DETAILED ACTION
This action is in response to the initial claims filed 2/14/2020.  Claims 1-5 are pending.  Independent claim 1, and corresponding dependent claims are directed towards a method and device for providing a scanning appliance to identify security risks and vulnerabilities in software design prior to the software’s implementation.
Notice of Pre-AIA  or AIA  Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA .
In the event the determination of the status of the application as subject to AIA  35 U.S.C. 102 and 103 (or as subject to pre-AIA  35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.
Drawings
The drawings are objected to because:  Fig. 1 item S112 “SCANE” should be “SCAN”; Fig. 2 item 212 is not described in the specification; Fig. 4 the acronym “REPO” is not described in the specification; and	Fig. 5 has significant issues and Examiner has made suggestions on how to remedy (Please read fully as suggested changes rely upon other changes): 		-  the scanning appliance “306” is labelled twice, (suggest removing the “306” on the outside of the “306” box); 		- item “522” is not described in the specification;		-  pg. 7 ¶3 describes “The appliance 306 communicates and scans the code through encrypted communication in 504”, however, the figure shows a duplicate line labelled “Encrypted Communication” between 502 and 306 as well as the “504” between 502 and 306, (suggest removal of the “Encrypted Communication” line, and making the arrows of the lines connected to 504 bi-directional); and		- pg. 7 ¶4 describes “After the new code from the developer has been added to the repository 502, scanning appliance 306 verifies that the vulnerabilities have been address in 508”, however, in the figure the flow shows that “508” is preceded by “504” the (Encrypted communication) and not “306” the (scanning appliance), (suggest removing line between 504 and 508, moving 504 over to where “Encrypted Communication” previous was, and adding an arrow line from 306 to 508). 	 Corrected drawing sheets in compliance with 37 CFR 1.121(d) are required in reply to the Office action to avoid abandonment of the application. Any amended replacement drawing sheet should include all of the figures appearing on the immediate prior version of the sheet, even if only one figure is being amended. The figure or figure number of an amended drawing should not be labeled as “amended.” If a drawing figure is to be canceled, the appropriate figure must be removed from the replacement sheet, and where necessary, the remaining figures must be renumbered and appropriate changes made to the brief description of the several views of the drawings for consistency. Additional replacement sheets may be necessary to show the renumbering of the remaining figures. Each drawing sheet submitted after the filing date of an application must be labeled in the top margin as either “Replacement Sheet” or “New Sheet” pursuant to 37 CFR 1.121(d). If the changes are not accepted by the examiner, the applicant will be notified and informed of any required corrective action in the next Office action. The objection to the drawings will not be held in abeyance.
Specification
The disclosure is objected to because of the following informalities: pg. 3 ¶6 l. 2 “and its very nature”; pg. 3 ¶6 ll. 9-11 “this code [[is]]as written allows for a high, low or somewhere in between when evaluated [[it]] from a security perspective”; pg. 4 ¶3 l. 1 “which contains[[;]]:” for the beginning of a list; pg. 4 ¶3 l. 8 “the AI tier; and H)” prior to the last element of the list; pg. 4 ¶4 l. 1 which contains[[;]]:” for the beginning of a list; pg. 4 ¶4 l. 7 the acronym UI should be expanded; pg. 4 ¶4 l. 9 “event triggers; and[[;]] for correct positioning of semi-colon ion list; pg. 4 ¶5 l. 2 “including[[;]]:” for the beginning of a list; pg. 4 ¶5 ll. 2-3 “C) Small Compute format; and[[;]]” for correct positioning of semi-colon in list; pg. 5 ¶1 l. 1 “such as[[;]]: A)” for beginning of list and missing “A”; pg. 5 ¶1 ll. 2-3 possible misuse of the acronym “SSO” for “Integrations into Identity Management platforms”, in the realm of Computer Science the “SSO” acronym is typically used for “Single-Sign On”; pg. 5 ¶1 is missing an ending period; pg. 5 ¶2 ll. 5-6 “which allows the invention to prioritize and display to the user the urgency and priority of responses using the inventions remediation”;	- pg. 5 ¶3 l. 3 shows the first reference to label “100” for a “system”, which is not shown in the drawings, suggest removing all references to “100” from the specification by replacing instances of both (“the system the system connects” for grammar; pg. 5 ¶4 l. 5 “may be caused by”; pg. 6 ¶4 l. 3 “master branch”; pg. 6 ¶5 l. 4 “the code [[in]]is incorporated”; pg. 7 ¶2 l. 1 “depicts a system architecture 400 [[in]] which can accommodate”;	- pg. 7 ¶4 ll. 1-10 “As vulnerabilities are identified at the dashboard 304, remediation must occur.  Developers [[520]] can bid on remediation 520 and the client [[518]] can approve the bidder 518. Once the bid is approved, the developer [[516]] starts the coding to address the vulnerabilities 516. After the new code from the developer [[516]] has been added to the repository 502, scanning appliance 306 verifies that the vulnerabilities have been address in 508. If so, the funds are released to the developer [[516]] in step 510. If not, a message 512 is sent to the developer 516 that additional changes to the code are needed to address vulnerabilities. Using this workflow, scanning appliance 306 can be used to ensure that all vulnerabilities in the code have been addressed before releasing the funds to developer [[516]]. Also, because the coding is done behind firewall 506, the developer [[516]] is protected from any external threats” for correct usage of the labels 516, 518, and 520, as they reference steps shown in Fig. 5, not the “developer” or “client”;	- pg. 8 ll. 1-2 recites “Also, because the coding is done behind firewall 506, the developer is protected from any external threats”, pg. 7 ¶3 also states “The scanning by appliance 306 all occurs behind firewall 506”, Fig. 5 shows a firewall “506” traversal between the scan appliance 306 and the dashboard 304, however, it also shows a path between 304 and 306 (via 520, 518, 516, 514, 502 and 306) that appears to violate the purpose of a firewall.  Therefore, it is unclear what is “behind” vs. “outside” the firewall; and	pg. 8 ¶2 l. 1 “700” is not shown in the drawings.	Appropriate correction is required.
