture describes physical and/or logical data location information).
Regarding claim 4, the rejection of claim 1 is incorporated, and Phoenix further teaches: wherein the database maps at least one of the security controls to multiple ones of the security standards to remove overlapping security requirements defined in the plurality of security standards (Phoenix, e.g., ¶24, “A single capability 118 may be mapped to multiple compliance controls 124 and multiple capabilities may be mapped to a single compliance control 124 …” See also, e.g., ¶34, “Once the mapping process identifies the first capability that maps to the compliance control, the process may refrain from identifying additional capabilities that may enable compliance with the compliance control to reduce the time and/or processing resources necessary to complete the mapping process …” Examiners note: compliance controls are elements of a compliance standard (see ¶14); capabilities are aspects or functions of an application (¶¶14-15). That a single capability may map to a plurality of compliance controls each of one or more compliance standards, and a combination-reduction is performed when scanning the application for compliance suggests a removal of overlapping security requirements when scanning the application under development for compliance. The disclosure discusses many-to-one, one-to-many, and many-to-many mappings, and therefore related deduplications).

Claim 15 is rejected for the reasons given in the rejection of claim 4 above.

Regarding claim 5, the rejection of claim 1 is incorporated, and Phoenix and Bhalla further teach: maintaining one or more application criteria for each of the plurality of security controls, wherein the application criteria defines software characteristics that trigger a corresponding one of the security controls (Phoenix, e.g., ¶26, “compliance standards 122 include text that defines requirements for compliance with the standard … user data security compliance standard may include requirements for how user data is stored (e.g., what type of encryption must be used) … how user data is transferred over networks … compliance standard 122 may include requirements that the software enable users to sign in with passwords to access user information and that the software stores information in an encrypted format …” Examiner’s note: Applicant’s Specification provides an example wherein a technological characteristic can include whether software communicates over a network and/or cryptography requirements (see Spec. at 6:26-28)) 
and a context in which the corresponding security control is required (Bhalla, e.g., ¶80, “Each task in the knowledge database 108 has tags delineating its relevance to a particular software context …” See also, e.g., ¶83, “Each task in the prioritized task list 114 can further include … rules concerning security structures and procedures for communication on the internet and for particular businesses … For example, if the software context indicates that the software asset is used within a financial institution having credit card transactions, the task list would include regulations and control frameworks such as the PCI DSS, COBIT … the project is related to the healthcare industry, privacy regulations for medical data can be put in the task list …” Examiner notes that Applicant’s Specification describes context as including market and/or regulatory context in which a security control is required (see, e.g., 6:23-26)).

Regarding claim 6, the rejection of claim 5 is incorporated, and Bhalla further teaches: wherein the identifying the one or more security controls is based at least in part on the application criteria maintained for each of the plurality of security controls (Bhalla, e.g., ¶52, “system uses the software context in each context repository 102 to select tasks or requirements from a knowledge database 108 based on the extracted software context …” and ¶54, “software context describes the characteristics of the software asset, including but not limited to the language, function, regulatory requirements, and connections of the software asset …”).

Claim 16 is rejected for the reasons given in the rejection of claim 6 above.

Regarding claim 7, the rejection of claim 1 is incorporated, and Bhalla further teaches: maintaining, for a given one of the security controls, a plurality of verification methods, wherein each respective one of  the verification methods verifies whether the given security control satisfies a corresponding one of a plurality of different levels of security defined for the software project (Bhalla, e.g., ¶83, “Each task in the prioritized task list 114 can further include tailored relevant test cases and sample quality assurance test code, including tracking and audit trail information for satisfying requirement standards and audit criteria, best practice rules concerning the design of software code to produce software assets, as well as rules concerning security structures and procedures for communication on the internet and for particular businesses …”); and
	providing information indicative of the identified one or more security controls and at least one verification method corresponding to at least one of the identified security control that corresponds to the threshold level of security defined for the software project (Bhalla, e.g., ¶82, “prioritized task list 114 can be stored on a computer, server, or on another electronic device or system, and can be accessed by and presented to a developer on a user interface …”).

Regarding claim 8, the rejection of claim 7 is incorporated, and Phoenix further teaches: wherein the threshold level of security is configurable based on user input (Phoenix, e.g., FIG. 5B, permitting in multiple instances a user choice between threshold security levels (NIST 800-53 high/moderate/low, FISMA high/moderate/low)).

