DETAILED ACTION

Notice of Pre-AIA  or AIA  Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA .

Response to Amendment
	The amendment filed October 17 2022 has been entered. Applicant amended claims 1,2, 5, 8-10, 13, and 16-18. Accordingly, claims 1-20 remain pending.
	Applicant’s amendment to the abstract and specification overcomes the abstract and specification objections of July 15 2022. Therefore, the abstract and specification objections are withdrawn.
Applicant’s amendment to the claims overcomes the 35 USC 112(b) rejection of July 15 2022 for claims 1-8. Thus, the 35 USC 112(b) rejection of July 15 2022 is withdrawn for claims 1-8.  However, the 35 USC 112(b) rejection remains outstanding for claims 9 -20, because independent claims 9 and 17 still recite in the last line “the core code” which result in insufficient antecedent basis for the limitation.

Response to Arguments
Applicant’s arguments, see page 9, filed October 17 2022, with respect to the abstract and specification objections have been fully considered and are persuasive.  The abstract and specification objections of July 15 2022 have been withdrawn. 
Applicant’s arguments, see pages 9-10, filed October 17 2022, with respect to the 35 USC 112(b) rejection have been fully considered.  The 35 USC 112(b) rejection of July 15 2022 has been withdrawn for claims 1-8.  However, the 35 USC 112(b) rejection remains outstanding for claims 9 -20 because independent claims 9 and 17 still recite in the last line “the core code”, resulting in insufficient antecedent basis for the limitation.

Applicant's arguments filed October 17 2022 with respect to the 35 USC 103 rejection  have been fully considered but they are not persuasive. 
On page 10, Applicant alleges, “…the cited references fail to disclose, teach, or suggest at least ‘wherein the scoring is based at least in part on a change from a prior version of the core code component, a likelihood value, and a personally identifiable information type’ as claimed.” This is not persuasive. Balasubramanian reveals in paragraph 142 that pattern of risks is determined based on correlations between an attribute of the system state and the level of security risk to the monitored application. The system may determine that recent updates (versions) in the system results in an increased security risk of unauthorized access to the system. Paragraph 186 also discloses a health report that provides a health score that is based on system/operating state and corresponds to the likelihood that current attributes of a dependency application may cause the monitored application to enter into an unhealthy state. Examples of what is included in dependency applications are provided in paragraph 44, wherein paragraph 44  of Balasubramanian reveals an application can have three dependencies services/applications, and these services/applications can include user address information and/or account authentications which are PII types. 
Therefore, applying the broadest reasonable interpretation, Balasubramanian discloses scoring that is based  at least in part on a change from a prior version of the core code component (paragraph 142 discloses the system determine recent updates/versions in the system that results in an increase security risk, thus per paragraph 186 corresponds to the system state), a likelihood value (paragraph 186 discloses score is corresponds to the likelihood that current attributes of dependency application may cause the monitored application to enter into an unhealthy state), and a PII type (paragraph 44 discloses the dependency applications include PII type data such as user address information and/or account authentications).
In addition, Alsharif discloses in paragraphs 93-94 a database that stores vulnerability record which include data such as software patch version, security scan or analysis, location identifier (paragraph 36 of Alsharif discloses location identifier can be physical address, thus a PII type).  The data from the database is used to compute vulnerability score and severity level field/likelihood value. Paragraph 101 of Alsharif discloses the severity adjustment matrix/likelihood value is used to adjust the ranking/scoring value (paragraph 97 of Alsharif reveals the ranking is provided to determine vulnerability score(s)).

On page 11, Applicant alleges “…the cited portions of Balasubramanian fail to disclose, teach, or suggest at least that the scoring ‘is based at least in part on a change from a prior version of the core code component, a likelihood value, and a personally identifiable information type’ as claimed”. This is not persuasive, please see paragraph above which discusses additional cited portions of Balasubramanian that teaches “the scoring is based at least in part on a change from a prior version of the core code component, a likelihood value, and a personally identifiable information type” as claimed.

Further on page 11, Applicant alleges, “[f]or at least the foregoing reasons, Applicant respectfully submits that independent claims 1, 9, and 17 are novel and non-obvious the art of record and that these claims are therefore in condition for allowance. Applicant respectfully request reconsideration and withdrawal of these rejections”. This is not persuasive, please see paragraphs above.

