01/12/2021DETAILED ACTION
	Claims 1-20 are presented on 01/12/2022 for examination on merits.  Claims 1, 14, and 20 are independent base claims.  

Notice of Pre-AIA  or AIA  Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA .

Examiner's Instructions for filing Response to this Office Action
When the Applicant submits amendments regarding to the claims in response the Office Action, the Examiner would prefer that Applicant submit two sets of claims: 
Set #1 that includes indicators for the status of claim and all marked amendments to the claims; and 
Set #2 comprising a clean version of the claims with all the markups removed for entry, as an appendix to the Applicant Arguments/Remarks or a section following the Remarks.

Information Disclosure Statement
The information disclosure statement(s) (IDS) submitted for examination on merits is/are in compliance with the provisions of 37 CFR 1.97.  Accordingly, the information disclosure statement(s) is/are being considered by the examiner. See the annotated 1449 documents.

Claim Rejections - 35 USC § 112
The following is a quotation of 35 U.S.C. 112(b):

(B)  CONCLUSION—The specification shall conclude with one or more claims particularly pointing out and distinctly claiming the subject matter which the inventor or a joint inventor regards as the invention.

The following is a quotation of 35 U.S.C. 112 (pre-AIA ), second paragraph:

The specification shall conclude with one or more claims particularly pointing out and distinctly claiming the subject matter which the applicant regards as his invention. 


Claims 1-20 are rejected under 35 U.S.C. 112(b) or 35 U.S.C. 112 (pre-AIA ), second paragraph, as being indefinite for failing to particularly point out and distinctly claim the subject matter which the inventor or a joint inventor, or for pre-AIA  the applicant regards as the invention.

The rejection(s) under 35 U.S.C. 112(b) is/are determined by the following reasons:
Claims 1, 14, and 20 each recite a limitation for “a DevOps deployment” unclearly, because academics and practitioners have not developed a universal definition for the term "DevOps".  For example, Dyck et al. (2015) "To our knowledge, there is no uniform definition for the terms release engineering and DevOps. As a consequence, many people use their own definitions or rely on others, which results in confusion about those terms."[ Dyck, Andrej; Penners, Ralf; Lichter, Horst (19 May 2015). "Towards Definitions for Release Engineering and DevOps". Proceedings of the 2015 IEEE/ACM 3rd International Workshop on Release Engineering. IEEE: 3. doi:10.1109/RELENG.2015.10. ISBN 978-1-4673-7070-7. S2CID 4659735].  Jabbari et al. (2016) "The research results of this study showed the need for a definition as individual studies do not consistently define DevOps."[ Jabbari, Ramtin; bin Ali, Nauman; Petersen, Kai; Tanveer, Binish (May 2016). "What is DevOps?: A Systematic Mapping Study on Definitions and Practices". Proceedings of the 2016 Scientific Workshop. Association for Computing Machinery].  Erich et al. (2017) "We noticed that there are various gaps in the study of DevOps: There is no consensus of what concepts DevOps covers, nor how DevOps is defined."[ Erich, F.M.A.; Amrit, C.; Daneva, M. (June 2017). "A Qualitative Study of DevOps Usage in Practice". Journal of Software: Evolution and Process. 29 (6): e1885. doi:10.1002/smr.1885. S2CID 35914007].  See also the notes a-d of DevOps from Wikipedia [https://en.wikipedia.org/wiki/DevOps#cite_note-3].
Independent claims 14 and 20 each recite a limitation for “a DevOps deployment” unclearly for the same reason as that for claim 1.
Claims 2-11, 13, 15-19 each recite the limitation for “the DevOps deployment” unclearly or lacking sufficient antecedent basis for this limitation in the respective claims for the same reason as that for claim 1.
Claims 1, 14 and 20 each recite a limitation for “a DevOps lifecycle” unclearly for the same reason as that for claim 1.
Claims 1, 14 and 20 each recite a limitation for “a DevOps security” unclearly for the same reason as that for claim 1.
Claims 2-13 and 15-19 are also rejected under 35 U.S.C. 112(b) or 35 U.S.C. 112 (pre-AIA ), second paragraph, because they depend from the rejected base claims 1 and 14, respectively.

