DETAILED ACTION
 	Claims 13-18 and 21-23 are presented for examination.
 	Claims 1-12 and 19-20 are cancelled.

Notice of Pre-AIA  or AIA  Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA .

Drawings
Figures 4, 5 and 6 are objected to because they are blurry. Corrected drawings are required.

Rejections - 35 USC § 101

35 U.S.C. 101 reads as follows:
Whoever invents or discovers any new and useful process, machine, manufacture, or composition of matter, or any new and useful improvement thereof, may obtain a patent therefor, subject to the conditions and requirements of this title.


	Claims 13-18 and 21-23 are rejected under 35 U.S.C. 101 because they are directed to software per se.

Claim Rejections - 35 USC § 103
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.

Claims 13-18 and 21-23 are rejected under 35 U.S.C. 103 as being unpatentable over Elder et al (US Pub. No. 2014/0189873) in view of Zhang et al (US. Pub. No. 2018/0018459).

Re Claim 13. Elder discloses a system for security risk identification in a software application, the system comprising: a knowledge database comprising a plurality of security elements, each security element comprising an identification of a security risk and a recommended remediation task of the security risk (i.e. Risk analysis module 508 issues list of vulnerabilities query 520 to fix database 514. List of vulnerabilities query 520 includes the list of vulnerabilities from vulnerabilities datastore 536. In one embodiment, fix database 514 and vulnerabilities database 412 are part of the same database or data source……….., fix database 514 includes a list of fixes or patches that are mapped to each vulnerability. For each vulnerability there can be a variety of fixes including hotfixes, security rollups, and service packs for any number of different vulnerable versions of the product or products suffering that vulnerability) [Elder, para.0040-0041]; a security element selection module for selecting a plurality of security requirements from the security elements in the knowledge database (i.e. Risk analysis module 508 issues list of vulnerabilities query 520 to fix database 514. List of vulnerabilities query 520 includes the list of vulnerabilities from vulnerabilities datastore 536…………….   For each vulnerability there can be a variety of fixes including hotfixes, security rollups, and service packs…………………………….Fix database 514 returns list of fixes 522. List of fixes 522 is used to filter the list of vulnerabilities stored in vulnerabilities datastore 536. For example, if a word processor program vulnerability is included in list of vulnerabilities query 520 and fix database 514 includes a fix for the vulnerability, that fix will be part of list of fixes 522) [Elder, para.0040-0042]; 
 	Elder does not explicitly disclose: a code scanner for identifying at least one code vulnerability in the software application code (i.e. A static analysis engine 252 may check for developer certificate signatures, malicious keywords in strings of binary codes, URLs, malicious domain names, known functions calls used in malware, sections of mobile application machine codes or other features of known malicious codes. A static analysis engine 252 may parse the binary code to identify different software components, and then analyze the software components and their functionality and structure for maliciousness or vulnerability) [Zhang, para.0034], 
	It would have been obvious to a person having ordinary skill in the art before the effective filing date of the invention to modify Elder with Zhang because Zhang’s system may include instrumentations that block the application program from performing any malicious behavior. The application program may be identified as malware by malware detection methods that perform static and dynamic analysis of the application program on the analysis system [Zhang, Abstract].
 	Elder further discloses: the at least one code vulnerability associated with at least one of the security requirements (i.e. fix database 514 includes a list of fixes or patches that are mapped to each vulnerability. For each vulnerability there can be a variety of fixes including hotfixes, security rollups, and service packs for any number of different vulnerable versions of the product or products suffering that vulnerability) [Elder, para. 0041]; a prioritization engine for prioritizing the plurality of selected security requirements, the prioritizing based on the security risk of each of the selected security requirements; and a task list generator for generating a task list for the software project, the task list comprising a prioritized list of the selected security requirements (i.e. perform automatic risk analysis, as described herein, that allows a user to be presented with actionable intelligence that can be used to prioritize remediation activities including: the host with the highest risk tuple in the enterprise, the product that contributes the most to the overall enterprise risk score, the vulnerability that contributes the most to the overall enterprise risk score) [Elder, para.0054].

Re Claim 14. Elder in view of Zhang discloses the system of claim 13, Elder further discloses: comprising a verification module for updating at least one of selected security requirements [in the task list] once the recommended remediation task has been completed (i.e. If risk analysis module 508 determines that the fix for the word processor program vulnerability is installed, the vulnerability is removed from vulnerabilities datastore 536) [Elder, para.0042].
	Elder in view of Zhang does not explicitly teach that the update is specifically in the task list however it would have been obvious to a person having ordinary skill in the art before the effective filing date of the invention to modify Elder in view of Zhang to include updating security requirements in the task list because Elder teaches updating the vulnerabilities; and since the task list or remediations are performed for existing vulnerabilities, removing/updating a vulnerability yields an expected result of removing/updating a corresponding security requirements in the task list.

Re Claim 15. Elder in view of Zhang discloses the system of claim 13, Elder in view of Zhang further discloses: wherein the prioritization [Elder, as in claim 1] engine identifies security requirements that are ineffectively identified by the code scanner (i.e. A basic block is a straight-line piece of or a small section of code from the source code building the operating system binary image. The basic block may reveal the actions an application calls in its activity or service and can be used to trace the control flow inside a complied application binary package. The control flow graph therefore can be analyzed to reveal dependencies among basic blocks. As such, a software application package in which malicious code is hidden and cannot be detected by the static analysis engine 206 can be detected because the malicious behavior can be detected by analyzing the control flow graph) [Zhang, para.0043].
	The same motivation to modify with Zhang, as in claim 1, applies.