Regarding claim 9, the rejection of claim 7 is incorporated, and Bhalla further teaches: wherein the plurality of verification methods for the given security control comprises one or more of: a self-attestation method (Bhalla, e.g., ¶79, “tasks in the knowledge database 10 comprises a plurality of tasks, with each task having an identification of a coding requirement, a security requirement … and a recommended strategy for completion of the coding requirement … remediation of the security requirement … tasks in the knowledge database 108 can relate to, for example … check lists to enable non-expert developers to systematically test security requirements …” Examiner’s note: Applicant describes a self-attestation method as being done by a developer (see Spec. 6:28-7:4));
an automated static analysis method (Bhalla, e.g., ¶107, “code scanner 222 can be, for example … a static application security testing scanner (SAST) …” and ¶108, indicating that the code scanner can be used to both extract code context and detect code deficiencies conferring risk); and 
an expert-verification method (Bhalla, e.g., ¶83, “Each task in the prioritized task list 114 can further include tailored relevant test cases and sample quality assurance test code, including tracking and audit trail information for satisfying requirement standards and audit criteria …” Examiner’s note: Applicant describes an example of expert-verification as being white-box verification (see Spec. 6:28-7:4), wherein it is generally understood in the art that 2 may generally refer to testing an application at the level of source code, including unit, integration and/or regression testing, among others, through the use of test cases).

Regarding claim 10, the rejection of claim 1 is incorporated, and Phoenix further teaches: obtaining user input specifying a change to one or more of the target market and the threshold level for the software project; and dynamically updating the identified  (Phoenix, e.g., FIG. 5B, permitting in multiple instances a user choice between threshold security levels (NIST 800-53 high/moderate/low, FISMA high/moderate/low). Examiner’s note: Phoenix does not disclose a limit to a single review of a single unit of source code at a single point in time; that is, multiple users may analyze multiple projects under multiple standards at multiple levels of precision and generate different reports. See, e.g., ¶74, “a software vendor wants to understand how their offered services and/or applications can be used in an environment that includes substantial compliance requirements … vendor can obtain a compliance report … including their current compliance based on their use of applications or capabilities that have already been mapped … to identify any gaps in compliance and as a guide to notate their own offerings with respect to the compliance requirements, such that the vendor is able to provide compliance information to their customers.” Examiner notes that this portion of the disclosure, in combination with the multiple-choice GUI example permitting selection of one or a plurality of software projects to scan against one or a plurality of different standards, that a “change” on one or more of “target level” and/or “threshold level” may be analyzed by a vendor in advance of offering one or more available products to one or more potential customers).
Regarding claim 11, the rejection of claim 1 is incorporated, and Giammaria further teaches: estimating a complexity to implement the at least one identified security control, wherein the at least one identified security control is automatically implemented in the software project responsive to the estimated complexity satisfying a threshold complexity level (Giammaria, e.g., 14:1-15, “While the above-described description contemplates cloud administrator involvement in the problem selection/remediation, this is not a requirement. The process may also be automated for all cloud application packages stored in a repository, e.g., based on administrator-specified thresholds for severity and/or complexity … if the package includes any component having a known problem whose severity and/or complexity values exceed a configurable threshold, the cloud application package is automatically updated using one or more fixes …” See also, e.g., 7:62-8:13, describing a community cloud deployment wherein one or more security requirements, policies and/or compliance considerations to be managed, and 12:24-13:31 more generally, wherein security vulnerabilities may be scanned for and remediated).

Regarding claim 21, the rejection of claim 1 is incorporated, and Bhalla further teaches: wherein said obtaining comprises: determining the target market of the software project by identifying one or more portions of software code associated with the software project that correspond to one or more of the plurality of security standards (Bhalla, e.g., ¶107, “context extraction engine 220 extracts software context from the context repositories 202 using a plurality of tools, such as, for example, a code scanner 222 … Using a code scanner 222, software context can be extracted from the source code … code scanner 222 can also be used to analyze the scanned code to provide further context information to assist the selection module in selecting security requirements for the software asset …” See also, e.g., ¶72, “Machine learning and artificial intelligence can also be used to identify relationships between software features and technical context and provide a predicted subset of task requirements for the software asset … if context extraction reveals that credit card information is required AND a software asset operating jurisdiction is France, the set of requirements relevant to {function: credit card} and {jurisdiction: France} can be automatically extracted and added to the task list …”).