Further on page 11, Applicant alleges, “[d]ependent claims 2-8, 10-16, and 18-20, on their own merits and in view of their dependence on claims 1, 9, or 17 are novel and patentable over Balasubramanian and Podjarny….Applicant submits that the addition of Alsharif fails to cure the deficiencies of Balasubramanian and Podjarny as discussed above. Applicant respectfully requests reconsideration and withdrawal of these rejections. For this reason, Applicant respectfully requests that the rejection of claims 1-20 be withdrawn”. This is not persuasive, please see paragraphs above.

Claim Rejections - 35 USC § 112
The following is a quotation of 35 U.S.C. 112(b):
(b)  CONCLUSION.—The specification shall conclude with one or more claims particularly pointing out and distinctly claiming the subject matter which the inventor or a joint inventor regards as the invention.




Claims are 9-20 rejected under 35 U.S.C. 112(b) as being indefinite for failing to particularly point out and distinctly claim the subject matter which the inventor or a joint inventor regards as the invention.
Claims 9 and 17 recites the limitation "the core code" in the last line of the respective claims.  There is insufficient antecedent basis for this limitation in claims 9 and 17.
Claims 10-16 are rejected under 35 USC 112(b) because said claims depend upon claim 9.
Claims 18-20 are rejected under 35 USC 112(b) because said claims depend upon claim 17.


Claim Rejections - 35 USC § 103
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.

Claim(s) 1-4, 6-12, 14-20 is/are rejected under 35 U.S.C. 103 as being unpatentable over Balasubramanian et al US 20200409825 (hereinafter Balasubramanian) in view of Podjarny et al US 20180260301 (hereinafter Podjarny).

As to claim 1, Balasubramanian teaches a computer-implemented method (Figure 5) for privacy change risk remediation for dependent product code (paragraph 142 discloses method that detect a level of security risk to the monitored application, such that the system may determine whether recent updates to a framework in the system results in an increase security risk of unauthorized access to the system), the method comprising: 
scanning, by a processing device, a code dependency list and core code components (Figure 5, reference number 505 “Determine dependencies of target application” and paragraph 66 discloses the monitoring device may determine dependencies of a target/monitored application; reference number 510 “Build dependency tree for target application”) and a hierarchy of a core code component (paragraph 64 disclose the monitoring application check the operating status of each first level dependency of the monitored application, when a first level dependency is identified as having errors, the monitoring application may proceed down a layer to check operating status of each second level dependencies); 
pulling, by the processing device, data of the core code component using the scanned code dependency list (Figure 5, step 520 “Determine monitoring interfaces corresponding to target application” and paragraph 70 discloses “capturing a Splunk query and query file associated with a monitoring interface application”, the capture query file is the pulling of data) ; 
[determining], by the processing device, for each dependency of the code dependency list, information from the data (Figure 5, reference number 530 “Determine monitoring interfaces corresponding to dependencies” and paragraphs 71-72) ; 
scoring, by the processing device, the information for a version of the core code component to detect a likelihood of user data posture changes,(Figure 5, step 550 “Generate health report for target application and dependencies” and paragraph 77 discloses the monitoring application may generate a health report for the target application and its dependencies based on the determined operating statuses; see also paragraph 166 which disclose the monitoring application device may observe different changes after detecting unhealthy operating status event; paragraph 142 discloses the system assessed a pattern of risk to the monitored application; and monitor and determine recent updates to an authentication framework. Paragraph 44 discloses the authentication consist of user data posture changes such as account authentications data, user address information), wherein the scoring is based at least in part on change from a prior version of the core code component(paragraph 142 discloses the system determine recent updates/versions in the system that results in an increase security risk, thus per paragraph 186 corresponds to the system state), a likelihood value(paragraph 186 discloses score is corresponds to the likelihood that current attributes of dependency application may cause the monitored application to enter into an unhealthy state), and a personally identifiable information type(paragraph 44 discloses the dependency applications include PII type data such as user address information and/or account authentications); and 
enforcing, by the processing device, a compensating control for the core code component (paragraph 78 discloses when detection of error trends arises, alerts will surface for the administrator to address).
Balasubramanian does not teach extracting, by the processing device, for each dependency of the code dependency list, information from the data.
  	Podjarny teaches extracting, by the processing device, for each dependency of the code dependency list, information from the data (paragraph 12 discloses extracting from the application files, the list of dependencies and obtaining a package specification and extrapolating the list of dependencies based on the package specification; paragraph 10 discloses method is performed by a processing apparatus). 
	It would have been obvious to one having ordinary skill in the art before the effective filing date of the claimed invention to modify Balasubramanian’s  method for privacy change risk remediation with Podjarny’s teaching of extracting information from the list of dependencies to prevent, detect, and report potential security flaws of new software packages/versions  (paragraph 10 of Podjarny).

