EXAMINER’S AMENDMENT
An examiner’s amendment to the record appears below. Should the changes and/or additions be unacceptable to applicant, an amendment may be filed as provided by 37 CFR 1.312. To ensure consideration of such an amendment, it MUST be submitted no later than the payment of the issue fee.
Authorization for this examiner’s amendment was given in an interview with Adam Chapin, registration no. 66712 on 8/23/2022.
The application has been amended as follows: 
In Claims
Cancel claim 2
Cancel claim 14
Cancel claim 19

1. (Currently Amended) A method of testing an application for security vulnerabilities, the application having binary and/or source code representations, the method comprising:
(a) executing, by using a computer system, a static test process by subjecting the binary and/or source code representations to static testing to generate raw static test results, 
the raw static test results indicating one or more potential security weaknesses in the application, at least one of the one or more potential security weaknesses being a false-positive;
(b) executing, by using the computer system, a dynamic test process to dynamically generate, for each corresponding potential security weakness of the one or more potential security weaknesses in the application indicated by the raw static test results, 
a corresponding dynamic test set, including one or more dynamic test cases, each dynamic test set being generated in dependence on (i) the corresponding potential security weakness indicated from the raw static test results, and (ii) lookups to a weakness data set, an application context data set, and an attack pattern data set, 
wherein the weakness data set includes an enumeration of different weakness types and descriptions thereof, the application context data set includes information specific to the application, and the attack pattern data set includes information about how to generate attacks for the different weakness types enumerated in the weakness data set;
(c) subjecting an instance of the application running in a test runtime environment to execution of the generated dynamic test case(s) to generate dynamic test results, 
the dynamic test results indicating whether each of the one or more potential security weakness is a verified security weakness of the application, the dynamic test results including fewer false-positives than the raw static test results; and
(d) generating, based on execution of the generated dynamic test case(s), a listing of each verified security weakness of the application from among the one or more potential security weaknesses indicated in the application via the raw static test results,
wherein the listing of verified security weakness(es) of the application includes, for each verified security weakness, an indication of a location of where in the binary and/or source code representation(s) the respective verified security weakness occurs.

13. (Currently Amended) A non-transitory computer readable storage medium tangibly storing a program for testing an application for security vulnerabilities, the application having binary and/or source code representations, the program, when executed by a computing system including at least one processor, performing functionality comprising:
(a) executing a static test process by subjecting the binary and/or source code representations to static testing to generate raw static test results, 
the raw static test results indicating one or more potential security weaknesses in the application, at least one of the one or more potential security weaknesses being a false-positive;
(b) executing a dynamic test process by dynamically generating, for each corresponding potential security weakness of the one or more potential security weaknesses in the application indicated by the raw static test results, 
a corresponding dynamic test set, including one or more dynamic test cases, each dynamic test set being generated in dependence on (i) the corresponding potential security weakness, and (ii) lookups to a weakness data set, an application context data set, and an attack pattern data set,
wherein the weakness data set includes an enumeration of different weakness types and descriptions thereof, the application context data set includes information specific to the application, and the attack pattern data set includes information about how to generate attacks for the different weakness types enumerated in the weakness data set;
(c) subjecting an instance of the application running in a test runtime environment to execution of the generated dynamic test case(s) to generate dynamic test results, 
the dynamic test results indicating whether each of the one or more potential security weakness is a verified security weakness of the application, the dynamic test results including fewer false positives than the raw static test results; and
(d) generating, based on execution of the generated dynamic test case(s), a listing of each verified security weakness of the application from among the one or more potential security weaknesses indicated in the application via the raw static test results,
wherein the listing of verified security weakness(es) of the application includes, for each verified security weakness, an indication of a location of where in the binary and/or source code representation(s) the respective verified security weakness occurs.

18. (Currently Amended) A computing system for testing an application for security vulnerabilities, the application having binary and/or source code representations, the computing system comprising:
at least one processor; and
a first electronic interface to an instance of the application running in a test runtime environment;
the at least one processor being configured to control the computing system to at least:
	(a) execute a static test process by subjecting the binary and/or source code representations to static testing to generate raw static test results,
 the raw static test results indicating one or more potential security weaknesses in the application, at least one of the one or more potential security weaknesses being a false-positive;
	(b) executing a dynamic test process by dynamically generating, for each corresponding potential security weakness of the one or more potential security weaknesses in the application indicated by the raw static test results, 
a corresponding dynamic test set, including one or more dynamic test cases, each dynamic test set being generated in dependence on (i) the corresponding potential security weakness indicated from the raw static test results, and (ii) lookups to a weakness data set, an application context data set, and an attack pattern data set, 
wherein the weakness data set includes an enumeration of different weakness types and descriptions thereof, the application context data set includes information specific to the application, and the attack pattern data set includes information about how to generate attacks for the different weakness types enumerated in the weakness data set;
	(c) subject the instance of the application running in the test runtime environment to execution of the generated dynamic test case(s) to generate dynamic test results,
 the dynamic test results indicating whether each of the one or more potential security weakness is a verified security weakness of the application, the dynamic test results including fewer false positives than the raw static test results; and
	(d) generate, based on execution of the generated dynamic test case(s), a listing of each verified security weakness of the application from among the one or more potential security weaknesses indicated in the application via the raw static test results,
wherein the listing of verified security weakness(es) of the application includes, for each verified security weakness, an indication of a location of where in the binary and/or source code representation(s) the respective verified security weakness occurs.


Allowable Subject Matter
Claims 1, 3-13, 15-18 and 20-28 (renumbered 1-25) are allowed.
The following is an examiner’s statement of reasons for allowance: 
The arguments in applicant’s remarks filed on 8/2/2022 were fully considered and are persuasive. The applicant successfully argued that the cited prior art does not teach or suggest the limitation that dynamic tests are generated in dependence on the results from the static tests, specifically “in dependence on the corresponding potential security weakness indicated from the raw static test results, and lookups to a weakness data set, an application context data set, and an attack pattern data set” (remarks, pages 9-11).
Any comments considered necessary by applicant must be submitted no later than the payment of the issue fee and, to avoid processing delays, should preferably accompany the issue fee.  Such submissions should be clearly labeled “Comments on Statement of Reasons for Allowance.”
Conclusion

Any inquiry concerning this communication or earlier communications from the examiner should be directed to Anil Khatri whose telephone number is (571)272-3725. The examiner can normally be reached M-F 8:30-5:00.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, W Zhen can be reached on 571-272-3708. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.





/ANIL KHATRI/Primary Examiner, Art Unit 2191