Claims 13, 18 and 22-23 are rejected under 35 U.S.C. 103 as being unpatentable over Bhalla and Phoenix in view of Gebhardt and Giammaria, and in further view of Atighetchi and Sheridan et al., U.S. 10,282,550 B1 (hereinafter referred to as “Sheridan”).

Regarding claim 13, Bhalla further teaches: wherein at least one of: the obtained information corresponds to user input provided in response to one or more application profiling questions provided on a graphical user interface (Bhalla, e.g., FIG. 2, showing user interface 226; see also, e.g., ¶109, “user interface 226 can also be used to obtain additional information … through direct user input …” and ¶114, “clarification can be used by obtaining user input 416 to provide additional context … which could include updating or adding relevant context … inquiry for input from users 416 can be provided as a list of curated software context inquiries … Questions can include inclusion rules so that the system only asks relevant questions … Developers can also provide additional details about the context and functions of the project, for example, by specifying whether the application being developed involves interactions with an operating system, file-upload function, authentication of end users …”); and
	 the one or more symbolic elements of the model comprise at least one of: one or more processes of the software project (Bhalla, e.g., ¶95, “[ALM] repository 214 manages requirements, tests, plans, tasks, bugs and issues … a story may be written … ‘As a user I need to be able to update my first and last name.’ … translate this natural language definition of a new feature to a new capability in the application …” Examiner’s note: the claim further describes below that a symbolic element comprises one or more of processes of the software project, among other alternatives, and this citation to Bhalla discloses one or more processes), 
one or more dataflows within the software project, a type of each of the dataflows (Bhalla, e.g., ¶95, “work defined in an ALM issue can also provide details on the business and technical requirements of the software project, including any specific data flows …” Examiner’s note: “details” on the data flows is interpreted to include all context regarding a data flow as would be commonly understood in the art, to include identification and type(s) thereof, as well as a specification of the data flow type), 
one or more existing security controls (Bhalla, e.g., ¶104, “configuration management repository 218 can store information about how a system is configured … to ensure consistent performance and function … such as … how the system is configured with respect to, for example, firewall rules, user access rule, and network access details …”), and 
one or more storage data locations (Bhalla, e.g., ¶62, “Categories of context data can comprise … data being handled … geographical and jurisdictional factors … data collected by the software asset, data shared by the software asset … network architecture …” Examiner’s 
Bhalla and Phoenix in view of Gebhardt, Giammaria and Atighetchi do not more particularly teach that the method further comprises generating and outputting a modified software design representation that visually indicates at least one of the identified security controls with respect to at least one of the one or more elements. However, Sheridan does teach: wherein method further comprises generating and outputting a modified  model representation of the software project that visually indicates at least one of the identified security controls with respect to at least one of the one or more symbolic elements (Sheridan, e.g., 9:6-41, “security patch rules in review phase 312 may then be verified 320 to ensure, for example, that the security patch rules in review phase 312 were properly selected and/or generated and additionally to ensure that the security patch rules in review phase 312 may provide remediation for the security vulnerabilities identified in the vulnerability data 306 … security patch rules in review phase 312 may be applied 316 to the source code representation 302 by, for example, a security patch applicator to produce a set of modified source code representations 318 … modified source code representations 318 may be used in combination with the security patch rules in review phase 312 … illustrate the effects of applying each of the security patch rules in review phase 312 to the source code representation 302.” See also, e.g., 9:41-60, “verified security patch rules in review phase 322 may be provided to a user (e.g., an end user) for review and selection … verified security patch rules … may also be provided … security patch description 314 may also be provided … set of changes 326 may also be provided … by comparing the source code representation 302 to one or more of the set of modified source code representations 318 …” See also, e.g., 4:66-5:26, describing that the ibid.).
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify the system and method for automated identification of security-related tasks for a software project as taught by Bhalla and Phoenix in view of Gebhardt, Giammaria and Atighetchi to provide that the method further comprises generating and outputting a modified software design representation that visually indicates at least one of the identified security controls with respect to at least one of the one or more elements because the disclosure of Sheridan shows that it was known to those of ordinary skill in the pertinent art to improve a system and method for automated identification of security-related tasks for a software project to provide that the method further comprises generating and outputting a modified software design representation that visually indicates at least one of the identified security controls with respect to at least one of the one or more elements for the purpose of facilitating review and implementation of additional security controls in a source code representation by an end user or expert (Sheridan, Id.).

