DETAILED ACTION

Notice of Pre-AIA  or AIA  Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA .

Claim Rejections - 35 USC § 103
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.

Claims 1-28 is/are rejected under 35 U.S.C. 103 as being unpatentable over Siman et al USPN 11,087,002 in view of Wysopal et al USPN 8,613,080.
Regarding claims 1, 13 and 18
Siman et al teaches 
subjecting the binary and/or source code representations to static testing to generate raw static test results, the raw static test results indicating one or more potential security weaknesses in the application, at least one of the one or more potential security weaknesses being a false-positive (column 5, line 56, program code to be evaluated for security vulnerabilities comprises inputs to the system 10. The program code may be of two kinds: source code 16 and binary code 18. The binary code 18 may comprise object code modules or executable code. The system 10 is capable of testing security vulnerabilities of both the source code 16 and binary code 18. Queries 20 that detect various types of security vulnerabilities are input by an operator and initially processed in a query input module 22. The queries 20 are written in a query language, referred to herein as the “unified query language”, which is discussed below. The query input module 22 submits the queries 20 to query processor 28, which directs them to either a static testing tool 24 or a dynamic testing tool 26. The query input module 22, query processor 28, static testing tool 24 and dynamic testing tool 26 may execute in the computer 12 (or in other computers in a distributed environment). The dynamic testing tool 26 can be the tool disclosed in commonly assigned application Ser. No. 15/535,732, entitled Code Instrumentation for Runtime Application Self-Protection, which is herein incorporated by reference) 
generating, for each potential security weakness, a corresponding dynamic test set, including one or more dynamic test cases, each dynamic test set being generated in dependence on (i) the corresponding potential security weakness, and (ii) lookups to a weakness data set, an application context data set, and an attack pattern data set (column 7, line 6, during runtime, the instrumented application gets inputs and creates outputs as part of its regular workflow. Each input data that arrives at an instrumented input (source) point is checked by one or more vulnerability sensors, which examine the input for syntax that is characteristic of attack patterns, such as SQL injection, cross-site scripting (XSS), file path manipulation, and JavaScript Object Notation (JSON) injection. Matching of regular expressions may be used for this purpose. When an input is identified as potentially malicious by one of these sensors, it is saved in a cache for a certain period of time (for example, one minute) or until the cache is full. Both cache capacity and saving time duration are configurable. For each saved input, the cache also holds a flag indicating the vulnerabilities to which the input may be relevant, along with other pertinent metadata, such as time, stack trace, and context. Aside from caching the suspicious input, the application workflow continues without interruption);

wherein the weakness data set includes an enumeration of different weakness types and descriptions thereof, the application context data set includes information specific to the application, and the attack pattern data set includes information about how to generate attacks for the different weakness types enumerated in the weakness data set (column 1, line 52, enterprise security solutions have historically focused on network and host security, e.g., using so-called “perimeter protection” techniques. Despite these efforts, application level vulnerabilities remain as serious threats. Detection of such vulnerabilities has been attempted by lexical analysis of source code. This typically results in large numbers of false positive indications. Line-by-line code analysis has been proposed. However, this has proved to be impractical, as modern software suites typically have thousands of lines of code. Indeed, even in relatively compact environments, such as Java 2 Standard Edition (J2SE), Java 2 Platform, Java 2 Enterprise Edition (J2EE), a runtime module may include thousands of classes) 

