DETAILED ACTION
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.
A request for continued examination under 37 CFR 1.114, including the fee set forth in 37 CFR 1.17(e), was filed in this application after final rejection.  Since this application is eligible for continued examination under 37 CFR 1.114, and the fee set forth in 37 CFR 1.17(e) has been timely paid, the finality of the previous Office action has been withdrawn pursuant to 37 CFR 1.114.  Applicant's submission filed on 16 February 2022 has been entered.
Claims 1-8, 10-18, and 20 are pending.
This Action is Non-Final.

Claim Rejections - 35 USC § 103
In the event the determination of the status of the application as subject to AIA 35 U.S.C. 102 and 103 (or as subject to pre-AIA 35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.

Claims 1-3, 5, 7, 8, 10-13, 15, 17, 18, and 20 are rejected under 35 U.S.C. 103 as being unpatentable over Dhakshinamoorthy et al. (US 20190109872) in view of Walls et al. (US 7284274) and further in view of Lee et al. (US 20200336507).

diagnosing a set of results associated with the software execution as comprising one of a security vulnerability and not a security vulnerability, the set of results produced based at least in part on the attack vectors; and assessing a dynamic security vulnerability score for the software program based at least in part on the diagnosing (see paragraphs [0128] and [0083]).
While Dhakshinamoorthy et al. discloses the use of standards (see paragraph [0010]), it fails to explicitly disclose awarding a certification status to the software program under execution based at least in part on the dynamic security vulnerability score in accordance with a pre-established certification standard, the pre-established certification standard including at least one of an industry mandated, a proprietary and a government mandated certification standards.
However, Walls et al. teaches a system that performs vulnerability assessments including a dynamic analysis to produce a result that is used to provide a result that is used for awarding a certification status to the software program under execution based at least in part on the dynamic analysis and in accordance with a pre-established certification standard, the pre-established certification standard including at least one of an industry mandated, a proprietary and a government mandated certification standards (see column 14 lines 38-52 showing that the different analysis operations are used to certify the software; column 12 line 38 through column 13 line 33 showing the dynamic analysis; and column 6 line 21 through column 7 line 6 additionally showing the certification of the software).