Claim 18 is rejected for the reasons given in the rejection of claim 13 above.

Regarding claim 22, the rejection of claim 1 is incorporated, but Bhalla and Phoenix in view of Gebhardt, Giammaria and Atighetchi do not more particularly teach determining, for a given one of the security controls, relevant information for implementing the control comprising at least one of an estimated complexity, one or more code snippets, and one or more software libraries, and outputting the relevant information to a GUI. However, Sheridan does teach: determining, for a given one of the identified security controls, relevant information for implementing the given security control within the software project, wherein the relevant information comprises at least one of: an estimated complexity for implementing the given security control, one or more code snippets related to the given security control, and one or more software libraries related to the given security control; and outputting the relevant information to a graphical user interface (Sheridan, e.g., 8:54-9:5, “security patch description 314 may include … intrusiveness information … intrusiveness information may be a scale (e.g., ‘low,’ ‘medium,’ and ‘high’) indicating the amount of changes in the security patch … security patch description 314 may be include with the security patch rule in review phase 312 …” Examiner’s note: review phase 312 includes verification by an end-user or security engineer (see, e.g., 9:6-41); the review, verification and application steps may be performed via a web interface (see, e.g., FIG. 5 and 10:60-11:9)) for the purpose of providing comprehensive information to a user for reviewing, verifying, and applying security patches (Sheridan, ibid.).
	Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify the system and method for automated identification of security-related tasks for a software project as taught by Bhalla and Phoenix in view of Gebhardt, Giammaria and Atighetchi to provide for determining, for a given one of the security controls, relevant information for implementing the control comprising at least one of an Id.).

Regarding claim 23, the rejection of claim 1 is incorporated, but Bhalla and Phoenix in view of Gebhardt, Giammaria and Atighetchi do not more particularly teach that the method further comprises generating and outputting a modified model representation that visually indicates at least one of the identified security controls with respect to at least one of the one or more symbolic elements. However, Sheridan does teach: generating and outputting a modified model representation of the software project that visually indicates at least one of the identified security controls with respect to at least one of the one or more symbolic elements (Sheridan, e.g., 9:6-41, “security patch rules in review phase 312 may then be verified 320 to ensure, for example, that the security patch rules in review phase 312 were properly selected and/or generated and additionally to ensure that the security patch rules in review phase 312 may provide remediation for the security vulnerabilities identified in the vulnerability data 306 … security patch rules in review phase 312 may be applied 316 to the source code representation 302 by, for example, a security patch applicator to produce a set of modified source code representations 318 … modified source code representations 318 may be used in combination with the security patch rules in review phase 312 … illustrate the effects of applying each of the security patch rules in review phase 312 to the source code representation 302.” See also, e.g., 9:41-60, “verified security patch rules in review phase 322 may be provided to a user (e.g., an end user) for review and selection … verified security patch rules … may also be provided … security patch description 314 may also be provided … set of changes 326 may also be provided … by comparing the source code representation 302 to one or more of the set of modified source code representations 318 …” See also, e.g., 4:66-5:26, describing that the representations may comprise abstract syntax tress or other data structures; see also, e.g., 15:55-16:12, disclosing the use of a security control library for generating security patches that may be implemented in the source code representation. Examiner’s note: an abstract syntax tree or other data structure is interpreted as at least consistent with process and/or dataflows) for the purpose of facilitating review and implementation of additional security controls in a source code representation by an end user or expert (Sheridan, ibid.).
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify the system and method for automated identification of security-related tasks for a software project as taught by Bhalla and Phoenix in view of Gebhardt, Giammaria and Atighetchi to provide that the method further comprises generating and outputting a modified model representation that visually indicates at least one of the identified security controls with respect to at least one of the one or more symbolic elements because the disclosure of Sheridan shows that it was known to those of ordinary skill in the pertinent art to improve a system and method for automated identification of security-related tasks for a software project to provide that the method further comprises generating and Id.).