Claim Objections
Claim 1 is objected to because of the following informalities, shown with suggested amendments:  Claim 1 ll. 2-3 “implementation of [[the]] software source code” as this is the first recitation.	Appropriate correction is required.
Claim Rejections - 35 USC § 112
The following is a quotation of 35 U.S.C. 112(b):
(b)  CONCLUSION.—The specification shall conclude with one or more claims particularly pointing out and distinctly claiming the subject matter which the inventor or a joint inventor regards as the invention.

Claims 1-5 are rejected under 35 U.S.C. 112(b) as being indefinite for failing to particularly point out and distinctly claim the subject matter which the inventor or a joint inventor regards as the invention.
Claim 1 l. 6 recites “recognized cyber security standards and best practice standards” of which the term “recognized” is a relative term which renders the claim indefinite as it is subjective in nature (see MPEP 2173.05(b) § IV). The term “recognized” is not defined by the claim, the specification does not provide a standard for ascertaining the requisite degree, and one of ordinary skill in the art would not be reasonably apprised of the scope of the invention. For purposes of applying prior art the limitation has been construed as “ cyber security standards and best practice standards”.
Claim 5, depending from claim 1, recites “wherein recognized cyber security standards are” and has been construed as “wherein the 
Claim 1 l. 9 recites the limitation “based on the constraints and priority of the risk categorization” which lacks proper antecedent basis as there is no prior recitation of “constraints and priority” or “risk categorization”.  For purposes of applying prior art the limitation has been construed as “based on [[the]] constraints and priority of [[the]] risk categorization”.
Claims 2-5 incorporate the deficiencies of claim 1, through dependency, and are therefore also rejected.
Claim 2 ll. 5-6 recite the limitation “the method described in claims 1 and 2” which lacks proper antecedent basis, as a claim cannot depend from itself, nor can a multiple dependent claim be in any form other than as an alternate (using “or” instead of “and”).  For purposes of applying prior art the limitation has been construed as “the method described in claim[[s]] 1
Claim Rejections - 35 USC § 103
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102 of this title, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains.  Patentability shall not be negated by the manner in which the invention was made.

Claims 1-4 are rejected under 35 U.S.C. 103 as being unpatentable over Bhalla et al. (US 2019/0114435 A1), filed Oct. 13, 2017, in view of Wasiq et al. (US 9,813,450 B1), issued Nov. 7, 2017.
As to claim 1, Bhalla substantially discloses a method for a Compute Security Risk and Vulnerabilities analysis (Bhalla [Abstract]) comprising:	a. scanning software source code prior to implementation of software source code in a production environment (Bhalla [0057] scanning code during development to identify vulnerabilities; [0081] code scanner receives code of software application for scanning);	b. identifying vulnerabilities in software designs by simulation of the software source code at runtime (Bhalla [0057] scanning the code includes Static & Dynamic Application Security Testing (SAST) & (DAST), SAST involves source code debugging and theorizing about security vulnerabilities and DAST involves testing and evaluation based on execution);	c. developing a Risk Score in accordance with cyber security standards (Bhalla [0045] context defined for the software environment based on security standards; [0047] relevant security requirements are selected based on context; [0066] a risk number is assigned to each security requirement) and best practice standards (Bhalla [0043] knowledge database used to provide security tasks based on identification of risk; [0047] knowledge database includes best practice rules concerning security structures); and	d. providing recommendations on mitigation or remediation of the vulnerabilities based on constraints (Bhalla [0045] context defined for the software environment (constraints); [0047] relevant security requirements are selected based on context) and priority of risk categorization (Bhalla Fig. 5; [0086] task list of security requirements displayed on developer GUI, security requirements with highest priority on top; [0066] risk number used to generate prioritized task list; [0067] each security requirement is provided with guidance for remediation).	Bhalla fails to disclose scanning code repositories.	Wasiq describes scanning of repositories for policy non-compliance.	With this in mind, Wasiq discloses scanning code repositories (Wasiq c. 1 ll. 40-46 conventional use of periodic scanning of source code repositories for vulnerabilities, and triggering of corrective actions for policy violators).  It would have been obvious at the time the invention was made to a person having ordinary skill in the art to which said subject matter pertains to combine the periodic repository scanning of Wasiq with the software lifecycle security risk identification of Bhalla, such that the scanning of repositories is done on a periodic basis, as it would advantageously allow for continuous timely identification of security vulnerabilities within source code.