Motivation to do so would have been that a software vendor can ensure the software it releases is likely not to fail in a way that will compromise system security, safety, reliability, and other dependability properties (see Walls et al. column 6 line 21 through column 7 line 2).
The modified Dhakshinamoorthy et al. and Walls et al. system discloses the use of attack vectors to test and detect various types of vulnerabilities on both client and server side software (see Dhakshinamoorthy et al. paragraphs [0099]-[0103] and FIG. 4B numerals 470a-j), but fails to explicitly disclose the security vulnerability is in accordance with a cross-site forgery command.
However, Lee et al. teaches the use of attack vectors to test a system for various types of vulnerabilities, including cross-site forgery commands (see paragraphs [0021]-[0023]).
At a time before the effective filing date of the invention, it would have been obvious to one of ordinary skill in the art to detect cross-site forgery command vulnerabilities in the modified Dhakshinamoorthy et al. and Walls et al. system.
Motivation, as recognized by one of ordinary skill in the art, to do so would have been to detect a well-known and common attack to thereby protect the system against additional types of attacks which increases the security of the system.
As per claims 2 and 12, the modified Dhakshinamoorthy et al., Walls et al., and Lee et al. system discloses the software program comprises a cloud based software program that is communicatively accessible to the security assessing server during the execution, and the identifying is based at least partly on having acquired no prior knowledge of execution attributes of the software program (see Dhakshinamoorthy et al. paragraphs [0052], [0066] and [0073] showing a cloud based system and paragraphs [0126]-[0127] showing that the fuzzer determines capabilities and therefore has no prior knowledge until the process begins).
As per claims 5 and 15, the modified Dhakshinamoorthy et al., Walls et al., and Lee et al. system discloses the dynamic security vulnerability score comprises an aggregation of the set of results constituting the security vulnerability that is attributable to the series of attack vectors (see Dhakshinamoorthy et al. paragraph [0083] where the score is determined based on the results, i.e. an aggregation of the results).
As per claims 7-8 and 17-18, the modified Dhakshinamoorthy et al., Walls et al., and Lee et al. system discloses at least one attack vector of the series comprises a data set that encodes an attempt to exploit a security vulnerability aspect of the software application under execution, wherein the data set 
As per claims 10 and 20, the modified Dhakshinamoorthy et al., Walls et al., and Lee et al. system discloses the diagnosing of the security vulnerability comprises the software application providing an error response indicating that at least one attack vector in the series of attack vectors successfully exploited a security vulnerability of the application (see Dhakshinamoorthy et al. paragraph [0099]).
Claims 4 and 14 are rejected under 35 U.S.C. 103 as being unpatentable over the modified Dhakshinamoorthy et al. and Walls et al. system as applied to claims 3 and 13 above, and further in view of Abramowitz (US 20160112445).
As per claims 4 and 14, the modified Dhakshinamoorthy et al., Walls et al., and Lee et al. system discloses correlating the certification status with a level of software security risk of an enterprise (see Dhakshinamoorthy et al. paragraph [0083] and Walls et al. column 6 line 21 through column 7 line 6), but fails to explicitly disclose, based on the correlating, assessing a monetary premium of a risk insurance policy as merited by the enterprise in accordance with a potential for at least one of: a sensitivity of enterprise data compromised, a level of control ceded, an amount of financial damage, and a level of commercial integrity harm to the enterprise.
However, Abramowitz teaches assessing a monetary premium of a risk insurance policy as merited by the enterprise in accordance with a potential for at least one of: a sensitivity of enterprise data compromised, a level of control ceded, an amount of financial damage, and a level of commercial integrity harm to the enterprise (see paragraphs [0036], [0060]-[0064]).
At a time before the effective filing date of the invention, it would have been obvious to include the insurance assessment of Abramowitz in the modified Dhakshinamoorthy et al., Walls et al., and Lee et al. system.
Claims 6 and 16 are rejected under 35 U.S.C. 103 as being unpatentable over the modified Dhakshinamoorthy et al. and Walls et al. system as applied to claims 5 and 15 above, in view of Belfoire, JR. et al. (US 20180146004).
As per claims 6 and 16, the modified Dhakshinamoorthy et al., Walls et al., and Lee et al. system generally discloses the use of weights (see Dhakshinamoorthy et al. paragraph [0078]), but fails to explicitly disclose the dynamic security vulnerability score comprises a weighted aggregation of the set of results constituting the security vulnerability that is attributable to the respective ones of the series of attack vectors.
However, Belfoire, JR. et al. teaches the dynamic security vulnerability score comprises a weighted aggregation of the set of results constituting the security vulnerability that is attributable to the respective ones of the series of attack vectors (see paragraph [0062]).
At a time before the effective filing date of the invention, it would have been obvious to one of ordinary skill in the art to use weights on the results in the modified Dhakshinamoorthy et al., Walls et al., and Lee et al. system.
Motivation, as recognized by one of ordinary skill in the art, to do so would have been to allow for more control of the scoring.

Response to Arguments
Applicant’s arguments with respect to claim(s) 1-8, 10-18, and 20 have been considered but are moot because the new ground of rejection does not rely on any reference applied in the prior rejection of record for any teaching or matter specifically challenged in the argument.

Conclusion
The prior art made of record and not relied upon is considered pertinent to applicant's disclosure: the remaining references put forth on the PTO-892 form are directed to vulnerability assessments and software certifications.
Any inquiry concerning this communication or earlier communications from the examiner should be directed to MICHAEL J PYZOCHA whose telephone number is (571)272-3875.  The examiner can normally be reached on Monday-Thursday 7:30am-5:00pm.

If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Hadi Armouche can be reached on (571) 270-3618.  The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system.  Status information for published applications may be obtained from either Private PAIR or Public PAIR.  Status information for unpublished applications is available through Private PAIR only.  For more information about the PAIR system, see https://ppair-my.uspto.gov/pair/PrivatePair. Should you have questions on access to the Private PAIR system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative or access to the automated information system, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.

/Michael Pyzocha/               Primary Examiner, Art Unit 2419