Claim Rejections - 35 USC § 103
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.

The factual inquiries set forth in Graham v. John Deere Co., 383 U.S. 1, 148 USPQ 459 (1966), that are applied for establishing a background for determining obviousness under 35 U.S.C. 103 are summarized as follows:
1. Determining the scope and contents of the prior art.
2. Ascertaining the differences between the prior art and the claims at issue.
3. Resolving the level of ordinary skill in the pertinent art.
4. Considering objective evidence present in the application indicating obviousness or nonobviousness.


In the event the determination of the status of the application as subject to AIA  35 U.S.C. 102 and 103 (or as subject to pre-AIA  35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.  

Claims 1-3, 10-11, 13-15, and 20 are rejected under 35 U.S.C. 103 as being unpatentable over Considine (US 20190180039 A1; hereinafter “Consi”) in view of Nuñez Di Croce (US 20210326451 A1; hereinafter “NDC.” Note that the data of reference reaches back to 02/04/2016 through the parent applications).

As per claim 1, Consi teaches a method of providing a framework that quantifies security in a DevOps deployment (Consi, par. 0009-0010 and 0033-0034: an application lifecycle management (ALM) system calculates the risk score to be compared to the acceptance thresholds for acceptability of performing a task with respect to a computing application per user’s request), comprising: 
receiving, at a central computer, parameters pertaining to specified factors relevant to security in one or more stages of a DevOps lifecycle (Consi, par. 0024-0025: [receiving] and determining … any existing authorization rule defined with respect to the requested application (step 203), which is a computing application (e.g., a software program) maintained by the software management system 116 (e.g., an ALM system).  It is noted that the user is a registered user of the software management system 116 having user-related and application-related factors; par. 0030-0031; to access the desired computing application … and to execute a DevOps pipeline, or to deploy an update to a production; par. 0035-0037); 

calculating, by the central computer, a score indicative of an overall level of security in the DevOps deployment based on an aggregation of the measurement values (Consi, par. 0024 and 0032: compute a risk score as a weighted sum of these factors (step 206)); and 
in response to the calculated score exceeding a predetermined threshold, identifying at least one security gap in the DevOps deployment based at least on one or more of the received parameters (Consi, par. 0024 and 0033: compare the risk score to one or more thresholds to determine whether to authorize the access request (step 208).  Consi uses two or three levels of security risk analysis for identifying security gaps and adjust risk profiles accordingly).
However, Consi does not explicitly disclose using or generating measurement values of the received parameters.  This aspect of the claim is identified as a difference.
In a relate art, NDC teaches:
generating, by the central computer, measurement values of the received parameters (NDC, par. 0123 and 200: The user can then configure each parameter which is measured on a target system; see also clm. 1).
Consi and NDC are analogous art, because they are in a similar field of endeavor in improving security assessment of an application.  Thus, it would have been obvious to one of ordinary in the art, before the effective filing date of the claimed invention, to combine them and modify Consi with NDC’s teaching on parameter measurement that generates measurement values of the received parameters.  For this combination, the motivation would have been to improve the process of security assessment for Consi’s deployment of application.

As per claim 2, the references as combined above teach the method of claim 1 wherein the receiving of the parameters pertaining to the specified factors relevant to security includes receiving the parameters pertaining to the specified factors relevant to security at a client level of the DevOps deployment (Consi, par. 0030 and 0034: a factor indicating the job level/grade of the use; the number of years of experience of the user, where a more inexperienced user is more likely to introduce a defect).

As per claim 3, the references as combined above teach the method of claim 2 wherein the receiving of the parameters pertaining to the specified factors relevant to security at the client level of the DevOps deployment includes receiving the parameters pertaining to the specified factors relating to one or more of (Note: optional limitations are recited herein):
role-based access control (RBAC) (Note: this option is not selected for examination), 
data-at-rest encryption (Note: this option is not selected for examination), and 
configuration management at the client level (Consi, par. 0034: configuration management in Consi is using multiple configurable inputs, which represents the level of risk that an application or product team is willing to accept in relation to the particular defect type; and 0036: adjusting the risk profile by adding the compensation score to the risk profile).