As to claim 2, Bhalla and Wasiq disclose the invention as claimed as described in claim 1, including a Computing Device (Bhalla [0027] computing device) for implementing a Compute and Networking Appliance Security Risk and Vulnerabilities analysis (Bhalla [Abstract]) comprising:	a. a processor (Bhalla [0027] processor);	b. a computer storage medium coupled to the processor (Bhalla [0027] memory coupled to processor);	c. software instructions sets executed in accordance to the method (Bhalla [0027] instructions in memory executed by processor);	d. a reporting mechanism to display results sets from the software source code scans (Bhalla Fig. 5; [0086] task list of security requirements displayed on developer GUI); and	e. an Alerting mechanism to send off alerts based on predefined instruction criteria and thresholds (Bhalla [0079] ll. 29-48 updates to knowledge database regarding security risks/updates relevant to developer defined software application context are displayed as high priority alerts on the task list in high risk situations).
As to claim 3, Bhalla and Wasiq disclose the invention as claimed as described in claim 1, including wherein there is security risk associated with use of the software in a production environment (Bhalla [0002]-[0003] security risks associated with software).
As to claim 4, Bhalla and Wasiq disclose the invention as claimed as described in claim 1, including wherein users set software scans intervals for the software source code repositories (Wasiq c. 1 ll. 40-46 conventional use of periodic scanning of source code repositories for vulnerabilities, and triggering of corrective actions for policy violators).
Claim 5 is rejected under 35 U.S.C. 103 as being unpatentable over Bhalla et al. (US 2019/0114435 A1), filed Oct. 13, 2017, in view of Wasiq et al. (US 9,813,450 B1), issued Nov. 7, 2017, in view of Sloan et al. (US 2019/0034639 A1), published Jan. 31, 2019.
As to claim 5, Bhalla and Wasiq substantially disclose the invention as claimed as described in claim 1, failing, however, to explicitly disclose wherein the cyber security standards are the National Institute of Standards and Technology (NTST) Framework.	Sloan describes monitoring information-security coverage to identify an exploitable weakness in the information-security coverage.	With this in mind, Sloan discloses using cyber security standards that are the National Institute of Standards and Technology (NTST) Framework (Sloan [0061] NIST framework; [0091] used to identify vulnerability or risk in information-security coverage “environment does not comply with one or more controls”).  It would have been obvious at the time the invention was made to a person having ordinary skill in the art to which said subject matter pertains to combine the NIST framework risk/vulnerability analysis with the risk analysis system of Bhalla and Wasiq, such that the NIST framework is used as a standard to evaluate risk, as it would advantageously allow a user to identify a vulnerability gap or risk (Sloan [0091]) to prevent threats to information (Sloan [0003]).
Conclusion
The prior art made of record and not relied upon is considered pertinent to applicant's disclosure.
Kim et al. (US 2009/0119647 A1) is related to software "fuzzing" - testing for vulnerabilities.
Kim et al. (US 2019/0114436 A1) is related to detection of security vulnerabilities based on hybrid fuzzing and risk analysis.
Fink et al. (US 9,747,187 B2) is related to analyzing computer software for vulnerabilities.
Sheridan et al. (US 9,792,443 B1) is related to position analysis of source code vulnerabilities.
Song et al. (US 2020/0272743 A1) is related to checking an automation system for security vulnerabilities.
Lee et al. (US 2016/0188885 A1) is related to software vulnerability analysis.
Any inquiry concerning this communication or earlier communications from the examiner should be directed to ERIC W SHEPPERD whose telephone number is (571)270-5654.  The examiner can normally be reached on Monday - Thursday, Alt. Friday, 7:30AM - 5:00PM, EST.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Saleh Najjar can be reached on (571)272-4006.  The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system.  Status information for published applications may be obtained from either Private PAIR or Public PAIR.  Status information for unpublished applications is available through Private PAIR only.  For more information about the PAIR system, see http://pair-direct.uspto.gov. Should you have questions on access to the Private PAIR system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative or access to the automated information system, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.

/Eric W Shepperd/Primary Examiner, Art Unit 2492