subjecting an instance of the application running in a test runtime environment to the generated dynamic test case(s) to generate dynamic test results, the dynamic test results indicating whether each of the one or more potential security weakness is a verified security weakness of the application, the dynamic test results including fewer false-positives than the raw static test results (column 7, line 42, Referring again to FIG. 1, the outputs of the static analysis module 30 and dynamic analysis module 32 contribute to vulnerability reports 50, which are contributed by the static analysis module 30 and the dynamic analysis module 32, and may be presented on the display 14 or transmitted to another I/O device (not shown).The extended data models of both SAST & IAST may be correlated, using the unified query language, as each data model has its own “blind spots” and its own advantages. The query exploits both in order to get improved results. The run-time results of dynamic IAST can be used in order to validate SAST results, which are sometimes doubtful. The combined vulnerability reports 50 add valuable information for the software developer in proving that vulnerabilities identified by SAST have actually been fixed) and (column 6, line 52, DAST approaches the application as a “black box,” and attempts to find vulnerabilities by bombarding the application during runtime with potentially harmful inputs. The dynamic testing tool 26 operates on the binary code 18, for example by recompiling and instrumenting the binary code 18 by known techniques to accommodate the queries 20. For example, code instrumentation and selected inputs may be injected by an interactive application security testing (IAST) agent in order to track relevant points in the input flow. When the binary code is executed in an execution module 48 the flow of the program is captured. Runtime events are collected and analyzed in the dynamic analysis module 32). Simon et al teaches security vulnerability but doesn’t teach explicitly outputting a listing of each verified security weakness of the application, however Wysopal et al teaches (column 1, line 52, there are a myriad of testing and assessment techniques for validating various properties of software applications and network implementations. However, one of the most critical processes for ensuring that the deployment of software does not expose an organization to unacceptable risks is security and vulnerability testing. Some of the conventional techniques used to perform such testing includes static analysis (automated code review), dynamic analysis (automated penetration testing) and manual analyses such as code review, design review, and manual penetration testing. All of these analysis techniques are aimed at finding security weaknesses and vulnerabilities in an application and typically provided in report format to the programmers, product managers and quality assurance (QA) staff. The report can provide detailed results (e.g., program names, line numbers, variable names, data connections, etc.) as well as a summary of the results. The report may be a conventional document such as a text file or a structured XML file). Therefore, it would have been obvious to a person of ordinary skill in the art before the effective filing date of the claimed invention to incorporate security weakness to be generated and reviewed. The modification would have been obvious because one of ordinary skill in the art would have been motivated to combine teaching into testing an application for security issues and resources to administer what is necessitated for degree of analysis in event of threat and severity.

Regarding claims 2, 14 and 19
Simon et al teaches 
 the listing of verified security weakness(es) of the application includes, for each verified security weakness, an indication of a location of where in the binary and/or source code representation(s) the respective verified security weakness occurs (column 6, line 31, ) reference is now made to FIG. 3, which is a data flow graph 42 of the sort produced by the static testing tool 24 (FIG. 1) in accordance with a disclosed embodiment of the invention. A data flow graph describes data flow within a single method. Each time a value is assigned to a variable, the influencing object and the location of the assignment is recorded. As result, a graph can be constructed, in which the data flow nodes are variables in a specific location, and connections represent dependency. The graph is transitive. Thus, a backward transitive closure computed at a specific location retrieves all influencing variables. It will be noted that each node is directed to a node that affects or influences it. For example, in node 44, the assigned value of the variable “c” is influenced by an assignment to a variable “a” in node 46). The feature of providing verified security weakness(es) of the application includes, for each verified security weakness, an indication of a location of where in the binary and/or source code that limitation from the claim 1 would be obvious for the reasons set forth in the rejection of claim 1.

Regarding claims 3, 15 and 20
Simmon et al teaches 
 automatically modifying the binary and/or source code representation(s) of the application to repair one or more of the verified security weaknesses (column 8, line 49, the data captured by dynamic testing, i.e., runtime testing, includes a data flow that can be reproduced during tests. Such tests can be manually initiated, automated, or can be a record in a production environment. In any case the tests can be analyzed by queries written in the unified query language in order to find security vulnerabilities). The feature of providing automatically modifying the binary and/or source code representation that limitation from the claim 1 would be obvious for the reasons set forth in the rejection of claim 1.

Regarding claims 4-5 and 21
Simmon et el teaches
the binary and/or source code representations stored to a first data store and are accessed via a first set of data exchange interfaces (column 5, line 57, program code to be evaluated for security vulnerabilities comprises inputs to the system 10. The program code may be of two kinds: source code 16 and binary code 18. The binary code 18 may comprise object code modules or executable code. The system 10 is capable of testing security vulnerabilities of both the source code 16 and binary code 18. Queries 20 that detect various types of security vulnerabilities are input by an operator and initially processed in a query input module 22. The queries 20 are written in a query language, referred to herein as the “unified query language”, which is discussed below. The query input module 22 submits the queries 20 to query processor 28, which directs them to either a static testing tool 24 or a dynamic testing tool 26. The query input module 22, query processor 28, static testing tool 24 and dynamic testing tool 26 may execute in the computer 12 (or in other computers in a distributed environment). The dynamic testing tool 26 can be the tool disclosed in commonly assigned application Ser. No. 15/535,732, entitled Code Instrumentation for Runtime Application Self-Protection, which is herein incorporated by reference).

Regarding claims 6, 8, 22 and 24
Simmon et el teaches
the second set of data exchange interfaces include an API and/or a command line interface (column 11, line 39, this sequence is similar to a data flow graph, since it has the form of a connected graph in which nodes contain source commands, such as input and Output APIs, and there is a directed edge between two nodes if there is a data flow between the two corresponding commands). The feature of providing data exchange interface with API that limitation from the claim 1 would be obvious for the reasons set forth in the rejection of claim 1.