	As to claim 2, the combination of Balasubramanian in view of Podjarny teach wherein the data of the core code component comprises core data(Balasubramanian: paragraph 10 discloses both data lineage documentation which is documentation data and a dependency tree which is core data, core data is understood as a framework for managing collection of interconnected data/object), binary data(Podjarny: paragraph 4 discloses the data components include: ImageMagick binary and library file directory data which is the binary data), library data (Podjarny: paragraph 4 discloses the data components include: Open SSL library file directory which is mapped to the library data limitation), source data(Podjarny: paragraph 4 discloses the data components include: ImageMagick library which includes source code/source data; paragraph 8 discloses the dependencies include open source software and thus is the source data), and documentation data (Podjarny: paragraph 4 discloses the data components include: Apache server which includes log data and is documentation data ).  

As to claim 3, the combination of Balasubramanian in view of Podjarny teach wherein the information comprises interface parameters, user indicators, and output avenues (Podjarny: paragraph 114 discloses the dependency analyzer may crawl monitoring interfaces; paragraph 53 discloses checking of key performance indicators; paragraph 19 disclose monitoring updates in the flaws database).

	As to claim 4, the combination of Balasubramanian in view of Podjarny teach wherein the compensation control is at least one of a revert dependency action, a manage dependency action, an alert, and a block deployment action(Balasubramanian: paragraph 78 discloses when detection of error trends arises, alerts will surface for the administrator to address).

	As to claim 6, the combination of Balasubramanian in view of Podjarny teach wherein the pulling is performed using a central repository, or a set of product archive files, or deliverables (Balasubramanian: paragraph 70 disclose the pulling/capturing is performed base on deliverable by the administrator).
	
As to claim 7, the combination of Balasubramanian in view of Podjarny teach wherein the pulling is performed with respect to a prior bundled version, a current version, and an upversion (Balasubramanian: paragraph 71 discloses the system may leverage prior configuration and claim 13 discloses pulling/monitoring is with respect to an updated version; Podjarny: paragraph 17 disclose the extracted data provides version indication, and per paragraph 29 the version indication is one of a minimal version number, a maximal version number, version compatible with another identified version, and a range of versions, see also paragraph 74).

As to claim 8, the combination of Balasubramanian in view of Podjarny teach further comprising: generating a change indicator between data of versions of a reference (Balasubramanian: paragraph 142 discloses the system monitor and determine recent updates to an authentication framework), the data of versions of the reference comprising: 
the personally identifiable information type (Balasubramanian: paragraph 44 discloses the authentication consist of account authentications data, user address information) ;  the
personally identifiable information output location(Balasubramanian: paragraph 44 discloses output service such as a third party transaction processor); 
path to output location(Balasubramanian: paragraph 47 discloses the service may be output by the monitoring application); 
likelihood of storage output(Balasubramanian: paragraph 47 discloses service may be output by the monitoring application); and 
a change from a prior version(Balasubramanian: paragraph 142 discloses the system monitor and determine recent updates to an authentication framework).
 