As per claim 10, the references as combined above teach the method of claim 1 wherein the identifying of the at least one security gap in the DevOps deployment includes performing an analysis of the received parameters (Consi, par. 0008 and 0034: analyzing… a type of defect to the computing application; DPXi represents an array of values indicating the probably of a particular defect type (i.e. security, performance, functional) occurring).

As per claim 11, the references as combined above teach the method of claim 10 further comprising: 
having identified the at least one security gap in the DevOps deployment, generating one or more recommendations for remediation of the at least one security gap (Consi, par. 0035-0036: adjusting the risk profile … as [a remediation] for security defect, i.e. a security gap).

As per claim 13, the references as combined above teach the method of claim 1 wherein the DevOps deployment is deemed to be compliant with specified audit regulations if the calculated score does not exceed the predetermined threshold, and wherein the method further comprises: 
in response to performing remediation of the at least one security gap in the DevOps deployment, iteratively performing the receiving of the parameters, the generating of the measurement values, and the calculating of the score until the calculated score does not exceed the predetermined threshold (par. 0009 and 0036: repeating step 312 with respect to the adjusted risk profile to determine whether to deny or authorize the access request; par. 0035-0036: compare the risk profile with a second predefined acceptable risk threshold and repeating step 312).

As per claim 14, Consi teaches a system for providing a framework that quantifies security in a DevOps deployment (Consi, par. 0009-0010 and 0033-0034: an application lifecycle management (ALM) system calculates the risk score to be compared to the acceptance thresholds for acceptability of performing a task with respect to a computing application per user’s request), comprising: 
a central computer communicably coupleable, over a network, to one or more client processing devices, one or more server processing devices, and one or more network processing devices (Consi, par. 0009-0010 and 0033-0034: an application lifecycle management (ALM) system), wherein the central computer includes processing circuitry configured to execute program instructions out of a memory to: 
receive parameters pertaining to specified factors relevant to security in one or more stages of a DevOps lifecycle (Consi, par. 0024-0025: [receiving] and determining … any existing authorization rule defined with respect to the requested application (step 203), which is a computing application (e.g., a software program) maintained by the software management system 116 (e.g., an ALM system).  It is noted that the user is a registered user of the software management system 116 having user-related and application-related factors; par. 0030-0031; to access the desired computing application … and to execute a DevOps pipeline, or to deploy an update to a production; par. 0035-0037);
calculate a score indicative of an overall level of security in the DevOps deployment based on an aggregation of the measurement values (Consi, par. 0024 and 0032: compute a risk score as a weighted sum of these factors (step 206)); and 
in response to the calculated score exceeding a predetermined threshold, identify at least one security gap in the DevOps deployment based at least on one or more of the received parameters (Consi, par. 0024 and 0033: compare the risk score to one or more thresholds to determine whether to authorize the access request (step 208).  Consi uses two or three levels of security risk analysis for identifying security gaps and adjust risk profiles accordingly).
However, Consi does not explicitly disclose using or generating measurement values of the received parameters.  This aspect of the claim is identified as a difference.
In a relate art, NDC teaches:
generate measurement values of the received parameters (NDC, par. 0123 and 200: The user can then configure each parameter which is measured on a target system; see also clm. 1).
Consi and NDC are analogous art, because they are in a similar field of endeavor in improving security assessment of an application.  Thus, it would have been obvious to one of ordinary in the art, before the effective filing date of the claimed invention, to combine them and modify Consi with NDC’s teaching on parameter measurement that generates measurement values of the received parameters.  For this combination, the motivation would have been to improve the process of security assessment for Consi’s deployment of application.



As per claim 15, the references as combined above teach the system of claim 14 wherein the processing circuitry is further configured to execute the program instructions out of the memory to receive the parameters pertaining to the specified factors relevant to security at a client level of the DevOps deployment (Consi, par. 0030 and 0034: a factor indicating the job level/grade of the use; the number of years of experience of the user, where a more inexperienced user is more likely to introduce a defect).

