Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.



DETAILED ACTION
This action is in response to the communication filed on 05/22/2020.
Claims 1-21 are under examination.
The Information Disclosure Statement filed on 05/22/2020 has been entered and considered.


  
Double Patenting
The nonstatutory double patenting rejection is based on a judicially created doctrine grounded in public policy (a policy reflected in the statute) so as to prevent the unjustified or improper timewise extension of the “right to exclude” granted by a patent and to prevent possible harassment by multiple assignees. A nonstatutory double patenting rejection is appropriate where the conflicting claims are not identical, but at least one examined application claim is not patentably distinct from the reference claim(s) because the examined application claim is either anticipated by, or would have been obvious over, the reference claim(s). See, e.g., In re Berg, 140 F.3d 1428, 46 USPQ2d 1226 (Fed. Cir. 1998); In re Goodman, 11 F.3d 1046, 29 USPQ2d 2010 (Fed. Cir. 1993); In re Longi, 759 F.2d 887, 225 USPQ 645 (Fed. Cir. 1985); In re Van Ornum, 686 F.2d 937, 214 USPQ 761 (CCPA 1982); In re Vogel, 422 F.2d 438, 164 USPQ 619 (CCPA 1970); In re Thorington, 418 F.2d 528, 163 USPQ 644 (CCPA 1969).
A timely filed terminal disclaimer in compliance with 37 CFR 1.321(c) or 1.321(d) may be used to overcome an actual or provisional rejection based on nonstatutory double patenting provided the reference application or patent either is shown to be commonly owned with the examined application, or claims an invention made as a result of activities undertaken within the scope of a joint research agreement. See MPEP § 717.02 for applications subject to examination under the first inventor to file provisions of the AIA as explained in MPEP § 2159. See MPEP § 2146 et seq. for applications not subject to examination under the first inventor to file provisions of the AIA. A terminal disclaimer must be signed in compliance with 37 CFR 1.321(b).
The USPTO Internet website contains terminal disclaimer forms which may be used. Please visit www.uspto.gov/patent/patents-forms. The filing date of the application in which the form is filed determines what form (e.g., PTO/SB/25, PTO/SB/26, PTO/AIA/25, or PTO/AIA/26) should be used. A web-based eTerminal Disclaimer may be filled out completely online using web-screens. An eTerminal Disclaimer that meets all requirements is auto-processed and approved immediately upon submission. For more information about eTerminal Disclaimers, refer to www.uspto.gov/patents/process/file/efs/guidance/eTD-info-I.jsp.
Claims 1-21 are rejected on the ground of nonstatutory double patenting as being unpatentable over claims 1-14 of U.S. Patent No. 10,706,156 in view of Holz (US 2018/0165457 A1). The subject matter claimed in the instant application is disclosed in the patent and is covered by the patent except for the limitation of identifying at least one security requirement in the set of security requirements that has passed the test of the code scanner for which the code scanner is known to be capable of detecting. However, Holz, in the field of ranking security scanning routines based on vulnerability information from third party resources, teaches this feature. Before the effective filing date of the claimed invention, it would have been obvious to a person having ordinary skill in the art to incorporate the teaching of Holz into the teaching of U.S. Patent No. 10,706,156 with the motivation of ranking security scanning routines based on vulnerability information from third party resources as taught by Holz.
Claims 1-21 are provisionally rejected on the ground of nonstatutory double patenting as being unpatentable over claims 1-20 of copending Application No. 16/881704 in view of Holz (US 2018/0165457 A1). The subject matter claimed in the instant application is disclosed in the copending application and is covered by the copending application except for the limitation of identifying at least one security requirement in the set of security requirements that has passed the test of the code scanner for which the code scanner is known to be capable of detecting. However, Holz, in the field of ranking security scanning routines based on vulnerability information from third party resources, teaches this feature. Before the effective filing date of the claimed invention, it would have been obvious to a person having ordinary skill in the art to incorporate the teaching of Holz into the teaching of copending Application No. 16/881704 with the motivation of ranking security scanning routines based on vulnerability information from third party resources as taught by Holz.
This is a provisional nonstatutory double patenting rejection.

	

Claim Rejections - 35 USC § 103
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102 of this title, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains.  Patentability shall not be negated by the manner in which the invention was made.

Claims 1-3, 5-8 and 10-21 are rejected under 35 U.S.C. 103 as being unpatentable over Patil (US 8584247 B1), Holz (US 2018/0165457 A1) and Cornell et al. (US 2018/0176245 A1).
Regarding claim 1, Patil discloses a method for identifying security risks in a software application [abs, “A computer-implemented method for evaluating compliance checks”, col. 3, lines 6-8, “the compliance check is being applied to computers with a reputation for security risks implies that the compliance check is directed to security”], the method comprising: identifying a software context relating to the environment of the software application; selecting a set of security requirements for the software application based on the software context, the security requirements selected from a security knowledge database comprising security elements [col. 11, lines 34-37, “A scope of a compliance standard may describe the software/hardware on which the compliance check may operate and/or the goal to which the compliance check is directed.”, fig. 4, col. 8, lines 20-23, “financial group computer 401 may include three registered compliance standards: a first security standard 410, a SOX standard 412, and a first network optimization standard 414”, col. 7, lines 34-38, “database 120 may contain records and/or other data structures that identify compliance standards, compliance checks included in the compliance standards, and the locations where those compliance standards are registered and/or active”];
Patil does not explicitly disclose generating a prioritized task list comprising the customized set of selected security requirements; scanning code of the software application with at least one code scanner; or identifying at least one security requirement in the set of security requirements that has passed the test of the code scanner for which the code scanner is known to be capable of detecting.
However, Holz teaches generating a prioritized task list comprising the customized set of selected security requirements; scanning code of the software application with at least one code scanner [par. 0042, “As described in block 408, the multiple security routines are sorted according to the real-time trends, where the sorting establishes an order of priority for running each of the multiple security routines based on the real-time trends”]; identifying at least one security requirement in the set of security requirements that has passed the test of the code scanner for which the code scanner is known to be capable of detecting [par. 0037, “the PICS 147 will first run security routines from the multiple dynamic application scanning routines 202 that address SQL injection attacks against computer 101, may or may not then run security routines from the multiple dynamic application scanning routines 202 that address moderate level DDoS attacks against computer 101, and will not run security routines from the multiple dynamic application scanning routines 202 that address the low-level XSS attacks against computer 101”, par. 0047, “the computer then executes the percentage of the sorted security routines in the order of priority to identify one or more computer security issues for the computer system”];
Before the effective filing date of the claimed invention, it would have been obvious to a person having ordinary skill in the art to incorporate the teaching of Holz into the teaching of Patil with the motivation of ranking security scanning routines based on vulnerability information from third party resources as taught by Holz [Holz: par. 0001].
They do not explicitly disclose identifying the strength of the code scanner to discover a particular code vulnerability associated with the at least one security requirement to provide a level of confidence that the code scanner will have discovered the particular code vulnerability; and updating any security requirements in the prioritized task list for which the at least one code scanner is capable of verifying a compliance state to indicate a verified compliance state.  
However, Cornell et al. teaches identifying the strength of the code scanner to discover a particular code vulnerability associated with the at least one security requirement to provide a level of confidence that the code scanner will have discovered the particular code vulnerability [par. 0022, “in step 90 the embodiment 58 next determines the strength of the identification and generates a set of confidence-scored shared vulnerabilities 96. Vulnerability confidence scoring is accomplished by taking into account a number of the characteristics of the shared vulnerabilities and giving those characteristic different weights [Weight.sub.Match Count, Weight.sub.Application Count], leading to a confidence score [Confidence Score]”]; and updating any security requirements in the prioritized task list for which the at least one code scanner is capable of verifying a compliance state to indicate a verified compliance state [par. 0020, par. 0024, “the embodiment 58 prioritizes vulnerabilities based on the amount of risk to the organization that would be reduced by remediating the vulnerability. In step 102, the embodiment 58 considers the vulnerability severity [Severity.sub.Vulnerabilities]. Initial vulnerability severity ranking are typically provided by the SAST or IAST testing technology, but may also be manually overridden by an analyst. The severity is meant to capture the risk the organization is exposed to based on its presence in an application. Each vulnerability is given a weight reflecting its severity [Weight.sub.Severity]. More serious vulnerabilities are typically more valuable to fix because, in fixing them, more risk is reduced”].
Before the effective filing date of the claimed invention, it would have been obvious to a person having ordinary skill in the art to incorporate the teaching of Cornell et al. into the teaching of Patil and Holz with the motivation of identifying vulnerabilities in code shared between development teams to facilitate efficient remediation of such vulnerabilities as taught by Cornell et al. [Cornell et al. : par. 0003].
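The claim 1 limitations discussed above (context-based selection of requirements from a knowledge database, a risk-ordered task list, scanning with scanners of known capability, a confidence level for each scanner, and marking a requirement verified only when a capable scanner has passed it) are easier to follow as running code. The block below is an added illustration written for this page; it is not code from the application, from Patil, Holz, Cornell et al. or Wysopal et al., and the requirement identifiers, contexts, scanner names and capability probabilities in it are constructed placeholders. It also covers the behaviour the examiner maps to claims 2, 9 and 10: picking the scanner with the highest known capability, combining two clean scanner runs so the residual false-negative rate drops, and routing a requirement that no scanner can verify to a human check.

```python
"""Toy model of a context-driven, scanner-verified security task list (added example)."""
from dataclasses import dataclass, field
from math import prod

# Constructed knowledge base (hypothetical entries): requirement id ->
# (applicable software contexts, vulnerability class a scanner would look for,
#  risk rank with higher meaning more urgent, remediation instructions).
KNOWLEDGE_BASE = {
    "REQ-SQLI":    ({"web", "api"}, "sql_injection", 9, "Use parameterized queries."),
    "REQ-XSS":     ({"web"}, "xss", 7, "Encode output for the HTML context."),
    "REQ-CRYPTO":  ({"web", "api", "embedded"}, "weak_crypto", 6, "Use a vetted AEAD cipher."),
    "REQ-LOGGING": ({"web", "api"}, "audit_logging", 3, "Log security events to append-only storage."),
}

# Constructed scanner capability model: scanner -> {vulnerability class: probability
# that the scanner reports an instance when one exists}. A class that is absent means
# the scanner is not known to detect it, so a clean run proves nothing about it.
SCANNER_CAPABILITY = {
    "sast": {"sql_injection": 0.9, "xss": 0.7, "weak_crypto": 0.95},
    "dast": {"sql_injection": 0.6, "xss": 0.8},
}


@dataclass
class Task:
    req_id: str
    vuln_class: str
    risk: int
    instructions: str
    status: str = "open"            # open | failed | verified | needs_human_check
    confidence: float = 0.0         # confidence that no instance was missed
    verified_by: list = field(default_factory=list)


def build_task_list(context):
    """Select the requirements that apply to the context, highest risk first."""
    tasks = [Task(rid, vuln, risk, instr)
             for rid, (contexts, vuln, risk, instr) in KNOWLEDGE_BASE.items()
             if context in contexts]
    return sorted(tasks, key=lambda t: t.risk, reverse=True)


def best_scanner_for(vuln_class):
    """Name of the scanner with the highest known capability for the class, or None."""
    candidates = [(caps[vuln_class], name) for name, caps in SCANNER_CAPABILITY.items()
                  if vuln_class in caps]
    return max(candidates)[1] if candidates else None


def apply_scan_results(tasks, findings, min_confidence=0.8):
    """Update task statuses from scanner output.

    findings maps each scanner that was run to the set of vulnerability classes it
    flagged. Only scanners known to detect a task's class can change its state.
    """
    for task in tasks:
        capable = {name: caps[task.vuln_class] for name, caps in SCANNER_CAPABILITY.items()
                   if name in findings and task.vuln_class in caps}
        if not capable:
            task.status = "needs_human_check"      # no scanner can verify this one
            continue
        flagged = [name for name in capable if task.vuln_class in findings[name]]
        if flagged:
            task.status = "failed"
            task.verified_by = flagged
            continue
        # Each clean, capable scanner misses an instance with probability 1 - c;
        # independent scanners multiply, so a second scanner lowers the miss rate.
        miss_rate = prod(1 - c for c in capable.values())
        task.confidence = round(1 - miss_rate, 4)
        task.verified_by = sorted(capable)
        task.status = "verified" if task.confidence >= min_confidence else "open"
    return tasks


if __name__ == "__main__":
    # Constructed sample run: the SAST tool flags an XSS sink, the DAST tool is clean.
    sample = {"sast": {"xss"}, "dast": set()}
    for t in apply_scan_results(build_task_list("web"), sample):
        print(f"{t.req_id:12} risk={t.risk} {t.status:17} conf={t.confidence} by={t.verified_by}")
```

With the sample findings, REQ-SQLI is verified at 0.96 because both scanners are capable and clean, REQ-CRYPTO is verified on the SAST result alone, REQ-XSS fails, and REQ-LOGGING is sent for a human check. Running only the DAST scanner leaves REQ-SQLI open at 0.6, which is the point the examiner draws from Wysopal et al. for claim 9: a single scanner with a known false-negative rate does not, by itself, justify a verified state.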
Regarding claim 2, the rejection of claim 1 is incorporated.
Cornell et al. further teaches calling upon a particular code scanner which has high confidence capability for identifying the particular code vulnerability to verify that the security requirement has been completed [par. 0020, “Static application security testing (SAST) or interactive application security testing (IAST) of Application 1 reveals six vulnerabilities and static testing of Application 2 reveals seven vulnerabilities, which are contained within the consolidated vulnerabilities database 70. By looking at the data flows and control flows in each table, the method identifies where vulnerabilities terminate in shared code for both applications (the bottom rows 3 rows of each table), the inference being that the vulnerability exists because of that shared code and that fixing the shared code would result in the vulnerability being successfully remediated”].
Before the effective filing date of the claimed invention, it would have been obvious to a person having ordinary skill in the art to incorporate the teaching of Cornell et al. into the teaching of Patil and Holz with the motivation of identifying vulnerabilities in code shared between development teams to facilitate efficient remediation of such vulnerabilities as taught by Cornell et al. [Cornell et al. : par. 0003].
Regarding claim 3, the rejection of claim 1 is incorporated.
Cornell et al. further teaches indicating a confidence level of risk identification of at least one of the selected security requirements based on capability of the code scanner to verify a compliance state of the security requirement [par. 0022, “in step 90 the embodiment 58 next determines the strength of the identification and generates a set of confidence-scored shared vulnerabilities 96. Vulnerability confidence scoring is accomplished by taking into account a number of the characteristics of the shared vulnerabilities and giving those characteristic different weights [Weight.sub.Match Count, Weight.sub.Application Count], leading to a confidence score [Confidence Score]. Shared vulnerability characteristics that could be used might include, for example, the number of matching data or control flow elements shared in common for the vulnerabilities [Match Count], the number of applications in which these vulnerabilities are found [Application Count], and the SAST or IAST technologies that identified individual results [Relative Value.sub.Technology Type]”].
Before the effective filing date of the claimed invention, it would have been obvious to a person having ordinary skill in the art to incorporate the teaching of Cornell et al. into the teaching of Patil and Holz with the motivation of identifying vulnerabilities in code shared between development teams to facilitate efficient remediation of such vulnerabilities as taught by Cornell et al. [Cornell et al. : par. 0003].
Regarding claim 5, the rejection of claim 1 is incorporated.
Patil further teaches each of the security requirements comprises instructions to address the security requirement [abs, “providing a recommendation for whether to implement the compliance check based at least in part on the reputation score assigned to the compliance check”].
Regarding claim 6, the rejection of claim 1 is incorporated.
Holz further teaches scanning code of the software application with a plurality of code scanners [par. 0033, “For example and with reference now to FIG. 2, assume that the computer 101 introduced in FIG. 1 has multiple dynamic application scanning routines 202 and multiple static source code scanning routines 204, which may be accessed by or may be part of the PICS 147 introduced in FIG. 1. The multiple dynamic application scanning routines 202 are designed to identify and/or solve issues with the application-based operation of the computer 101 (e.g., XSS attacks, DDOS attacks, etc.), while the multiple static source code scanning routines 204 are designed to identify and/or correct improper changes to source code running on the computer 101”].
Before the effective filing date of the claimed invention, it would have been obvious to a person having ordinary skill in the art to incorporate the teaching of Holz into the teaching of Patil with the motivation of ranking security scanning routines based on vulnerability information from third party resources as taught by Holz [Holz: par. 0001].
Regarding claim 7, the rejection of claim 1 is incorporated.
Patil further teaches validating that a security requirement has been verified using the instructions to address the security requirement [col. 1, lines 49-56, “the instant disclosure generally relates to systems and methods for evaluating compliance checks. In particular, embodiments of the instant disclosure may analyze the compliance checks deployed within an organization (or organizations) in order to determine their prevalence, source, and/or efficacy and then provide recommendations for implementing the same based on this information”].
Regarding claim 8, the rejection of claim 1 is incorporated.
Holz further teaches the at least one code scanner is one or more of a static application security testing tool, dynamic application security testing tool, interactive application security testing scanners, runtime application security protection scanner, and an Application Vulnerability Correlation (AVC) tool [par. 0033, “For example and with reference now to FIG. 2, assume that the computer 101 introduced in FIG. 1 has multiple dynamic application scanning routines 202 and multiple static source code scanning routines 204, which may be accessed by or may be part of the PICS 147 introduced in FIG. 1. The multiple dynamic application scanning routines 202 are designed to identify and/or solve issues with the application-based operation of the computer 101 (e.g., XSS attacks, DDOS attacks, etc.), while the multiple static source code scanning routines 204 are designed to identify and/or correct improper changes to source code running on the computer 101”].
Before the effective filing date of the claimed invention, it would have been obvious to a person having ordinary skill in the art to incorporate the teaching of Holz into the teaching of Patil with the motivation of ranking security scanning routines based on vulnerability information from third party resources as taught by Holz [Holz: par. 0001].
Regarding claim 10, the rejection of claim 1 is incorporated.
Patil further teaches confirming the verified compliance state with a human check [col. 11, lines 34-37, “These tests may include a test based on user reviews of the compliance check and tests based on a number of reported incidents related to devices where the compliance check is active”].
Regarding claim 11, the rejection of claim 1 is incorporated.
Patil further teaches assigning at least one security requirement with a verified compliance state with a verification status which is one of a plurality of status levels [see fig. 5, col. 17, lines 48-52, “The virtual reputation module may then highlight the display of those high-reputation compliance checks in top panel 520, or otherwise display an indication of which high-reputation compliance checks satisfy the reputation threshold”].
Regarding claim 12, the rejection of claim 1 is incorporated.
Patil further teaches the environment of the software application is one or more of a coding environment and a system environment [col. 8, lines 16-30, “three group computers may be included within system 100: a financial group computer 401, a medical group computer 403, and an order processing group computer 405… financial group computer 401 may include three registered compliance standards”].
Regarding claim 13, the rejection of claim 1 is incorporated.
Patil further teaches identifying a new security requirement for the software application; scanning the software code of the software application with the code scanner; determining if the new security requirement is adequately identified by the code scanner; and updating the task list based on identification of the new security requirement [see fig. 5, col. 3, lines 41-59, “The systems described herein may also add an additional compliance standard to the group of compliance standards and update the reputation score assigned to the compliance check based at least in part on the additional compliance standard. For example, these exemplary systems may calculate a reputation score for a compliance check based at least in part on how prevalent the compliance check is. The prevalence of the compliance check may represent an absolute or relative frequency of the compliance check among registered and/or activated compliance checks. For example, once a user registers a compliance standard that includes a particular compliance check, the exemplary systems may update a prevalence score (or information indicating prevalence) based on the newly-added compliance standard. Because the particular compliance check is now included within an additional compliance standard (which was just registered), the particular compliance check's prevalence score may increase, and its reputation score may also, therefore, increase”].
Regarding claim 14, the rejection of claim 1 is incorporated.
Patil further teaches generating a standards report identifying each security requirement of the software application and how each security requirement has been met [see fig. 5, col. 17, lines 48-52, “The virtual reputation module may then highlight the display of those high-reputation compliance checks in top panel 520, or otherwise display an indication of which high-reputation compliance checks satisfy the reputation threshold”].
Regarding claim 15, the rejection of claim 1 is incorporated.
Patil further teaches the database of security elements comprises regulatory elements [ col. 8, lines 53-54, “HIPAA standard”].
Regarding claim 16, the rejection of claim 1 is incorporated.
Holz further teaches prioritizing the security requirements based on security risk [par. 0035, par. 0050, “The one or more processors then filter and rank the system vulnerabilities using the description of real-time trends for multiple computer security issues to further establish the order of priority for running each of the multiple security routines”].
Before the effective filing date of the claimed invention, it would have been obvious to a person having ordinary skill in the art to incorporate the teaching of Holz into the teaching of Patil with the motivation of ranking security scanning routines based on vulnerability information from third party resources as taught by Holz [Holz: par. 0001].

Regarding claim 17, the rejection of claim 1 is incorporated.
Patil further teaches regenerating the task list by updating at least one of the selected security requirements [see fig. 5, col. 3, lines 41-59, “The systems described herein may also add an additional compliance standard to the group of compliance standards and update the reputation score assigned to the compliance check based at least in part on the additional compliance standard. For example, these exemplary systems may calculate a reputation score for a compliance check based at least in part on how prevalent the compliance check is. The prevalence of the compliance check may represent an absolute or relative frequency of the compliance check among registered and/or activated compliance checks. For example, once a user registers a compliance standard that includes a particular compliance check, the exemplary systems may update a prevalence score (or information indicating prevalence) based on the newly-added compliance standard. Because the particular compliance check is now included within an additional compliance standard (which was just registered), the particular compliance check's prevalence score may increase, and its reputation score may also, therefore, increase”].
Holz teaches prioritizing the security requirements based on security risk [par. 0035, par. 0050, “The one or more processors then filter and rank the system vulnerabilities using the description of real-time trends for multiple computer security issues to further establish the order of priority for running each of the multiple security routines”].
Before the effective filing date of the claimed invention, it would have been obvious to a person having ordinary skill in the art to incorporate the teaching of Holz into the teaching of Patil with the motivation of ranking security scanning routines based on vulnerability information from third party resources as taught by Holz [Holz: par. 0001].
Regarding claim 18, the rejection of claim 1 is incorporated.
Patil further teaches the code scanner identifies at least one software context relating to the environment of the software application [col. 8, lines 16-30, “three group computers may be included within system 100: a financial group computer 401, a medical group computer 403, and an order processing group computer 405”, col. 8, lines 53-54, “Medical group computer 403 may include… HIPAA standard”].
Regarding claim 19, the rejection of claim 1 is incorporated.
Holz teaches prioritizing the selected security requirements based on security risk, expedient order for software design, lifecycle stage of the project or software, test coverage by code scanners, or a combination thereof [par. 0044, “the security routines are sorted according to the severity of the attacks that they are designed to address”, par. 0050, “The one or more processors then filter and rank the system vulnerabilities using the description of real-time trends for multiple computer security issues to further establish the order of priority for running each of the multiple security routines”].
Before the effective filing date of the claimed invention, it would have been obvious to a person having ordinary skill in the art to incorporate the teaching of Holz into the teaching of Patil with the motivation of ranking security scanning routines based on vulnerability information from third party resources as taught by Holz [Holz: par. 0001].
Regarding claim 20, it recites limitations similar to claim 1. The reason for the rejection of claim 1 is incorporated herein.
Regarding claim 21, it recites limitations similar to claim 1. The reason for the rejection of claim 1 is incorporated herein.

Claims 4 and 9 are rejected under 35 U.S.C. 103 as being unpatentable over Patil (US 8584247 B1), Holz (US 2018/0165457 A1) and Cornell et al. (US 2018/0176245 A1) as applied to claims ** above, and further in view of Wysopal et al. (US 2012/0072968 A1).
Regarding claim 4, the rejection of claim 1 is incorporated.
Patil, Holz and Cornell et al. disclose identifying at least one code vulnerability identified by the at least one security scanner.
They do not explicitly disclose identifying at least one code vulnerability not identified by the at least one security scanner.
However, Wysopal et al. teaches identifying at least one code vulnerability not identified by the at least one security scanner [par. 0065, “the prevalence of certain code across an enterprise or industry (e.g., commonly-used open source components, for example) is tracked over time and periodic updates may be sent to developers know to be using the code if newly discovered issues (technical, legal or both) are identified”, par. 0073].
Before the effective filing date of the claimed invention, it would have been obvious to a person having ordinary skill in the art to incorporate the teaching of Wysopal et al. into the teaching of Patil, Holz and Cornell et al. with the motivation to handle the situation when newly discovered issues (technical, legal or both) are identified as taught by Wysopal et al. [Wysopal et al.: par. 0065].
Regarding claim 9, the rejection of claim 1 is incorporated.
Patil, Holz and Cornell et al. disclose identifying at least one code vulnerability identified by the at least one security scanner.
They do not explicitly disclose confirming the verification with an additional code scanner.
However, Wysopal et al. teaches confirming the verification with an additional code scanner [par. 0073, “Different types of analysis (e.g., automated, manual, static, dynamic, etc.) have different false negative rates because they are either unable to detect particular security defects (100% false negative rate) or they have varying levels of false negatives depending on the threat. As a result, introducing additional security analysis processes into the workflow lowers the false negative rate”].
Before the effective filing date of the claimed invention, it would have been obvious to a person having ordinary skill in the art to incorporate the teaching of Wysopal et al. into the teaching of Patil, Holz and Cornell et al. with the motivation to lower the false negative rate as taught by Wysopal et al. [Wysopal et al.: par. 0073].


Conclusion
The prior art made of record and not relied upon is considered pertinent to Applicant’s disclosure:
US 10540502 B1		Software Assurance For Heterogeneous Distributed Computing Systems
US 20180293386 A1		SECURITY SCANNING OF APPLICATION PROGRAM INTERFACES THAT ARE AFFECTED BY CHANGES TO SOURCE CODE
US 20180198814 A1		IDENTIFYING SECURITY RISKS IN CODE USING SECURITY METRIC COMPARISON
US 20170154183 A1		Systems And Methods For Software Security Scanning Employing A Scan Quality Index
US 20050132188 A1		Methods And Systems For Determining Security Requirements For An Information Resource
US 6535227 B1		System And Method For Assessing The Security Posture Of A Network And Having A Graphical User Interface
US 20180285571 A1		AUTOMATIC DETECTION OF AN INCOMPLETE STATIC ANALYSIS SECURITY ASSESSMENT


Any inquiry concerning this communication or earlier communications from the examiner should be directed to JASON CHIANG whose telephone number is (571)270-3393.  The examiner can normally be reached from 9 AM to 6 PM.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Lynn Feild can be reached on (571) 272-2092.  The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system.  Status information for published applications may be obtained from either Private PAIR or Public PAIR.  Status information for unpublished applications is available through Private PAIR only.  For more information about the PAIR system, see http://pair-direct.uspto.gov. Should you have questions on access to the Private PAIR system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative or access to the automated information system, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.



/JASON CHIANG/Primary Examiner, Art Unit 2431