Response to Arguments
In the Remarks, Applicants Argue: In view of the amendments, the claims distinguish over the prior art of record. The claims are accordingly in condition for allowance.
	Examiner’s Response: In view of the amendments, Examiner newly rejects the claims under 35 U.S.C. 112 for the reasons set forth in full above, and further maintains the rejections under 35 U.S.C. 103 under the new grounds set forth above and explained therein.

Conclusion
Applicant's amendment necessitated the new ground(s) of rejection presented in this Office action.  Accordingly, THIS ACTION IS MADE FINAL.  See MPEP § 706.07(a).  Applicant is reminded of the extension of time policy as set forth in 37 CFR 1.136(a).  
A shortened statutory period for reply to this final action is set to expire THREE MONTHS from the mailing date of this action.  In the event a first reply is filed within TWO MONTHS of the mailing date of this final action and the advisory action is not mailed until after the end of the THREE-MONTH shortened statutory period, then the shortened statutory period will expire on the date the advisory action is mailed, and any extension fee pursuant to 37 CFR 1.136(a) will be calculated from the mailing date of the advisory action.  In no event, however, will the statutory period for reply expire later than SIX MONTHS from the date of this final action. 
Examiner has identified particular references contained in the prior art of record within the body of this action for the convenience of Applicant.  Although the citations made are representative of the teachings in the art and are applied to the specific limitations within the enumerated claims, the teaching of the cited art as a whole is not limited to the cited passages.  Other passages and figures may apply.  Applicant, in preparing the response, should consider fully the entire reference as potentially teaching all or part of the claimed invention, as well as the context of the passage as taught by the prior art and/or disclosed by Examiner.
Examiner respectfully requests that, in response to this Office Action, support be shown for language added to any original claims on amendment and any new claims.  That is, indicate support for newly added claim language by specifically pointing to page(s) and line number(s) in 
When responding to this Office Action, Applicant is advised to clearly point out the patentable novelty which he or she thinks the claims present, in view of the state of the art disclosed by the references cited or the objections made.  He or she must also show how the amendments avoid such references or objections.  See 37 C.F.R. 1.111(c).
Examiner interviews are available via telephone and video conferencing using a USPTO-supplied web-based collaboration tool. Applicant is encouraged to submit an Automated Interview Request (AIR) which may be done via https://www.uspto.gov/patent/uspto-automated-interview-request-air-form, or may contact Examiner directly via the methods below.
Any inquiry concerning this communication or earlier communication from Examiner should be directed to Andrew M. Lyons, whose telephone number is (571) 270-3529, and whose fax number is (571) 270-4529.  The examiner can normally be reached Monday to Friday from 10:00 AM to 6:00 PM EST.            If attempts to reach Examiner by telephone are unsuccessful, Examiner’s supervisor, Wei Zhen, can be reached at (571) 272-3708.  The fax number for the organization where this application or proceeding is assigned is (571) 273-8300.            Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system.  Status information for published applications may be obtained from either Private PAIR or Public PAIR.  Status information for unpublished applications is available through Private PAIR only.  For more information about the PAIR system, see http://pair-direct.uspto.gov.  Should you have questions on access to the Private PAIR system, contact the Electronic Business Center (EBC) at (866) 217-9197 (toll-free).  If you (800) 786-9199 (in USA or Canada) or (571) 272-1000.
/Andrew M. Lyons/Examiner, Art Unit 2191                                                                                                                                                                                                        


    
        
            
        
            
        
            
        
            
        
            
        
            
        
            
        
            
        
            
        
            
        
            
        
            
        
            
        
            
        
            
        
            
        
            
        
            
        
            
        
            
        
            
        
            
        
            
        
            
        
            
        
            
        
            
    

    
        1 Nucci et al., U.S. 2013/0167109 A1, more particularly discloses that a process may have a symbolic representation; see, e.g., Abs. and claim 10
        2 See, e.g., “White-box testing,” Wikipedia, last retrieved from https://en.wikipedia.org/wiki/White-box_testing on 15 January 2021.