Regarding claims 7, 16 and 23
Simmon et el teaches
the raw static test results indicating one or more potential security weaknesses in the application each include an identifier for each potential security weakness, a first location of where in the binary and/or source code representation(s) the respective potential security weakness is caused to occur, and a second location of where data causing the potential security weakness enters the binary and/or source code representation(s), and wherein the identifier specifies an entry in the weakness data set (column 7, line 6, during runtime, the instrumented application gets inputs and creates outputs as part of its regular workflow. Each input data that arrives at an instrumented input (source) point is checked by one or more vulnerability sensors, which examine the input for syntax that is characteristic of attack patterns, such as SQL injection, cross-site scripting (XSS), file path manipulation, and JavaScript Object Notation (JSON) injection. Matching of regular expressions may be used for this purpose. When an input is identified as potentially malicious by one of these sensors, it is saved in a cache for a certain period of time (for example, one minute) or until the cache is full. Both cache capacity and saving time duration are configurable. For each saved input, the cache also holds a flag indicating the vulnerabilities to which the input may be relevant, along with other pertinent metadata, such as time, stack trace, and context. Aside from caching the suspicious input, the application workflow continues without interruption).

Regarding claims 9, 17 and 25
Simmon et el teaches
wherein each dynamic test case includes at least one attack vector, the attack vector(s) being generated using the second location and in connection with the attack pattern data set, the attack vector(s) being executed against the instance of the application running in the test runtime environment during the dynamic testing (column 5, line 26, a “sanitizer” as used herein refers to a procedure for correcting or eliminating user input to prevent insertion of invalid data. The terms “source” refers to the beginning of an attack vector (typically an input). The term “sink” refers to the destination or target of the attack, e.g., a database, file system or output). The feature of providing dynamic test case includes at least one attack vector, the attack vector that limitation from the claim 1 would be obvious for the reasons set forth in the rejection of claim 1.

Regarding claims 10 and 26
Wysopal et el teaches
each potential security weakness is assigned a severity score during the generation of the raw static test results and further comprising automatically modifying the binary and/or source code representation(s) of the application to repair one or more of the verified security weaknesses in an order determined by respective severity scores (see summary of the invention and column 20, table 3). Therefore, it would have been obvious to a person of ordinary skill in the art before the effective filing date of the claimed invention to incorporate to check potential security weakness. The modification would have been obvious because one of ordinary skill in the art would have been motivated to combine teaching into testing an application for security issues and resources administer to detect degree of analysis in event of threat and severity and measure its level and score for evaluation.

Regarding claims 11 and 27
Rejection of claims 1 and 18 are incorpoted and further claims recite similar limitations as claims 1 and 10, therefore rejected under same rationale.

Regarding claims 12 and 28
Simmon et al teaches 
Dynamic test results are collected for the different instances (column 6, line 51, DAST approaches the application as a “black box,” and attempts to find vulnerabilities by bombarding the application during runtime with potentially harmful inputs. The dynamic testing tool 26 operates on the binary code 18, for example by recompiling and instrumenting the binary code 18 by known techniques to accommodate the queries 20. For example, code instrumentation and selected inputs may be injected by an interactive application security testing (IAST) agent in order to track relevant points in the input flow. When the binary code is executed in an execution module 48 the flow of the program is captured. Runtime events are collected and analyzed in the dynamic analysis module 32). The feature of providing collecting dynamic test results that limitation from the claim 1 would be obvious for the reasons set forth in the rejection of claim 1.

Relevant Prior Art
US 8528093 B1 Kurecha et al Apparatus and Method for Performing Dynamic Security Testing Using Static Analysis Data
US 9921942 B1 Makohon et al teaches Security Validation of Software Delivered as A Service
US 10693901 B1 Chan et al teaches Techniques for Application Security
US 7975296 B2 Apfelbaum et al teaches Automated Security Threat Testing of Web Pages 
US 7861226 B1 Episkopos et al teaches Constraint Solver to Code Based Test Data Generation for Improving Software Reliability and Security



Conclusion
Any inquiry concerning this communication or earlier communications from the examiner should be directed to Anil Khatri whose telephone number is (571)272-3725. The examiner can normally be reached M-F 8:30-5:00.

Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.

If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, W Zhen can be reached on 571-272-3708. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.




/ANIL KHATRI/            Primary Examiner, Art Unit 2191