US 11,853,430 B2
Security risk identification in a secure software lifecycle
Nishchal Bhalla, Mississauga (CA); Rohit Kumar Sethi, Toronto (CA); Ramanan Sivaranjan, Toronto (CA); Ehsan Foroughi, Toronto (CA); and Geoffrey Charles Whittington, Waterloo (CA)
Assigned to SECURITY COMPASS TECHNOLOGIES LTD., Toronto (CA)
Filed by 1230604 BC Ltd., Toronto (CA)
Filed on May 22, 2020, as Appl. No. 16/881,704.
Application 16/881,704 is a division of application No. 15/784,072, filed on Oct. 13, 2017, granted, now 10,706,156.
Prior Publication US 2020/0285756 A1, Sep. 10, 2020
This patent is subject to a terminal disclaimer.
Int. Cl. G06F 21/57 (2013.01); G06F 21/55 (2013.01)
CPC G06F 21/577 (2013.01) [G06F 21/55 (2013.01); G06F 2221/034 (2013.01)] 15 Claims
OG exemplary drawing
 
1. A system for security risk identification in a software application, the system comprising:
one or more hardware processors;
one or more memories in the one or more hardware processors, the one or more memories comprising:
a security knowledge database comprising a plurality of security elements, each security element comprising an identification of a security risk and a recommended remediation task for remediating the security risk;
a security element selection module for automatically selecting a customized set of security requirements for the software application from the plurality of security elements in the security knowledge database and automatically retrieving the customized set of security requirements from the security knowledge database, the customized set of security requirements including security elements from the plurality of security elements that are relevant to a software context of the software application, the software context comprising characteristics of the software environment pertaining to coding and running of the software application;
an automated code scanner for automatically identifying one or more instances of code vulnerability in software application code of the software application, the code scanner having a tool-specific mapping such that each of the one or more instances of code vulnerability identified by the code scanner is associated with and mapped to at least one of the security requirements for the software application together with the ability of the code scanner to identify a security risk associated with the at least one mapped security requirement;
a prioritization engine for prioritizing the customized set of security requirements by identifying security requirements in the customized set that are ineffectively identified by the code scanner, that are not associated with the instances of code vulnerability identified through the code scanner mapping, and for which the automated code scanner is incapable of verifying a compliance state, the prioritizing generating a prioritized list of the customized set of security requirements based on the security risk of each security requirement in the customized set and assigning higher priorities to security requirements with higher security risks; and
a task list generator for dynamically generating and automatically updating a task list for the software application, the task list comprising the recommended remediation tasks in the prioritized list of the customized set of security requirements wherein the task list is prioritized according to the priorities assigned in the prioritized list.
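The claim above describes an architecture rather than code: a knowledge database of (risk, remediation) elements, context-based selection, a scanner whose tool-specific rules map onto requirements, a prioritization engine that surfaces the requirements the scanner cannot verify, and a task list that is regenerated from each scan. The following Python is an added worked example of that pipeline written for this page; it is not code from the patent or from the assignee. Every requirement identifier, context tag, scanner rule name, risk score and finding below is constructed for illustration.

```python
"""
Constructed example of the claimed pipeline: knowledge database ->
context-based requirement selection -> scanner findings mapped through
a tool-specific rule map -> prioritization of requirements the scanner
cannot verify -> regenerated task list. All IDs and scores are made up.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class SecurityElement:
    req_id: str
    risk: int                 # constructed scale: 1 (low) .. 10 (critical)
    description: str
    remediation: str          # the recommended remediation task
    contexts: frozenset       # software-context tags that make it relevant


# Constructed security knowledge database.
KNOWLEDGE_DB = [
    SecurityElement("REQ-SQLI", 9, "SQL injection in data access layer",
                    "Use parameterized queries for all SQL", frozenset({"sql"})),
    SecurityElement("REQ-XSS", 8, "Reflected/stored XSS in templates",
                    "Apply context-aware output encoding", frozenset({"web"})),
    SecurityElement("REQ-AUTHZ", 9, "Missing object-level authorization",
                    "Enforce ownership checks on every resource access", frozenset({"web"})),
    SecurityElement("REQ-SECRETS", 7, "Hard-coded credentials",
                    "Move secrets to a secret manager", frozenset({"web", "sql", "cli"})),
    SecurityElement("REQ-PII-RET", 6, "PII retained without expiry",
                    "Define and enforce a retention schedule", frozenset({"pii"})),
    SecurityElement("REQ-MEMSAFE", 10, "Memory-unsafe buffer handling",
                    "Use bounds-checked APIs", frozenset({"native"})),
]

# Tool-specific mapping for a constructed SAST scanner: scanner rule -> requirement.
# A requirement that no rule maps to is one this scanner cannot verify at all.
SCANNER_RULE_MAP = {
    "py.sql.string-format": "REQ-SQLI",
    "py.web.unescaped-output": "REQ-XSS",
    "generic.hardcoded-password": "REQ-SECRETS",
}


def select_requirements(db, software_context):
    """Security element selection: keep elements whose context tags
    intersect the application's software context."""
    ctx = set(software_context)
    return [e for e in db if e.contexts & ctx]


def map_findings(findings, rule_map):
    """Map raw scanner findings (rule_id, location) onto requirement ids.
    Rules the mapping does not know are returned separately so they are
    not silently dropped."""
    hit, unmapped = set(), []
    for rule_id, location in findings:
        req = rule_map.get(rule_id)
        if req is None:
            unmapped.append((rule_id, location))
        else:
            hit.add(req)
    return hit, unmapped


def prioritize(requirements, rule_map, findings):
    """Prioritization engine.

    Returns (unverifiable, flagged). 'unverifiable' holds the requirements
    the scanner is incapable of verifying (no rule maps to them), highest
    risk first; 'flagged' holds requirements the scanner actually hit.
    Requirements the scanner covers but did not flag are treated as
    verified clean and are omitted.
    """
    verifiable = set(rule_map.values())
    hit, _ = map_findings(findings, rule_map)
    by_risk = lambda r: r.risk
    unverifiable = sorted((r for r in requirements if r.req_id not in verifiable),
                          key=by_risk, reverse=True)
    flagged = sorted((r for r in requirements if r.req_id in hit),
                     key=by_risk, reverse=True)
    return unverifiable, flagged


def generate_task_list(requirements, rule_map, findings):
    """Task list generator: one remediation task per prioritized requirement,
    tagged with the reason it is listed. Re-running this on each new scan
    result is the 'automatic update' of the task list."""
    unverifiable, flagged = prioritize(requirements, rule_map, findings)
    tasks = [(r.req_id, r.risk, "manual-review", r.remediation) for r in unverifiable]
    tasks += [(r.req_id, r.risk, "scanner-finding", r.remediation) for r in flagged]
    return tasks


if __name__ == "__main__":
    context = {"web", "sql", "pii"}            # constructed application context
    reqs = select_requirements(KNOWLEDGE_DB, context)
    findings = [("py.sql.string-format", "db/orders.py:42"),   # constructed
                ("custom.rule.xyz", "app.py:7")]               # unknown to the map
    for task in generate_task_list(reqs, SCANNER_RULE_MAP, findings):
        print(task)
```

The practical point the example makes visible: for the constructed context, the highest-risk requirement on the task list (REQ-AUTHZ, object-level authorization) never appears in any scanner output, because no rule in the tool's mapping can test it. A dashboard that lists only scanner findings would show one SQL injection hit and nothing else; the prioritization step is what puts the unverifiable, high-risk requirements at the top as manual-review tasks.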