As per claim 20, Consi teaches a computer program product including a set of non-transitory, computer-readable media having instructions that, when executed by processing circuitry, cause the processing circuitry to perform a method of providing a framework that quantifies security in a DevOps deployment, the method comprising: 
receiving, at a central computer, parameters pertaining to specified factors relevant to security in one or more stages of a DevOps lifecycle (Consi, par. 0024-0025: [receiving] and determining … any existing authorization rule defined with respect to the requested application (step 203), which is a computing application (e.g., a software program) maintained by the software management system 116 (e.g., an ALM system).  It is noted that the user is a registered user of the software management system 116 having user-related and application-related factors; par. 0030-0031; to access the desired computing application … and to execute a DevOps pipeline, or to deploy an update to a production; par. 0035-0037); 
calculating, by the central computer, a score indicative of an overall level of security in the DevOps deployment based on an aggregation of the measurement values (Consi, par. 0024 and 0032: compute a risk score as a weighted sum of these factors (step 206)); and 
in response to the calculated score exceeding a predetermined threshold, identifying at least one security gap in the DevOps deployment based at least on one or more of the received parameters (Consi, par. 0024 and 0033: compare the risk score to one or more thresholds to determine whether to authorize the access request (step 208).  Consi uses two or three levels of security risk analysis for identifying security gaps and adjust risk profiles accordingly).
However, Consi does not explicitly disclose using or generating measurement values of the received parameters.  This aspect of the claim is identified as a difference.
In a relate art, NDC teaches:
generating, by the central computer, measurement values of the received parameters (NDC, par. 0123 and 200: The user can then configure each parameter which is measured on a target system; see also clm. 1).
Consi and NDC are analogous art, because they are in a similar field of endeavor in improving security assessment of an application.  Thus, it would have been obvious to one of ordinary in the art, before the effective filing date of the claimed invention, to combine them and modify Consi with NDC’s teaching on parameter measurement that generates measurement values of the received parameters.  For this combination, the motivation would have been to improve the process of security assessment for Consi’s deployment of application.

Allowable Subject Matter
Claim 4-9, 12, 16-19 are objected to as being dependent upon a rejected base claim, but would be allowable if rewritten in independent form including all of the limitations of the base claim and any intervening claims.

Claims 4 and 16 each recite elements of “wherein the receiving of the parameters pertaining to the specified factors relevant to security includes receiving the parameters pertaining to the specified factors relevant to security at a network level of the DevOps deployment”.  The features for receiving the parameters pertaining to the specified factors relevant to security at a network level of the DevOps deployment, in combination with the other limitations thereof and the limitations in the respective base claims 1-3 and 14-15, are not anticipated by, nor made obvious over the prior art of record.
Claims 5-9 and 17-19 are allowable by virtue of their dependency from claims 4 and 16, respectively.
Claim 12 recites elements of “generating a report containing at least the calculated score, the specified factors contributing to the calculated score, and the recommendations for remediation of the at least one security gap”.  These features, in combination with the other limitations in the claims 1 and 10-11, are not anticipated by, nor made obvious over the prior art of record.

Conclusion
The prior art made of record and not relied upon is considered pertinent to applicant's disclosure as the prior art additionally discloses certain parts of the claim features (See “PTO-892 Notice of Reference Cited”).
Any inquiry concerning this communication or earlier communications from the examiner should be directed to DON ZHAO whose telephone number is (571)272.9953.  The examiner can normally be reached on Monday to Friday, 7:30 A.M to 5:00 P.M EST.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Carl G Colin can be reached on 571.272.3862.  The fax phone number for the organization where this application or proceeding is assigned is 571.273.8300.
Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system.  Status information for published applications may be obtained from either Private PAIR or Public PAIR.  Status information for unpublished applications is available through Private PAIR only.  For more information about the PAIR system, see http://pair-direct.uspto.gov. Should you have questions on access to the Private PAIR system, contact the Electronic Business Center (EBC) at 866.217.9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative or access to the automated information system, call 800.786.9199 (IN USA OR CANADA) or 571.272.1000.


/Don G Zhao/Primary Examiner, Art Unit 2493                                                                                                                                                                                                        11/29/2022