Re Claim 16. Elder in view of Zhang discloses the system of claim 13, Zhang further discloses: wherein the code scanner is one or more of a static application security testing tool, dynamic application security testing tool, interactive application security testing scanner, and a runtime application security protection scanner (i.e. The static classification system 250 classifies a software application package as benign or malicious by using a static analysis of the software application package) [Zhang, para.0034].
 	The same motivation to modify with Zhang, as in claim 1, applies.

Re Claim 17. Elder in view of Zhang discloses the system of claim 13, Zhang further discloses: comprising multiple security assessment code scanners, Application Vulnerability Correlation tools, or a combination thereof (i.e. The static classification system 250 includes one or more static analysis engines 252 that analyze the object code of the software application package) [Zhang, para.0034].
The same motivation to modify with Zhang, as in claim 1, applies.

Re Claim 18. Elder in view of Zhang discloses the system of claim 13, Zhang further discloses: further comprising a plurality of code scanners, wherein each of the plurality of code scanners is one or more of a static application security testing tool, dynamic application security testing tool, interactive application security testing scanners, runtime application security protection scanner, and an Application Vulnerability Correlation (AVC) tool (i.e. The software application package is classified by one or more classification systems 250, 260, 270 included in the analysis system 140. Each classification system classifies the software application package into a category (e.g., benign or malicious)……………the classification systems include static classification systems 250 and dynamic classification systems 260. One of ordinary skill in the art would appreciate that the analysis system 140 can include classification systems 270 that use other techniques to classify an application) [Zhang, para.0033].
 The same motivation to modify with Zhang, as in claim 1, applies.

Re Claim 21. Elder in view of discloses the system of claim 13, Zhang further discloses: wherein each identified code vulnerability is mapped to at least one individual code scanner (i.e. application layer classification module 608 each observe and monitor behaviors of the application program at different layers and categorize the application program based on the observed behaviors during the application program's execution on the client device 400. That is, each of these layers collects different information related to the behavior of the application program at the corresponding layer and determines whether the observed behavior collection is benign or malicious. Each layer includes a data collection module (e.g., a signal collection module 610, a system call collection module 620, an action collection module 530, or a log collection module 640) that accesses and collects data related to executing behavior such as API calls, system logs, data objects access logs, etc.) [Zhang, para. 0065].
 	The same motivation to modify with Zhang, as in claim 1, applies.

Re Claim 22. Elder in view of discloses the system of claim 13, Elder further discloses: wherein the prioritization engine prioritizes the plurality of selected security requirements based on security risk, expedient order for software design, lifecycle stage of the project or software, test coverage by code scanners, or a combination thereof (i.e. perform automatic risk analysis, as described herein, that allows a user to be presented with actionable intelligence that can be used to prioritize remediation activities including: the host with the highest risk tuple in the enterprise, the product that contributes the most to the overall enterprise risk score, the vulnerability that contributes the most to the overall enterprise risk score) [Elder, para.0054].
 
Re Claim 23. Elder in view of discloses the system of claim 13, Elder in view of Zhang further discloses: wherein the prioritization [Elder, as in claim 1] engine identifies security requirements that do not have an associated code vulnerability identified by the security assessment code scanner, identifying a likelihood of a false negative result of the security assessment code scanner  (i.e. A basic block is a straight-line piece of or a small section of code from the source code building the operating system binary image. The basic block may reveal the actions an application calls in its activity or service and can be used to trace the control flow inside a complied application binary package. The control flow graph therefore can be analyzed to reveal dependencies among basic blocks. As such, a software application package in which malicious code is hidden and cannot be detected by the static analysis engine 206 can be detected because the malicious behavior can be detected by analyzing the control flow graph) [Zhang, para.0043].
 	The same motivation to modify with Zhang, as in claim 1, applies.




Prior art made of record, however not relied upon, includes: 

Satish (US Patent No. 9,058,492) describes a vulnerability reduction module that may identify potential vulnerabilities associated with a binary and/or one or more processes associated with a binary. Vulnerabilities may include exploitable code (e.g., gadgets). Vulnerabilities may be ranked and/or identified according to one or more of: severity, popularity with hackers, targeting of a vulnerability by a hacker tool (e.g., a toolkit), compliance with Address Space Layout Randomization (ASLR) of address space in which vulnerable code is loaded or is going to be loaded, a determination that bytes of vulnerable code are aligned, and a determination that bytes of vulnerable code are unaligned. According to some embodiments, binary vulnerability reduction module may identify vulnerable code in order of a ranking or priority. For example, vulnerabilities most likely to be exploited may be identified first [Satish, col.5,6].

Cole et al (US Pub. No. 2004/0015728) describes a system and method provide comprehensive and highly automated testing of vulnerabilities to intrusion on a target network, including identification of operating system, identification of target network topology and target computers, identification of open target ports, assessment of vulnerabilities on target ports, active assessment of vulnerabilities based on information acquired from target computers, quantitative assessment of target network security and vulnerability, and hierarchical graphical representation of the target network, target computers, and vulnerabilities in a test report. 

Conclusion
Any inquiry concerning this communication or earlier communications from the examiner should be directed to NOURA ZOUBAIR whose telephone number is (571)270-7285. The examiner can normally be reached Monday - Friday.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Kambiz Zand can be reached on 571-272-3811. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.





/NOURA ZOUBAIR/Primary Examiner, Art Unit 2434