As to claim 9, Balasubramanian teaches a system(Figure 1) comprising: 
a memory comprising computer readable instructions (Figure 1, reference number 121 “Memory”); and 
a processing device for executing the computer readable instructions (Figure 1, reference number 111 “Processor”), the computer readable instructions (paragraph 40 ) controlling the processing device to perform operations for privacy change risk remediation for dependent product code(paragraph 142 discloses method that detect a level of security risk to the monitored application, such that the system may determine whether recent updates to an framework in the system results in an increase security risk of unauthorized access to the system), the operations comprising: 
scanning a code dependency list (Figure 5, reference number 505 “Determine dependencies of target application” and paragraph 66 discloses the monitoring device may determine dependencies of a target/monitored application; reference number 510 “Build dependency tree for target application”) and a hierarchy of a core code component(paragraph 64 disclose the monitoring application check the operating status of each first level dependency of monitored application, when a first level dependency is identified as having errors, the monitoring application may proceed down a layer to check operating status of each second level dependencies);
 pulling data of the core code component using the scanned code dependency list(Figure 5, step 520 “Determine monitoring interfaces corresponding to target application” and paragraph 70 discloses “capturing a Splunk query and query file associated with a monitoring interface application); 
P201902255US01Page 26 of 29[determ[determining] for each dependency of the core code dependency list, information from the data (Figure 5, reference number 530 “Determine monitoring interfaces corresponding to dependencies” and paragraphs 71-72); 
scoring the information for a version of the core code component to detect a likelihood of user data posture changes(Figure 5, step 550 “Generate health report for target application and dependencies” and paragraph 77 discloses the monitoring application may generate a health report for the target application and its dependencies based on the determined operating statuses; see also paragraph 166 which disclose the monitoring application device may observe different changes after detecting unhealthy operating status event), wherein the scoring is based at least in part on change from a prior version of the core code component(paragraph 142 discloses the system determine recent updates/versions in the system that results in an increase security risk, thus per paragraph 186 corresponds to the system state), a likelihood value(paragraph 186 discloses score is corresponds to the likelihood that current attributes of dependency application may cause the monitored application to enter into an unhealthy state), and a personally identifiable information type(paragraph 44 discloses the dependency applications include PII type data such as user address information and/or account authentications); and 
enforcing a compensating control for the core code(paragraph 78 discloses when detection of error trends arises, alerts will surface for the administrator to address).
Balasubramanian does not teach extracting, for each dependency of the core code dependency list, information from the data.
  	Podjarny teaches extracting, for each dependency of the core code dependency list, information from the data (paragraph 12 discloses extracting from the application files, the list of dependencies and obtaining a package specification and extrapolating the list of dependencies based on the package specification; paragraph 10 discloses method is performed by a processing apparatus). 
	It would have been obvious to one having ordinary skill in the art before the effective filing date of the claimed invention to modify Balasubramanian’s  method for privacy change risk remediation with Podjarny’s teaching of extracting information from the list of dependencies to prevent, detect, and report potential security flaws of new software packages/versions  (paragraph 10 of Podjarny).

As to claim 10, the combination of Balasubramanian in view of Podjarny teach wherein the data of the core code component comprises core data(Balasubramanian: paragraph 10 discloses both data lineage documentation which is documentation data and a dependency tree which is core data, core data is understood as a framework for managing collection of interconnected data/object), binary data(Podjarny: paragraph 4 discloses the data components include: ImageMagick binary and library file directory data which is the binary data), library data (Podjarny: paragraph 4 discloses the data components include: Open SSL library file directory which is mapped to the library data limitation), source data(Podjarny: paragraph 4 discloses the data components include: ImageMagick library which includes source code/source data; paragraph 8 discloses the dependencies include open source software and thus is the source data), and documentation data (Podjarny: paragraph 4 discloses the data components include: Apache server which includes log data and is documentation data ).  

As to claim 11, the combination of Balasubramanian in view of Podjarny teach wherein the information comprises interface parameters, user indicators, and output avenues (Podjarny: paragraph 114 discloses the dependency analyzer may crawl monitoring interfaces; paragraph 53 discloses checking of key performance indicators; paragraph 19 disclose monitoring updates in the flaws database).

As to claim 12, the combination of Balasubramanian in view of Podjarny teach wherein the compensation control is at least one of a revert dependency action, a manage dependency action, an alert, and a block deployment action(Balasubramanian: paragraph 78 discloses when detection of error trends arises, alerts will surface for the administrator to address).

As to claim 14, the combination of Balasubramanian in view of Podjarny teach wherein the pulling is performed using a central repository, or a set of product archive files, or deliverables (Balasubramanian: paragraph 70 disclose the pulling/capturing is performed base on deliverable by the administrator).

As to claim 15, the combination of Balasubramanian in view of Podjarny teach wherein the pulling is performed with respect to a prior bundled version, a current version, and an upversion (Balasubramanian: paragraph 71 discloses the system may leverage prior configuration and claim 13 discloses pulling/monitoring is with respect to an updated version; Podjarny: paragraph 17 disclose the extracted data provides version indication, and per paragraph 29 the version indication is one of a minimal version number, a maximal version number, version compatible with another identified version, and a range of versions, see also paragraph 74).

As to claim 16, the combination of Balasubramanian in view of Podjarny teach further comprising: 
generating a change indicator between data of versions of a reference (Balasubramanian: paragraph 142 discloses the system monitor and determine recent updates to an authentication framework), the data of versions of the reference comprising: 
the personally identifiable information type (Balasubramanian: paragraph 44 discloses account authentications, user address information) ; 
personally identifiable information output location(Balasubramanian: paragraph 44 discloses output service such as a third party transaction processor); 
path to output location(Balasubramanian: paragraph 47 discloses service may be output by the monitoring application); 
likelihood of storage output(Balasubramanian: paragraph 47 discloses service may be output by the monitoring application); and 
a change from a prior version(Balasubramanian: paragraph 142 discloses the system monitor and determine recent updates to an authentication framework).

As to claim 17, Balasubramanian teaches a computer program product comprising a computer readable storage medium having program instructions (paragraph 40 ) embodied therewith, the program instructions executable by a processor to cause the processor (Figure 1, reference number 111 “Processor”) to perform operations for privacy change risk remediation for dependent product code(paragraph 142 discloses method that detect a level of security risk to the monitored application, such that the system may determine whether recent updates to an framework in the system results in an increase security risk of unauthorized access to the system), the operations comprising: 
scanning a code dependency list (Figure 5, reference number 505 “Determine dependencies of target application” and paragraph 66 discloses the monitoring device may determine dependencies of a target/monitored application; reference number 510 “Build dependency tree for target application”) and a hierarchy of a core code component(paragraph 64 disclose the monitoring application check the operating status of each first level dependency of monitored application, when a first level dependency is identified as having errors, the monitoring application may proceed down a layer to check operating status of each second level dependencies); 
pulling data of the core code component using the scanned code dependency list(Figure 5, step 520 “Determine monitoring interfaces corresponding to target application” and paragraph 70 discloses “capturing a Splunk query and query file associated with a monitoring interface application); 
[determining] ,for each dependency of the core code dependency list, information from the data(Figure 5, reference number 530 “Determine monitoring interfaces corresponding to dependencies” and paragraphs 71-72); 
scoring the information for a version of the core code component to detect a likelihood of user data posture changes(Figure 5, step 550 “Generate health report for target application and dependencies” and paragraph 77 discloses the monitoring application may generate a health report for the target application and its dependencies based on the determined operating statuses; see also paragraph 166 which disclose the monitoring application device may observe different changes after detecting unhealthy operating status event) wherein the scoring is based at least in part on change from a prior version of the core code component(paragraph 142 discloses the system determine recent updates/versions in the system that results in an increase security risk, thus per paragraph 186 corresponds to the system state), a likelihood value(paragraph 186 discloses score is corresponds to the likelihood that current attributes of dependency application may cause the monitored application to enter into an unhealthy state), and a personally identifiable information type(paragraph 44 discloses the dependency applications include PII type data such as user address information and/or account authentications); and 
enforcing a compensating control for the core code(paragraph 78 discloses when detection of error trends arises, alerts will surface for the administrator to address).
Balasubramanian does not teach extracting, for each dependency of the core code dependency list, information from the data.
Podjarny teaches extracting, for each dependency of the core code dependency list, information from the data (paragraph 12 discloses extracting from the application files, the list of dependencies and obtaining a package specification and extrapolating the list of dependencies based on the package specification; paragraph 10 discloses method is performed by a processing apparatus). 
	It would have been obvious to one having ordinary skill in the art before the effective filing date of the claimed invention to modify Balasubramanian’s  method for privacy change risk remediation with Podjarny’s teaching of extracting information from the list of dependencies to prevent, detect, and report potential security flaws of new software packages/versions  (paragraph 10 of Podjarny).

As to claim 18, the combination of Balasubramanian in view of Podjarny teach wherein the data of the core code component comprises core data(Balasubramanian: paragraph 10 discloses both data lineage documentation which is documentation data and a dependency tree which is core data, core data is understood as a framework for managing collection of interconnected data/object), binary data(Podjarny: paragraph 4 discloses the data components include: ImageMagick binary and library file directory data which is the binary data), library data (Podjarny: paragraph 4 discloses the data components include: Open SSL library file directory which is mapped to the library data limitation), source data(Podjarny: paragraph 4 discloses the data components include: ImageMagick library which includes source code/source data; paragraph 8 discloses the dependencies include open source software and thus is the source data), and documentation data (Podjarny: paragraph 4 discloses the data components include: Apache server which includes log data and is documentation data ).  

As to claim 19, the combination of Balasubramanian in view of Podjarny teach wherein the information comprises interface parameters, user indicators, and output avenues (Podjarny: paragraph 114 discloses the dependency analyzer may crawl monitoring interfaces; paragraph 53 discloses checking of key performance indicators; paragraph 19 disclose monitoring updates in the flaws database).

	As to claim 20, the combination of Balasubramanian in view of Podjarny teach wherein the compensation control is at least one of a revert dependency action, a manage dependency action, an alert, and a block deployment action(Balasubramanian: paragraph 78 discloses when detection of error trends arises, alerts will surface for the administrator to address).

Claim(s) 5 and 13 is/are rejected under 35 U.S.C. 103 as being unpatentable over Balasubramanian et al US 20200409825 (hereinafter Balasubramanian) in view of Podjarny et al US 20180260301 (hereinafter Podjarny) in further view of Alsharif et al US 20210037038 (hereinafter Alsharif).

As to claim 5, the combination of Balasubramanian in view of Podjarny teach all the limitations recited in claim 1 above. The combination of Balasubramanian in view of Podjarny teach wherein the scan function scans the code dependency list(Figure 5, reference number 505 “Determine dependencies of target application” and paragraph 66 discloses the monitoring device may determine dependencies of a target/monitored application; reference number 510 “Build dependency tree for target application”)  and the hierarch of the core code component (paragraph 64 disclose the monitoring application check the operating status of each first level dependency of monitored application, when a first level dependency is identified as having errors, the monitoring application may proceed down a layer to check operating status of each second level dependencies).
The combination of Balasubramanian in view of Podjarny does not teach wherein the scanning comprises injecting a scan function into a processing pipeline of a project.
Alsharif teaches wherein the scanning comprises injecting a scan function into a processing pipeline of a project (paragraph 62 discloses Dynamic Application Security Testing DAST tools and Database Security DSS tools, wherein these tool involve injecting a scan function into a processing pipeline).
It would have been obvious to one having ordinary skill in the art before the effective filing date of the claimed invention to modify Balasubramanian’s  method for privacy change risk remediation with Podjarny’s teaching of extracting the data with Alsharif’s DAST tool to further detect, identify, or assess vulnerabilities across many hardware, firmware, or software platforms (paragraph 62 of Alsharif).

As to claim 13, the combination of Balasubramanian in view of Podjarny teach all the limitations recited in claim 9 above. The combination of Balasubramanian in view of Podjarny teach wherein the scan function scans the code dependency list(Figure 5, reference number 505 “Determine dependencies of target application” and paragraph 66 discloses the monitoring device may determine dependencies of a target/monitored application; reference number 510 “Build dependency tree for target application”)  and the hierarch of the core code component (paragraph 64 disclose the monitoring application check the operating status of each first level dependency of monitored application, when a first level dependency is identified as having errors, the monitoring application may proceed down a layer to check operating status of each second level dependencies).
The combination of Balasubramanian in view of Podjarny does not teach wherein the scanning comprises injecting a scan function into a processing pipeline of a project.
Alsharif teaches wherein the scanning comprises injecting a scan function into a processing pipeline of a project (paragraph 62 discloses Dynamic Application Security Testing DAST tools and Database Security DSS tools, wherein these tool involve injecting a scan function into a processing pipeline).
It would have been obvious to one having ordinary skill in the art before the effective filing date of the claimed invention to modify Balasubramanian’s  method for privacy change risk remediation with Podjarny’s teaching of extracting the data with Alsharif’s DAST tool to further detect, identify, or assess vulnerabilities across many hardware, firmware, or software platforms (paragraph 62 of Alsharif).


 Conclusion
Applicant's amendment necessitated the new ground(s) of rejection presented in this Office action.  Accordingly, THIS ACTION IS MADE FINAL.  See MPEP § 706.07(a).  Applicant is reminded of the extension of time policy as set forth in 37 CFR 1.136(a).  
A shortened statutory period for reply to this final action is set to expire THREE MONTHS from the mailing date of this action.  In the event a first reply is filed within TWO MONTHS of the mailing date of this final action and the advisory action is not mailed until after the end of the THREE-MONTH shortened statutory period, then the shortened statutory period will expire on the date the advisory action is mailed, and any extension fee pursuant to 37 CFR 1.136(a) will be calculated from the mailing date of the advisory action.  In no event, however, will the statutory period for reply expire later than SIX MONTHS from the date of this final action. 
Any inquiry concerning this communication or earlier communications from the examiner should be directed to FELICIA FARROW whose telephone number is (571)272-1856. The examiner can normally be reached M - F 7:30--5:30pm (EST).
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Kristine Kincaid can be reached on (571)272-4063. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.





/F.F/Examiner, Art Unit 2437       

/KRISTINE L KINCAID/Supervisory Patent Examiner, Art Unit 2437