
Method And System For Identifying Vulnerabilities And Security Risks In An Application

Abstract: The disclosure relates to a method (300) and system (100) for identifying vulnerabilities and security risks in an application. The method (300) includes receiving (302) application data from the application and a set of test configuration parameters from a user. The set of test configuration parameters includes a set of vulnerability scan parameters and a set of security test parameters. The method includes identifying (304) a set of vulnerabilities in the application data through at least one scanning technique. The method includes identifying (306) a set of security risks in the application data using a security test framework upon identifying the set of vulnerabilities, and adding (308) each of the set of vulnerabilities and the set of security risks to a list of threats associated with the application. The method further includes identifying (310) a set of valid threats and a set of false positive threats from the list of threats using a debugging tool.


Patent Information

Filing Date: 25 March 2021
Publication Number: 14/2021
Publication Type: INA
Invention Field: COMPUTER SCIENCE
Email: jashandeep@inventip.in
Grant Date: 2024-11-28

Applicants

HCL Technologies Limited
806, Siddharth, 96, Nehru Place, New Delhi - 110019, India

Inventors

1. Mahesh K
HCL Technologies Ltd. L2 & L3, Building No.H08, Sy.No.30,34,35 & 38, (L&T Phoenix Infoparks Pvt Ltd Serlingampally Mandal, Hyderabad- 500081 Phone Number: +91 9701001757
2. Srinivas T
HCL Technologies Ltd. L2 & L3, Building No.H08, Sy.No.30,34,35 & 38, (L&T Phoenix Infoparks Pvt Ltd Serlingampally Mandal, Hyderabad- 500081 Phone Number: +91 9573202405
3. Narender S
HCL Technologies Ltd. L2 & L3, Building No.H08, Sy.No.30,34,35 & 38, (L&T Phoenix Infoparks Pvt Ltd Serlingampally Mandal, Hyderabad- 500081 Phone Number: +91 9989284333
4. Chandrasekar V
HCL Technologies Ltd. ELCOT – SEZ, Special Economic Zone, 602/3, 138, Shollinganallur Village, Chennai - 600119 Phone Number: +91 9840964322
5. Syed Rahman
HCL Technologies Ltd. L2 & L3, Building No.H08, Sy.No.30,34,35 & 38, (L&T Phoenix Infoparks Pvt Ltd Serlingampally Mandal, Hyderabad- 500081 Phone Number: +91 9502721550

Specification

This disclosure relates generally to application security, and
more particularly to method and system for identifying vulnerabilities and
security risks in an application.
Background
[002] With the phenomenal growth of information technology (IT), IT-enabled business has come under an explosion of demand for IT-related
products to support process and technology throughout an enterprise.
Software lies at the heart of every IT product and software application, and
software code is what ensures that every IT product and every software
application executes and performs in the expected manner, including carrying
out its security functions.
[003] Traditional solutions for conducting security testing and performing
vulnerability assessment of a software application require test
professionals to perform the testing using a variety of testing and vulnerability
scanner tools. However, if the enterprise has a large number of software
applications to security-test, and/or if the software applications change
frequently and are released to market in a short duration of time, the
existing traditional solutions become exceedingly challenging to implement
because they rely on manual testing procedures.
[004] Currently, enterprises are constantly looking for innovative
security test and vulnerability scanning solutions that reduce the effort and
time needed to release products/applications to market. Therefore, there
is a need in the art for improved methods and systems that provide an
automated approach for identifying risks and vulnerabilities of a software
application without requiring user intervention and without degrading system
performance.
Docket No.: IIP-HCL-P0057
SUMMARY
[005] In an embodiment, a method for identifying vulnerabilities and
security risks in an application is disclosed. In one example, the method may
include receiving application data from the application and a set of test
configuration parameters from a user using a security testing device. The set
of test configuration parameters may include a set of vulnerability scan
parameters and a set of security test parameters. The method may further
include identifying a set of vulnerabilities in the application data through at
least one scanning technique. The at least one scanning technique may be
based on the set of vulnerability scan parameters. The method may further
include identifying a set of security risks in the application data using a
security test framework upon identifying the set of vulnerabilities. The security
test framework may be based on the set of security test parameters. The
method may further include adding each of the set of vulnerabilities and the
set of security risks to a list of threats associated with the application. The
method may further include identifying a set of valid threats and a set of false
positive threats from the list of threats using a debugging tool.
[006] In another embodiment, a system for identifying vulnerabilities
and security risks in an application is disclosed. In one example, the system
may include a security testing device comprising a processor and a memory
communicatively coupled to the processor, wherein the memory stores
processor-executable instructions, which, on execution, may cause the
processor to receive application data from the application and a set of test
configuration parameters from a user. The set of test configuration
parameters includes a set of vulnerability scan parameters and a set of
security test parameters. The processor-executable instructions, on
execution, may further cause the processor to identify a set of vulnerabilities
in the application data through at least one scanning technique, wherein the
at least one scanning technique is based on the set of vulnerability scan
parameters. The processor-executable instructions, on execution, may
further cause the processor to identify a set of security risks in the application
data using a security test framework upon identifying the set of vulnerabilities,
wherein the security test framework is based on the set of security test
parameters. The processor-executable instructions, on execution, may
further cause the processor to add each of the set of vulnerabilities and the
set of security risks to a list of threats associated with the application. The
processor-executable instructions, on execution, may further cause the
processor to identify a set of valid threats and a set of false positive threats
from the list of threats using a debugging tool.
[007] It is to be understood that both the foregoing general description
and the following detailed description are exemplary and explanatory only
and are not restrictive of the invention, as claimed.
BRIEF DESCRIPTION OF THE DRAWINGS
[008] The accompanying drawings, which are incorporated in and
constitute a part of this disclosure, illustrate exemplary embodiments and,
together with the description, serve to explain the disclosed principles.
[009] FIG. 1 is a block diagram of an exemplary system for identifying
vulnerabilities and security risks in an application, in accordance with some
embodiments.
[010] FIG. 2 illustrates a functional block diagram of a security testing
device implemented by the exemplary system of FIG. 1, in accordance with
some embodiments.
[011] FIGS. 3A and 3B illustrate an exemplary process for
identifying vulnerabilities and security risks in an application, in accordance
with some embodiments of the present disclosure.
[012] FIG. 4 illustrates a workflow of the system, in accordance with
some embodiments of the present disclosure.
[013] FIG. 5A illustrates a flow diagram for performing scan
configuration and testing of data by the security testing device, in accordance
with some embodiments of the present disclosure.
[014] FIG. 5B illustrates a flow diagram for depicting functioning of
the core engine of the security testing device, in accordance with some
embodiments of the present disclosure.
[015] FIG. 6A is a flow diagram depicting functioning of the DAST test
engine, in accordance with some embodiments of the present disclosure.
[016] FIG. 6B is a flow diagram depicting functioning of the SAST test
engine, in accordance with some embodiments of the present disclosure.
[017] FIG. 6C is a flow diagram depicting functioning of the OWASP
test engine, in accordance with some embodiments of the present disclosure.
[018] FIG. 7 illustrates an exemplary triggering of a security
assessment job by the system in accordance with some embodiments of the
present disclosure.
[019] FIG. 8 illustrates an exemplary vulnerability assessment report
dashboard in accordance with some embodiments of the present disclosure.
[020] FIG. 9 illustrates an exemplary vulnerability graph generated by
the security testing device in accordance with some embodiments of the
present disclosure.
[021] FIG. 10 is a block diagram of an exemplary computer system
for implementing embodiments consistent with the present disclosure.
DETAILED DESCRIPTION
[022] Exemplary embodiments are described with reference to the
accompanying drawings. Wherever convenient, the same reference numbers
are used throughout the drawings to refer to the same or like parts. While
examples and features of disclosed principles are described herein,
modifications, adaptations, and other implementations are possible without
departing from the spirit and scope of the disclosed embodiments. It is
intended that the following detailed description be considered as exemplary
only, with the true scope and spirit being indicated by the following claims.
Additional illustrative embodiments are listed below.
[023] Referring now to FIG. 1, an exemplary system 100 for
identifying vulnerabilities and security risks in an application is illustrated, in
accordance with some embodiments of the present disclosure. The system
100 may implement a security testing device 102 (for example, server,
desktop, laptop, notebook, netbook, tablet, smartphone, mobile phone, or any
other computing device), in accordance with some embodiments of the
present disclosure. The security testing device 102 may identify
vulnerabilities and security risks in an application (such as, software
applications, smartphone applications, web applications, etc.) by identifying
a set of vulnerabilities in the application data and a set of security risks
in the application data. It should be noted that, in some embodiments, the
security testing device 102 may identify a set of valid threats and a set of false
positive threats from a list of threats using a debugging tool.
[024] As will be described in greater detail in conjunction with FIGS.
2 – 10, the security testing device may receive application data from the
application and a set of test configuration parameters from a user. The set of
test configuration parameters may include a set of vulnerability scan
parameters and a set of security test parameters. The security testing device
may further identify a set of vulnerabilities in the application data through at
least one scanning technique. The at least one scanning technique is based
on the set of vulnerability scan parameters. The security testing device may
further identify a set of security risks in the application data using a security
test framework upon identifying the set of vulnerabilities. The security test
framework is based on the set of security test parameters. The security
testing device may further add each of the set of vulnerabilities and the set of
security risks to a list of threats associated with the application. The security
testing device may further identify a set of valid threats and a set of false
positive threats from the list of threats using a debugging tool.
[025] In some embodiments, the security testing device 102 may
include one or more processors 104 and a computer-readable medium 106
(for example, a memory). The computer-readable medium 106 may include
the application data and the test configuration parameters corresponding to
a plurality of applications. Further, the computer-readable storage medium
106 may store instructions that, when executed by the one or more processors
104, cause the one or more processors 104 to identify vulnerabilities and
security risks in an application, in accordance with aspects of the present
disclosure. The computer-readable storage medium 106 may also store various
data (for example, the application data, set of test configuration parameters,
set of vulnerabilities, set of security risks, and the like) that may be
captured, processed, and/or required by the system 100.
[026] The system 100 may further include a display 108. The system
100 may interact with a user via a user interface 110 accessible via the
display 108. The system 100 may also include one or more external devices
112. In some embodiments, the security testing device 102 may interact with
the one or more external devices 112 over a communication network 114 for
sending or receiving various data. The external devices 112 may include, but
may not be limited to, a remote server, a digital device, or another computing
system.
[027] Referring now to FIG. 2, a functional block diagram of a security
testing device 200 is illustrated, in accordance with some embodiments. In
an embodiment, the security testing device 200 may include a vulnerability
identification module 202, a security risk identification module 204, a threat
list addition module 206, a valid and false positive threat identification module
208. In such an embodiment, the security testing device 200 may be
analogous to the security testing device 102 of the system 100.
[028] The vulnerability identification module 202 may receive an input
210. By way of an example, the input 210 may be application data (e.g., the
application data may be URL of a website or an application/software
program) that is received from an application. Further, the input 210 may
include a set of test configuration parameters from a user. The set of test
configuration parameters may include a set of vulnerability scan parameters
and a set of security test parameters. In an embodiment, the application data
received from the application and the set of test configuration parameters as
received from the user, are received through a Continuous
Integration/Continuous Delivery (CI/CD) pipeline. In an exemplary scenario,
the input 210 may include the Uniform Resource Locator (URL) of the application
that is to be scanned, authentication information for the application, an
indication of whether the scan to be performed is an active scan or a
passive scan, inputs for configuring the scan options, and the email
addresses of one or more recipients. In an embodiment, the set of
security test parameters may correspond to one or more Open Web
Application Security Project (OWASP) standard tests. In an exemplary
embodiment, various open source tools may be integrated and deployed in
the security testing device 200 to automate the OWASP tests and the
determination of valid threats and false positive threats, thereby
removing the need for manual testing. For example, on receiving an
application (via a URL), the security testing device 200 may determine whether
the application has been partially or fully developed, check whether there is any
code change for the received application, and then automatically perform
testing to determine the underlying threats and risks.
[029] The vulnerability identification module 202 may identify a set of
vulnerabilities in the application data through at least one scanning technique.
The at least one scanning technique may be based on the set of vulnerability
scan parameters. In an embodiment, the at least one scanning technique may be
an active vulnerability scanning technique, a passive vulnerability
scanning technique, or a combination thereof, and the security test
framework may be a Dynamic Application Security Testing (DAST) framework, a
Static Application Security Testing (SAST) framework, or a combination
thereof.
[030] Upon identifying the set of vulnerabilities, the security risk
identification module 204 may identify a set of security risks in the application
data using a security test framework. The security test framework may be based
on the set of security test parameters. In an embodiment, the threat list
addition module 206 may add each of the set of vulnerabilities and the set of
security risks to a list of threats associated with the application. In an
embodiment, the set of false positive threats may subsequently be removed
from the list of threats. In another embodiment, a risk score may be assigned
to each of the set of vulnerabilities and a risk classification may be
determined for each of the set of vulnerabilities based on the risk score. In
yet another embodiment, one or more remediations may be determined for each of
the set of vulnerabilities. The one or more remediations may be pre-defined
steps for the user to follow to fix each of the set of vulnerabilities.
[031] The valid and false positive threat identification module 208
may identify a set of valid threats and a set of false positive threats from the
list of threats using a debugging tool, and provide them as an output 212. In an
embodiment, a security test report of the application may be generated. The
security test report may include the set of vulnerabilities, the risk
classification corresponding to each of the set of vulnerabilities, and the one
or more remediations for each of the set of vulnerabilities.
[032] It should be noted that all such aforementioned modules 202 –
208 may be represented as a single module or a combination of different
modules. Further, as will be appreciated by those skilled in the art, each of
the modules 202 – 208 may reside, in whole or in parts, on one device or
multiple devices in communication with each other. In some embodiments,
each of the modules 202 – 208 may be implemented as dedicated hardware
circuit comprising custom application-specific integrated circuit (ASIC) or gate
arrays, off-the-shelf semiconductors such as logic chips, transistors, or other
discrete components. Each of the modules 202 – 208 may also be
implemented in a programmable hardware device such as a field
programmable gate array (FPGA), programmable array logic, programmable
logic device, and so forth. Alternatively, each of the modules 202 – 208 may
be implemented in software for execution by various types of processors
(e.g., processor 104). An identified module of executable code may, for
instance, include one or more physical or logical blocks of computer
instructions, which may, for instance, be organized as an object, procedure,
function, or other construct. Nevertheless, the executables of an identified
module or component need not be physically located together, but may
include disparate instructions stored in different locations which, when joined
logically together, include the module and achieve the stated purpose of the
module. Indeed, a module of executable code could be a single instruction,
or many instructions, and may even be distributed over several different code
segments, among different applications, and across several memory devices.
[033] As will be appreciated by one skilled in the art, a variety of
processes may be employed for identifying vulnerabilities and security risks
in an application. For example, the exemplary system 100 and the associated
security testing device 102 may identify vulnerabilities and security risks in
an application by the processes discussed herein. In particular, as will be
appreciated by those of ordinary skill in the art, control logic and/or automated
routines for performing the techniques and steps described herein may be
implemented by the system 100 and the associated security testing device
102 either by hardware, software, or combinations of hardware and software.
For example, suitable code may be accessed and executed by the one or
more processors on the system 100 to perform some or all of the techniques
described herein. Similarly, application specific integrated circuits (ASICs)
configured to perform some or all of the processes described herein may be
included in the one or more processors on the system 100.
[034] Referring now to FIGS. 3A and 3B, an exemplary process 300
for identifying vulnerabilities and security risks in an application is depicted
via a flowchart, in accordance with some embodiments. The process 300 may
be implemented by the security testing device 102 of the system 100. The
process 300 includes receiving application data from the application and a
set of test configuration parameters from a user, at step 302. It may be noted
that the set of test configuration parameters includes a set of vulnerability
scan parameters and a set of security test parameters. In some
embodiments, the application data from the application and the set of test
configuration parameters from a user are received through a Continuous
Integration/Continuous Delivery (CI/CD) pipeline.
[035] Further, the process 300 includes identifying a set of
vulnerabilities in the application data through at least one scanning technique, at
step 304. It may be noted that the at least one scanning technique is based
on the set of vulnerability scan parameters.
[036] Further, the process 300 includes, identifying a set of security
risks in the application data using a security test framework upon identifying
the set of vulnerabilities, at step 306. It may be noted that the security test
framework is based on the set of security test parameters.
[037] Further, the process 300 includes, adding each of the set of
vulnerabilities and the set of security risks to a list of threats associated with
the application, at step 308.
[038] Further, the process 300 includes identifying a set of valid
threats and a set of false positive threats from the list of threats using a
debugging tool, at step 310. As an example, the valid and false positive threat
identification module 208 may remove the set of false positive threats from
the list of threats, at step 312.
[039] In another exemplary embodiment, the security risk
identification module 204 may assign a risk score to each of the set of
vulnerabilities, at step 314 and may determine a risk classification for each of
the set of vulnerabilities, at step 316. With respect to the example, the security
risk identification module 204 may determine one or more remediations for
each of the set of vulnerabilities, at step 318.
[040] Further, the process may generate a security report of the
application, at step 320. Also, the process may receive the application data
from the application and the set of test configuration parameters from the
user through a CI/CD pipeline, at step 322.
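As an added example (not code from the patent or from HCL), the following Python sketch carries steps 308 to 320 of process 300 through on constructed findings: it merges the scanner's vulnerabilities (step 304) and the security-test risks (step 306) into one threat list, separates valid threats from false positives by replaying each finding against captured responses, assigns a risk score from the tool-reported severity and confidence, classifies it, and attaches a pre-defined remediation. The patent does not say how its debugging tool decides what is a false positive, so the replay-based rule, the `Finding` fields, the scoring weights, the `REMEDIATIONS` catalogue and the `REPLAYED` responses are all assumptions made for this example.

```python
"""Threat list, false-positive triage, risk classification and report
(steps 308 to 320 of process 300).

Added illustrative code, not the HCL system's code. The Finding fields, the
scoring weights, the remediation catalogue, the replay-based false-positive
check and all sample data are assumptions constructed for this example.
"""
from dataclasses import dataclass, asdict


@dataclass(frozen=True)
class Finding:
    name: str         # e.g. "reflected XSS"
    location: str     # URL path or source file reference
    evidence: str     # text the tool claims to have observed in the response
    severity: str     # tool-reported: low / medium / high / critical
    confidence: str   # tool-reported: low / medium / high
    origin: str       # "scanner" (step 304) or "security_test" (step 306)


SEVERITY_WEIGHT = {"low": 2.0, "medium": 5.0, "high": 8.0, "critical": 10.0}
CONFIDENCE_WEIGHT = {"low": 0.5, "medium": 0.8, "high": 1.0}

# Pre-defined remediation steps keyed by finding name (assumed wording).
REMEDIATIONS = {
    "reflected XSS": "HTML-encode untrusted data before inserting it into the page.",
    "SQL injection": "Use parameterised queries; never concatenate input into SQL.",
    "directory listing": "Disable automatic index pages on the web server.",
}


def build_threat_list(vulnerabilities, security_risks):
    """Step 308: one entry per (name, location); a finding reported by both
    phases is kept once, with the higher confidence."""
    merged = {}
    for f in list(vulnerabilities) + list(security_risks):
        key = (f.name, f.location)
        current = merged.get(key)
        if current is None or CONFIDENCE_WEIGHT[f.confidence] > CONFIDENCE_WEIGHT[current.confidence]:
            merged[key] = f
    return list(merged.values())


def triage(threats, replay):
    """Steps 310 and 312: replay each location through the debugging tool and
    keep a threat only if its evidence reproduces (assumed decision rule)."""
    valid, false_positives = [], []
    for f in threats:
        (valid if f.evidence in replay(f.location) else false_positives).append(f)
    return valid, false_positives


def risk_score(f):
    """Step 314: 0-10, tool severity scaled by tool confidence."""
    return round(SEVERITY_WEIGHT[f.severity] * CONFIDENCE_WEIGHT[f.confidence], 1)


def classify(score):
    """Step 316: risk classification from the score."""
    if score >= 9.0:
        return "critical"
    if score >= 7.0:
        return "high"
    if score >= 4.0:
        return "medium"
    return "low"


def build_report(app_name, valid, false_positives):
    """Steps 318 and 320: one row per valid threat, highest risk first, with
    its classification and remediation; false positives listed separately."""
    rows = []
    for f in valid:
        score = risk_score(f)
        rows.append({**asdict(f), "risk_score": score, "risk_class": classify(score),
                     "remediation": REMEDIATIONS.get(
                         f.name, "No pre-defined remediation; manual review required.")})
    rows.sort(key=lambda r: r["risk_score"], reverse=True)
    return {"application": app_name, "valid_threats": rows,
            "false_positives": [asdict(f) for f in false_positives]}


# Constructed sample findings and replayed responses.
SCANNER_FINDINGS = [   # step 304
    Finding("reflected XSS", "/search?q", "<script>alert(1)</script>", "high", "medium", "scanner"),
    Finding("directory listing", "/static/", "Index of /static", "low", "high", "scanner"),
]
SECURITY_TEST_FINDINGS = [   # step 306; the XSS is a duplicate of the scanner's
    Finding("reflected XSS", "/search?q", "<script>alert(1)</script>", "high", "high", "security_test"),
    Finding("SQL injection", "/item?id", "You have an error in your SQL syntax", "critical", "low", "security_test"),
]
REPLAYED = {   # what the debugging tool sees when it re-requests each location
    "/search?q": "<p>Results for <script>alert(1)</script></p>",
    "/static/": "<h1>Index of /static</h1>",
    "/item?id": "<p>No item found</p>",      # the SQL error no longer reproduces
}


def run_example():
    threats = build_threat_list(SCANNER_FINDINGS, SECURITY_TEST_FINDINGS)
    valid, false_positives = triage(threats, lambda location: REPLAYED[location])
    return build_report("demo-app", valid, false_positives)


if __name__ == "__main__":
    import json
    print(json.dumps(run_example(), indent=2))
```

With the sample data the duplicate XSS finding is kept once with the higher confidence, the SQL injection lands in the false-positive list because its error message does not reproduce on replay, and the report lists the two valid threats with the XSS first.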
[041] Referring now to FIG. 4, a workflow of the system 100 is
illustrated, in accordance with some embodiments. With reference to FIG. 4,
at block 402 an input file may be received. In an example, a URL link to the
input file may be received. Further, along with the application, authentication
information, an indication of whether the scan to be performed on the
application is an active or a passive scan, and the email addresses of the
recipients may be received as input. In an embodiment, the received input may
be passed to an automation server at block 404. The automation server at block
404 may be a free and open source automation server that automates building,
testing, and deploying, facilitating continuous integration and continuous
delivery of the application. As an example, the automation server at block 404
may be Jenkins®, which is an open source automation server.
[042] In an embodiment, automation may be triggered by the
automation server at block 404 and passed to a security test automation
framework at block 406. The framework at block 406 may perform the
application security testing. As an example, the framework at block 406 may
perform a full-fledged vulnerability scan at block 408. To perform the
vulnerability scan at block 408, a full scan may be performed at block 410,
OWASP test automation may be performed at block 412, and false positive
analysis may be performed at block 414. As may be appreciated by those
skilled in the art, the full scan performed at block 410, the OWASP test
automation performed at block 412, and the false positive analysis performed at
block 414 may be performed in any order and may be executed in parallel.
[043] In an embodiment, upon performing the vulnerability scan at
block 408, the determined vulnerabilities may be registered at block 416. The
vulnerabilities may be registered in a defect-tracking (bug-tracking) system,
e.g., Bugzilla. Such a system allows the user to keep track of outstanding
bugs, problems, issues, enhancements, and other change requests in the
applications effectively.
[044] In an embodiment, at block 418, scan results (e.g., the bugs or
errors) obtained during the vulnerability scan are stored in a database.
Further, a set of reports may be generated at block 420 using the stored scan
results. In another embodiment, at block 422 customized vulnerability reports
including one or more remediations may be generated.
[045] The customized vulnerability reports may be shared with
relevant stakeholders. In an example, the reports may be shared via an email
or physically with the stakeholders. The stakeholders may be such as
software developers, testers, coders, and managers and the like associated
with the system 100.
[046] Referring now to FIG. 5A, a flow diagram for performing scan
configuration and testing of data by the security testing device 200 is
illustrated at 500-1, in accordance with some embodiments. With reference
to FIG. 5A, at block 502 a scan configuration and test data may be received.
The scan configuration tells the tools used by the security testing device
what kind of scan is to be performed. The scan may be a full scan, a partial
scan, an explore option, a test option, an active scan (e.g., crafted or
malicious inputs are injected into HTTP requests and the HTTP responses
received are analyzed), a passive scan (e.g., no additional HTTP requests or
malicious inputs are sent; the responses already observed are analyzed to
determine the presence of vulnerabilities), and the like. The scan
configuration details may be maintained in the properties section of the test
data as maintained by the security testing device 200.
[047] Further, at block 504, a validation of the received configuration
data is performed. Upon positive data validation at block 506, the
configuration data is passed to a core engine of the security testing device
200 to perform the scan. Otherwise, a validation error message may be
generated at block 508.
[048] Referring now to FIG. 5B a flow diagram for depicting
functioning of the core engine of the security testing device 200 is illustrated
at 500-2, in accordance with some embodiments. With reference to FIG. 5B,
at block 506 the core engine of the security testing device 200 is presented.
At block 508, a set of test engines present in the core engine 506 are
provided. The set of test engines at block 508 may further be classified under
block 512 as Dynamic Application Security Testing (DAST) engine, block 514
as Open Web Application Security Project (OWASP) test engine, and block
516 as Static Application Security Testing (SAST) engine. Further, the testing
performed under block 512, 514 and 516 may lead to production of
application scan results at block 518.
[049] As an example, the core engine at block 506 may validate the
configuration data. If the configuration data requests run-time analysis, i.e.,
dynamic application security testing, the core engine may transfer control to
the DAST engine at block 512. Subsequently, the DAST engine at block 512 may
perform either the active scan or the passive scan based on rules defined at
runtime, and provide remediations for the vulnerabilities found. Further, the
determined vulnerability results may be presented as reports, graphs,
dashboards, or email. In another example, when the configuration data is for
OWASP testing, the core engine at block 506 transfers control to the OWASP
test engine at block 514. The OWASP test engine at block 514 may be configured
to perform a selected subset of the available tests, e.g., HTTP malicious
request/response tests. In yet another example, the SAST engine at block 516
may be used to perform testing when the application is partially ready, when
the application is to be deployed on a server, and the like.
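The validation at blocks 504 to 508 and the core engine's routing at blocks 506 to 516, as an added example in Python rather than the patent's or HCL's own code. Only the DAST path is implemented, to show the active/passive distinction from paragraph [046]: the passive scan inspects a response that has already been received without sending anything further, while the active scan injects a marker into each request parameter and looks for it in the response. The configuration keys (`target_url`, `scan_mode`, `engines`, `source_path`, `recipients`, `params`), the header checks and the in-process `fake_app` target are assumptions made for this example.

```python
"""Scan-configuration validation (FIG. 5A) and core-engine routing (FIG. 5B).

Added illustrative code, not the HCL system's code. The configuration keys, the
engine names, the passive header checks and the in-process fake_app target are
assumptions made for this example.
"""
import html
import re
from urllib.parse import urlsplit

ALLOWED_MODES = {"active", "passive"}
ALLOWED_ENGINES = {"dast", "sast", "owasp"}
EMAIL_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")
# Passive check: response headers a hardened web application should always send.
REQUIRED_HEADERS = ("content-security-policy", "x-content-type-options",
                    "strict-transport-security")
# Active check: a marker unlikely to occur naturally; if it comes back unencoded
# the parameter is reflected into the page.
MARKER = "zz7q<inj>"


def validate_config(cfg):
    """Block 504: return a list of validation errors; an empty list means accepted."""
    errors = []
    parts = urlsplit(cfg.get("target_url", ""))
    if parts.scheme not in ("http", "https") or not parts.netloc:
        errors.append("target_url must be an absolute http(s) URL")
    if cfg.get("scan_mode") not in ALLOWED_MODES:
        errors.append("scan_mode must be 'active' or 'passive'")
    engines = set(cfg.get("engines", []))
    if not engines or not engines <= ALLOWED_ENGINES:
        errors.append("engines must be a non-empty subset of %s" % sorted(ALLOWED_ENGINES))
    if "sast" in engines and not cfg.get("source_path"):
        errors.append("sast engine requires source_path")
    bad = [r for r in cfg.get("recipients", []) if not EMAIL_RE.match(r)]
    if bad:
        errors.append("invalid recipient address(es): " + ", ".join(bad))
    return errors


def passive_scan(url, headers, body):
    """Passive DAST: inspect a response already received; no new requests are sent."""
    lower = {k.lower(): v for k, v in headers.items()}
    findings = []
    for name in REQUIRED_HEADERS:
        if name not in lower:
            findings.append({"engine": "dast", "mode": "passive",
                             "name": "missing header " + name, "location": url})
    cookie = lower.get("set-cookie", "")
    if cookie and "httponly" not in cookie.lower():
        findings.append({"engine": "dast", "mode": "passive",
                         "name": "cookie without HttpOnly", "location": url})
    return findings


def active_scan(send, url, params):
    """Active DAST: send one probe per parameter and look for the marker in the body."""
    findings = []
    for name in params:
        probe = dict(params)
        probe[name] = MARKER
        _status, _headers, body = send(url, probe)
        if MARKER in body:
            findings.append({"engine": "dast", "mode": "active",
                             "name": "reflected input", "location": url + "?" + name})
    return findings


def fake_app(url, params):
    """Constructed stand-in for the target application (assumption): it echoes
    'q' without encoding and 'name' with HTML encoding, and sets a cookie."""
    body = "<p>%s</p><p>%s</p>" % (params.get("q", ""), html.escape(params.get("name", "")))
    return 200, {"Content-Type": "text/html", "Set-Cookie": "sid=abc"}, body


def core_engine(cfg, send=fake_app):
    """Blocks 506-516: validate, then route to the engines named in the config.
    Only the DAST engine is implemented in this example; SAST and OWASP are
    reported as not run."""
    errors = validate_config(cfg)
    if errors:
        return {"status": "validation_error", "errors": errors}   # block 508
    findings, skipped = [], []
    for engine in cfg["engines"]:
        if engine != "dast":
            skipped.append(engine)
            continue
        url, params = cfg["target_url"], cfg.get("params", {})
        _status, headers, body = send(url, params)       # one baseline request
        findings += passive_scan(url, headers, body)
        if cfg["scan_mode"] == "active":
            findings += active_scan(send, url, params)
    return {"status": "ok", "findings": findings, "engines_not_run": skipped}
```

Against `fake_app` the passive pass reports the three missing headers and the cookie without HttpOnly; the active pass adds exactly one reflected-input finding, for `q`, because `name` is HTML-encoded and the marker does not survive. A config with an unsupported mode or a `sast` engine without `source_path` is rejected before any engine runs, which is the block 508 path.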
[050] Referring now to FIG. 6A a flow diagram depicting functioning
of the DAST test engine is illustrated at 600-1, in accordance with some
embodiments. With reference to FIG. 6A, at block 602 a core engine is
provided. At block 604, it is determined whether the config data as received
from the core engine is DAST engine compliant config data. If the data is not
DAST engine compliant, the execution flow is directed towards the core
engine 602. Else, if the data is DAST engine compliant, the execution flow is
directed to the DAST engine at block 606.
[051] In an embodiment, the DAST engine at block 606 may execute
application runtime policies at block 608, followed by a passive web
application scan at block 610. Further, an active web application scan may be
performed at block 612 and customized remediations are generated at block
614.
[052] In an embodiment, after generating the customized
remediations, scan results are consolidated at block 616. The consolidated
scanned results may be presented in form of dashboards at block 618, as
scan HTML reports at block 620, and as graphs at block 622. Additionally,
the consolidated scanned results may be emailed to relevant stakeholders at
block 624.
[053] Referring now to FIG. 6B, a flow diagram depicting functioning
of the SAST test engine is illustrated at 600-2, in accordance with some
embodiments. With reference to FIG. 6B, the core engine is illustrated at
block 602. At block 604, it is determined whether the config data is SAST
engine compliant config data. If the config data at block 604 is not SAST
compliant config data, the flow of execution is transferred back to the core
engine 602; otherwise the flow of execution is directed to the SAST engine at
block 626. Thereafter, a plurality of policies is scanned at block 628, the
source code is scanned at block 630, a source/sink analysis is performed at
block 632, and customized remediations are generated at block 634.
[054] In an embodiment, at block 636, the scan results may be
consolidated. The consolidated scanned results may be presented in form of
dashboards at block 638, as HTML scan reports at block 640, and as graphs
at block 642. Additionally, the consolidated scan results may be presented as
email scan reports at block 644 to relevant stakeholders.
[055] Referring now to FIG. 6C, a flow diagram depicting functioning
of the OWASP test engine is illustrated at 600-3, in accordance with some
embodiments. With reference to FIG. 6C, the core engine is illustrated at
block 602. At block 604, the config data is checked. If the config data is
not OWASP engine compliant, the flow of execution is directed back to the core
engine at block 602; otherwise the flow of execution is directed to the OWASP
engine at block 646. The OWASP engine at block 646 may receive a set of
multiple documents available at block 648 as input. Thereafter, the OWASP
engine performs a fuzzing operation at block 650, an HTTP malicious
request/response operation at block 652, an API security operation at block
654, and provides customized remediations at block 656.
[056] After completion of these operations, the scan results are
consolidated. The consolidated scan results may be presented as dashboards
at block 658, as HTML scan reports at block 660, and as graphs at block 662.
Further, at block 664, the scan report may be emailed to relevant
stakeholders.
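Blocks 616, 636 and 656 each consolidate results from an engine that may report the same weakness at the same location as another engine, after which the method separates valid threats from false positives (step 310, claims 1 and 2), assigns a risk score and a risk classification (claim 3) and looks up pre-defined remediations (claim 4). The following is an added example, not the patent's code: the finding format, the 0-10 score thresholds, the remediation table and the representation of the debugging tool's verdicts as a set of confirmed false-positive keys are assumptions, and the engine output is constructed.

```python
"""Consolidate findings from the DAST, SAST and OWASP engines into one list of
threats, split it into valid threats and false positives, classify each threat
by risk score and count by severity for the dashboard and graph.

Added example, not the patent's code. The finding format, the 0-10 score
thresholds, the remediation table and the representation of the debugging
tool's verdicts as a set of confirmed false-positive keys are assumptions.
"""
from collections import Counter
from dataclasses import dataclass, field

# Assumed thresholds on a 0-10 (CVSS-like) risk score, checked highest first.
CLASSIFICATION = [(9.0, "critical"), (7.0, "high"), (4.0, "medium"),
                  (0.1, "low"), (0.0, "information")]

# Assumed pre-defined remediation steps keyed by finding type (claim 4).
REMEDIATIONS = {
    "sql_injection": "Use parameterised queries; never concatenate input into SQL.",
    "missing_httponly": "Set the HttpOnly attribute on session cookies.",
    "clickjacking": "Send Content-Security-Policy: frame-ancestors 'none'.",
}


@dataclass
class Threat:
    kind: str                 # finding type, e.g. "sql_injection"
    location: str             # URL/parameter (DAST, OWASP) or file:line (SAST)
    score: float              # risk score, 0-10
    engines: set = field(default_factory=set)   # engines that reported it
    false_positive: bool = False

    @property
    def key(self):
        return (self.kind, self.location)

    @property
    def classification(self):
        for threshold, label in CLASSIFICATION:
            if self.score >= threshold:
                return label
        return "information"

    @property
    def remediation(self):
        return REMEDIATIONS.get(self.kind, "No pre-defined remediation; review manually.")


def consolidate(engine_results):
    """Merge raw engine output into one deduplicated list of threats.

    engine_results maps engine name -> list of {"kind", "location", "score"}.
    The same kind at the same location reported by several engines becomes one
    threat that keeps the highest score and remembers which engines saw it.
    """
    merged = {}
    for engine, findings in engine_results.items():
        for raw in findings:
            key = (raw["kind"], raw["location"])
            threat = merged.setdefault(key, Threat(raw["kind"], raw["location"], 0.0))
            threat.score = max(threat.score, float(raw["score"]))
            threat.engines.add(engine)
    return sorted(merged.values(), key=lambda t: (-t.score, t.kind, t.location))


def triage(threats, false_positive_keys):
    """Apply the debugging step's verdicts: threats whose key was confirmed
    harmless are marked false positives. Returns (valid, false_positives)."""
    valid, false_positives = [], []
    for threat in threats:
        threat.false_positive = threat.key in false_positive_keys
        (false_positives if threat.false_positive else valid).append(threat)
    return valid, false_positives


def severity_counts(threats):
    """Number of threats per classification, in report order, zeros included."""
    counts = Counter(t.classification for t in threats)
    return {label: counts.get(label, 0) for _, label in CLASSIFICATION}


# Constructed sample output of the three engines (not real scan data).
SAMPLE_RESULTS = {
    "dast": [
        {"kind": "sql_injection", "location": "https://app.example/search?q", "score": 9.1},
        {"kind": "missing_httponly", "location": "https://app.example/login", "score": 4.3},
    ],
    "sast": [
        {"kind": "sql_injection", "location": "src/search.py:42", "score": 8.8},
        {"kind": "hardcoded_secret", "location": "src/config.py:7", "score": 7.5},
    ],
    "owasp": [
        {"kind": "sql_injection", "location": "https://app.example/search?q", "score": 8.6},
        {"kind": "clickjacking", "location": "https://app.example/", "score": 4.0},
        {"kind": "server_banner", "location": "https://app.example/", "score": 0.0},
    ],
}
# Constructed verdict from the debugging step: the banner finding was confirmed harmless.
SAMPLE_FALSE_POSITIVES = {("server_banner", "https://app.example/")}

if __name__ == "__main__":
    valid, dropped = triage(consolidate(SAMPLE_RESULTS), SAMPLE_FALSE_POSITIVES)
    print("summary:", severity_counts(valid), f"({len(dropped)} false positive(s) removed)")
    for t in valid:
        print(f"[{t.classification}] {t.kind} at {t.location} "
              f"({', '.join(sorted(t.engines))}): {t.remediation}")
```

Merging on (kind, location) keeps the highest score rather than averaging, so a finding confirmed by two engines is never downgraded by the less confident one; the false positives are kept in a separate list rather than discarded, so the report can still show what the debugging step suppressed.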
[057] Referring now to FIG. 7, an exemplary triggering of a security
assessment job by the system is illustrated at 700, in accordance with some
embodiments of the present disclosure. As illustrated, the security
assessment job may be started manually or triggered at predefined intervals,
for example daily. In another example, the security testing device may
receive a set of predefined configuration parameters for performing an
automated vulnerability assessment. The predefined configuration
parameters may include, for example, the URLs of the targeted websites or
software to be assessed, the type of scanner to be used, files to be excluded
from scanning, scanning modes, the email addresses of the stakeholders who
are to receive the vulnerability assessment report, and so forth.
[058] Referring now to FIG. 8, an exemplary vulnerability assessment
report dashboard is illustrated at 800, in accordance with some embodiments
of the present disclosure. As illustrated, the vulnerability assessment report
may be prepared for use by appropriate stakeholders such as product
managers, security architects, and so forth. As shown, the vulnerability
assessment report may include, for example, a scan ID for the application,
the URL of the application or website, the scan date and duration, the
environment in which the vulnerability test is performed, a build version, and
the resulting vulnerability score, e.g., high, medium, or low.
[059] Referring now to FIG. 9, an exemplary vulnerability graph
generated by the security testing device is illustrated at 900, in accordance
with some embodiments of the present disclosure. As illustrated, the
vulnerability graph may plot the number of vulnerabilities found on one axis
(e.g., the Y axis), with the vulnerabilities categorized as high, medium, or
low along the other axis (e.g., the X axis).
[060] In an embodiment, the user may be given the choice to execute the
full set of OWASP standard vulnerability tests, a selected set of test cases, or
a single test case while performing the vulnerability assessment. For
example, the user may select test cases from a security assessment list that
includes checks such as cookiesecureattribute, cookiehttponlyattribute,
clickjacking, browsercacheweakness, and so forth. In another example, a
vulnerability assessment report may be generated after the vulnerability tests
have run. The report may, for example, include a summary with the
application environment, application build version, scan date, and scan
duration. The report may include a count of the vulnerability issues
encountered in the application, classified by severity level, e.g., critical,
high, medium, low, and information. Further, a total count of each
vulnerability type found in the application may be presented. It may be
appreciated that, when presenting the count of vulnerabilities, determined
false positives may be identified and removed from the list of vulnerabilities.
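The four test cases named above are passive checks on HTTP response headers, and the choice between a full run, a subset, or a single test case maps naturally onto a registry of named checks. The following is an added example, not code from the patent: it implements those four checks against an already-captured response and lets the caller select which ones to run. The response representation, the pass/fail criteria and the constructed weak and hardened responses are assumptions made for the demonstration.

```python
"""Passive checks for four of the selectable test cases named in the text
(cookiesecureattribute, cookiehttponlyattribute, clickjacking,
browsercacheweakness), run against an already-captured HTTP response.

Added example, not the patent's code. The check names come from the text; the
response representation, the pass/fail criteria and the sample responses are
assumptions made for the demonstration.
"""

# A response is {"status": int, "headers": [(name, value), ...]}; the header list
# keeps duplicates because Set-Cookie legitimately repeats.


def header_values(response, name):
    """All values of a header, matched case-insensitively."""
    return [v for n, v in response["headers"] if n.lower() == name.lower()]


def is_html(response):
    return any(v.lower().startswith("text/html") for v in header_values(response, "Content-Type"))


def cookie_attributes(set_cookie):
    """Return (cookie name, {lower-cased attribute names}) for one Set-Cookie value."""
    parts = [p.strip() for p in set_cookie.split(";")]
    name = parts[0].split("=", 1)[0]
    return name, {p.split("=", 1)[0].lower() for p in parts[1:] if p}


def check_cookiesecureattribute(response):
    return [f"cookie '{name}' lacks the Secure attribute"
            for name, attrs in map(cookie_attributes, header_values(response, "Set-Cookie"))
            if "secure" not in attrs]


def check_cookiehttponlyattribute(response):
    return [f"cookie '{name}' lacks the HttpOnly attribute"
            for name, attrs in map(cookie_attributes, header_values(response, "Set-Cookie"))
            if "httponly" not in attrs]


def check_clickjacking(response):
    """HTML documents need a frame-ancestors CSP directive or a single
    DENY/SAMEORIGIN X-Frame-Options header; repeated or conflicting
    X-Frame-Options headers are not reliably honoured, so they do not count."""
    if not is_html(response):
        return []
    csp = " ".join(header_values(response, "Content-Security-Policy")).lower()
    if "frame-ancestors" in csp:
        return []
    xfo = [v.strip().lower() for v in header_values(response, "X-Frame-Options")]
    if len(xfo) == 1 and xfo[0] in ("deny", "sameorigin"):
        return []
    return ["no frame-ancestors directive and no single DENY/SAMEORIGIN X-Frame-Options header"]


def check_browsercacheweakness(response):
    """HTML responses are treated as potentially sensitive and expected to carry
    Cache-Control: no-store so the browser does not keep a copy on disk."""
    if not is_html(response):
        return []
    directives = {d.strip().lower()
                  for v in header_values(response, "Cache-Control") for d in v.split(",")}
    if "no-store" in directives:
        return []
    return [f"Cache-Control lacks no-store (directives seen: {sorted(directives) or 'none'})"]


# Registry of selectable test cases, keyed by the names used in the text.
CHECKS = {
    "cookiesecureattribute": check_cookiesecureattribute,
    "cookiehttponlyattribute": check_cookiehttponlyattribute,
    "clickjacking": check_clickjacking,
    "browsercacheweakness": check_browsercacheweakness,
}


def run_tests(response, selected=None):
    """Run every registered test case, or only the ones in `selected`.
    Unknown names are rejected instead of being silently skipped."""
    names = list(CHECKS) if selected is None else list(selected)
    unknown = sorted(set(names) - set(CHECKS))
    if unknown:
        raise ValueError(f"unknown test case(s): {unknown}")
    return {name: CHECKS[name](response) for name in names}


# Constructed responses (not captured from any real application).
WEAK_RESPONSE = {"status": 200, "headers": [
    ("Content-Type", "text/html; charset=utf-8"),
    ("Set-Cookie", "session=abc123; Path=/"),
    ("Set-Cookie", "prefs=dark; Path=/; Secure"),
    ("Cache-Control", "public, max-age=3600"),
]}
HARDENED_RESPONSE = {"status": 200, "headers": [
    ("Content-Type", "text/html; charset=utf-8"),
    ("Set-Cookie", "session=abc123; Path=/; Secure; HttpOnly; SameSite=Lax"),
    ("Content-Security-Policy", "default-src 'self'; frame-ancestors 'none'"),
    ("Cache-Control", "no-store"),
]}

if __name__ == "__main__":
    for name, findings in run_tests(WEAK_RESPONSE).items():
        print(f"{name}: {findings or 'pass'}")
```

Rejecting unknown test-case names matters in an automated pipeline: a typo in a scheduled job's configuration would otherwise make the job report a clean result for a check that never ran.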
[061] As will be also appreciated, the above described techniques
may take the form of computer or controller implemented processes and
apparatuses for practicing those processes. The disclosure can also be
embodied in the form of computer program code containing instructions
embodied in tangible media, such as floppy diskettes, solid state drives, CD-ROMs, hard drives, or any other computer-readable storage medium,
wherein, when the computer program code is loaded into and executed by a
computer or controller, the computer becomes an apparatus for practicing the
invention. The disclosure may also be embodied in the form of computer
program code or signal, for example, whether stored in a storage medium,
loaded into and/or executed by a computer or controller, or transmitted over
some transmission medium, such as over electrical wiring or cabling, through
fiber optics, or via electromagnetic radiation, wherein, when the computer
program code is loaded into and executed by a computer, the computer
becomes an apparatus for practicing the invention. When implemented on a
general-purpose microprocessor, the computer program code segments
configure the microprocessor to create specific logic circuits.
[062] The disclosed methods and systems may be implemented on a
conventional or a general-purpose computer system, such as a personal
computer (PC) or server computer. Referring now to FIG. 10, an exemplary
computing system 1000 that may be employed to implement processing
functionality for various embodiments (e.g., as a SIMD device, client device,
server device, one or more processors, or the like) is illustrated. Those skilled
in the relevant art will also recognize how to implement the invention using
other computer systems or architectures. The computing system 1000 may
represent, for example, a user device such as a desktop, a laptop, a mobile
phone, personal entertainment device, DVR, and so on, or any other type of
special or general-purpose computing device as may be desirable or
appropriate for a given application or environment. The computing system
1000 may include one or more processors, such as a processor 1002 that
may be implemented using a general or special purpose processing engine
such as, for example, a microprocessor, microcontroller or other control logic.
In this example, the processor 1002 is connected to a bus 1004 or other
communication medium. In some embodiments, the processor 1002 may be
an Artificial Intelligence (AI) processor, which may be implemented as a
Tensor Processing Unit (TPU), or a graphical processor unit, or a custom
programmable solution Field-Programmable Gate Array (FPGA).
[063] The computing system 1000 may also include a memory 1006
(main memory), for example, Random Access Memory (RAM) or other
dynamic memory, for storing information and instructions to be executed by
the processor 1002. The memory 1006 also may be used for storing
temporary variables or other intermediate information during execution of
instructions to be executed by the processor 1002. The computing system
1000 may likewise include a read only memory (“ROM”) or other static
storage device coupled to bus 1004 for storing static information and
instructions for the processor 1002.
[064] The computing system 1000 may also include storage
devices 1008, which may include, for example, a media drive 1010 and a
removable storage interface. The media drive 1010 may include a drive or
other mechanism to support fixed or removable storage media, such as a
hard disk drive, a floppy disk drive, a magnetic tape drive, an SD card port, a
USB port, a micro USB, an optical disk drive, a CD or DVD drive (R or RW),
or other removable or fixed media drive. A storage media 1012 may include,
for example, a hard disk, magnetic tape, flash drive, or other fixed or
removable medium that is read by and written to by the media drive 1010. As
these examples illustrate, the storage media 1012 may include a computer-readable storage medium having stored therein particular computer software
or data.
[065] In alternative embodiments, the storage devices 1008 may
include other similar instrumentalities for allowing computer programs or
other instructions or data to be loaded into the computing system 1000. Such
instrumentalities may include, for example, a removable storage unit 1014
and a storage unit interface 1016, such as a program cartridge and cartridge
interface, a removable memory (for example, a flash memory or other
removable memory module) and memory slot, and other removable storage
units and interfaces that allow software and data to be transferred from the
removable storage unit 1014 to the computing system 1000.
[066] The computing system 1000 may also include a
communications interface 1018. The communications interface 1018 may be
used to allow software and data to be transferred between the computing
system 1000 and external devices. Examples of the communications
interface 1018 may include a network interface (such as an Ethernet or other
NIC card), a communications port (such as for example, a USB port, a micro
USB port), Near field Communication (NFC), etc. Software and data
transferred via the communications interface 1018 are in the form of signals
which may be electronic, electromagnetic, optical, or other signals capable of
being received by the communications interface 1018. These signals are
provided to the communications interface 1018 via a channel 1020. The
channel 1020 may carry signals and may be implemented using a wireless
medium, wire or cable, fiber optics, or other communications medium. Some
examples of the channel 1020 may include a phone line, a cellular phone link,
an RF link, a Bluetooth link, a network interface, a local or wide area network,
and other communications channels.
[067] The computing system 1000 may further include Input/Output
(I/O) devices 1022. Examples may include, but are not limited to a display,
keypad, microphone, audio speakers, vibrating motor, LED lights, etc. The
I/O devices 1022 may receive input from a user and also display an output of
the computation performed by the processor 1002. In this document, the
terms “computer program product” and “computer-readable medium” may be
used generally to refer to media such as, for example, the memory 1006, the
storage devices 1008, the removable storage unit 1014, or signal(s) on the
channel 1020. These and other forms of computer-readable media may be
involved in providing one or more sequences of one or more instructions to
the processor 1002 for execution. Such instructions, generally referred to as
“computer program code” (which may be grouped in the form of computer
programs or other groupings), when executed, enable the computing system
1000 to perform features or functions of embodiments of the present
invention.
[068] In an embodiment where the elements are implemented using
software, the software may be stored in a computer-readable medium and
loaded into the computing system 1000 using, for example, the removable
storage unit 1014, the media drive 1010 or the communications interface
1018. The control logic (in this example, software instructions or computer
program code), when executed by the processor 1002, causes the processor
1002 to perform the functions of the invention as described herein.
[069] Thus, the disclosed method and system try to overcome the
technical problem of identifying vulnerabilities and security risks in an
application in a repeatable, automated manner. The method and system route
the application data and the test configuration parameters to the appropriate
DAST, SAST, or OWASP engine, consolidate the results of the different
engines into a single list of threats, and separate valid threats from false
positives. Further, the consolidated results are presented as dashboards,
HTML reports, and graphs and emailed to relevant stakeholders, so that the
results of several scanners need not be reviewed separately and informed
remediation decisions can be taken earlier.
[070] As will be appreciated by those skilled in the art, the techniques
described in the various embodiments discussed above are not routine, or
conventional, or well understood in the art. The techniques discussed above
provide for identifying vulnerabilities and security risks in an application. The
techniques first receive application data from the application and a set of test
configuration parameters from a user. The set of test configuration
parameters includes a set of vulnerability scan parameters and a set of
security test parameters. The techniques may then identify a set of
vulnerabilities in the application data through at least one scanning technique.
The at least one scanning technique is based on the set of vulnerability scan
parameters. The techniques may then identify a set of security risks in the
application data using a security test framework upon identifying the set of
vulnerabilities. The security test framework may be based on the set of
security test parameters. The technique may then add each of the set of
vulnerabilities and the set of security risks to a list of threats associated with
the application. Further, the technique may identify a set of valid threats and
a set of false positive threats from the list of threats using a debugging tool.
[071] In light of the above-mentioned advantages and the technical
advancements provided by the disclosed method and system, the claimed
steps as discussed above are not routine, conventional, or well understood
in the art, as the claimed steps provide solutions to the existing problems in
conventional technologies. Further, the claimed steps clearly bring an
improvement in the functioning of the device itself, as they provide a
technical solution to a technical problem.
[072] The specification has described a method and system for
identifying vulnerabilities and security risks in an application. The illustrated
steps are set out to explain the exemplary embodiments shown, and it should
be anticipated that ongoing technological development will change the
manner in which particular functions are performed. These examples are
presented herein for purposes of illustration, and not limitation. Further, the
boundaries of the functional building blocks have been arbitrarily defined
herein for the convenience of the description. Alternative boundaries can be
defined so long as the specified functions and relationships thereof are
appropriately performed. Alternatives (including equivalents, extensions,
variations, deviations, etc., of those described herein) will be apparent to
persons skilled in the relevant art(s) based on the teachings contained herein.
Such alternatives fall within the scope and spirit of the disclosed
embodiments.
[073] Furthermore, one or more computer-readable storage media
may be utilized in implementing embodiments consistent with the present
disclosure. A computer-readable storage medium refers to any type of
physical memory on which information or data readable by a processor may
be stored. Thus, a computer-readable storage medium may store instructions
for execution by one or more processors, including instructions for causing
the processor(s) to perform steps or stages consistent with the embodiments
described herein. The term “computer-readable medium” should be
understood to include tangible items and exclude carrier waves and transient
signals, i.e., be non-transitory. Examples include random access memory
(RAM), read-only memory (ROM), volatile memory, nonvolatile memory, hard
drives, CD ROMs, DVDs, flash drives, disks, and any other known physical
storage media.
[074] It is intended that the disclosure and examples be considered
as exemplary only, with a true scope and spirit of disclosed embodiments
being indicated by the following claims.

CLAIMS
What is claimed is:
1. A method (300) for identifying vulnerabilities and security risks in an
application, the method comprising:
receiving (302), by a security testing device (200), application data
from the application and a set of test configuration parameters from a user,
wherein the set of test configuration parameters comprises a set of
vulnerability scan parameters and a set of security test parameters;
identifying (304), by the security testing device (200), a set of
vulnerabilities in the application data through at least one scanning
technique, wherein the at least one scanning technique is based on the
set of vulnerability scan parameters;
identifying (306), by the security testing device (200), a set of
security risks in the application data using a security test framework upon
identifying the set of vulnerabilities, wherein the security test framework is
based on the set of security test parameters;
adding (308), by the security testing device (200), each of the set of
vulnerabilities and the set of security risks to a list of threats associated
with the application; and
identifying (310), by the security testing device (200), a set of valid
threats and a set of false positive threats from the list of threats using a
debugging tool.
2. The method (300) of claim 1, further comprising removing (312) the set
of false positive threats from the list of threats.
3. The method (300) of claim 1, further comprising:
assigning (314) a risk score to each of the set of vulnerabilities; and
determining (316) a risk classification for each of the set of
vulnerabilities based on the risk score.
4. The method (300) of claim 3, further comprising determining (318) one
or more remediations for each of the set of vulnerabilities, wherein the one
or more remediations are pre-defined steps for the user to fix each of the
set of vulnerabilities.
5. The method (300) of claim 4, further comprising generating (320) a
security test report of the application, wherein the security test report
comprises the set of vulnerabilities, the risk classification corresponding to
each of the set of vulnerabilities, and the one or more remediations for
each of the set of vulnerabilities.
6. The method (300) of claim 1, wherein the application data from the
application and the set of test configuration parameters from a user, are
received (322) through a Continuous Integration/Continuous Delivery
(CI/CD) pipeline.
7. The method (300) of claim 1, wherein the set of security test parameters
corresponds to one or more Open Web Application Security Project
(OWASP) standard tests.
8. The method (300) of claim 1, wherein the at least one scanning
technique is based on an active vulnerability scanning technique, a
passive vulnerability scanning technique, or a combination thereof, and
wherein the security test framework is a Dynamic Application Security
Testing (DAST) framework, a Static Application Security Testing (SAST)
framework, or a combination thereof.
9. A system (100) for identifying vulnerabilities and security risks in an
application, the system (100) comprising:
a security testing device (102) comprising a processor (104) and a
memory communicatively coupled to the processor (104), wherein the
memory stores processor-executable instructions, which, on execution,
cause the processor (104) to:
receive (302) application data from the application and a set
of test configuration parameters from a user, wherein the set of test
configuration parameters comprises a set of vulnerability scan
parameters and a set of security test parameters;
identify (304) a set of vulnerabilities in the application data
through at least one scanning technique, wherein the at least one
scanning technique is based on the set of vulnerability scan
parameters;
identify (306) a set of security risks in the application data
using a security test framework upon identifying the set of
vulnerabilities, wherein the security test framework is based on the
set of security test parameters;
add (308) each of the set of vulnerabilities and the set of
security risks to a list of threats associated with the application; and
identify (310) a set of valid threats and a set of false positive
threats from the list of threats using a debugging tool.
10. The system (100) of claim 9, wherein the processor (104) is further
configured to remove the set of false positive threats from the list of
threats.

Documents

Application Documents

# Name Date
1 202111013174-IntimationOfGrant28-11-2024.pdf 2024-11-28
2 202111013174-PatentCertificate28-11-2024.pdf 2024-11-28
3 202111013174-Written submissions and relevant documents [27-11-2024(online)].pdf 2024-11-27
4 202111013174-Correspondence to notify the Controller [21-11-2024(online)].pdf 2024-11-21
5 202111013174-FORM-26 [21-11-2024(online)].pdf 2024-11-21
6 202111013174-US(14)-HearingNotice-(HearingDate-25-11-2024).pdf 2024-11-08
7 202111013174-CLAIMS [01-08-2022(online)].pdf 2022-08-01
8 202111013174-COMPLETE SPECIFICATION [01-08-2022(online)].pdf 2022-08-01
9 202111013174-CORRESPONDENCE [01-08-2022(online)].pdf 2022-08-01
10 202111013174-DRAWING [01-08-2022(online)].pdf 2022-08-01
11 202111013174-FER_SER_REPLY [01-08-2022(online)].pdf 2022-08-01
12 202111013174-OTHERS [01-08-2022(online)].pdf 2022-08-01
13 202111013174-FER.pdf 2022-02-08
14 202111013174-COMPLETE SPECIFICATION [25-03-2021(online)].pdf 2021-03-25
15 202111013174-DRAWINGS [25-03-2021(online)].pdf 2021-03-25
16 202111013174-FIGURE OF ABSTRACT [25-03-2021(online)].jpg 2021-03-25
17 202111013174-FORM 1 [25-03-2021(online)].pdf 2021-03-25
18 202111013174-FORM 18 [25-03-2021(online)].pdf 2021-03-25
19 202111013174-FORM-9 [25-03-2021(online)].pdf 2021-03-25
20 202111013174-REQUEST FOR EXAMINATION (FORM-18) [25-03-2021(online)].pdf 2021-03-25
21 202111013174-REQUEST FOR EARLY PUBLICATION(FORM-9) [25-03-2021(online)].pdf 2021-03-25
22 202111013174-STATEMENT OF UNDERTAKING (FORM 3) [25-03-2021(online)].pdf 2021-03-25
23 202111013174-DECLARATION OF INVENTORSHIP (FORM 5) [25-03-2021(online)].pdf 2021-03-25
24 202111013174-POWER OF AUTHORITY [25-03-2021(online)].pdf 2021-03-25
25 202111013174-PROOF OF RIGHT [25-03-2021(online)].pdf 2021-03-25

Search Strategy

1 riskAE_03-05-2023.pdf
2 search_202111013174E_08-02-2022.pdf

ERegister / Renewals

3rd: 05 Feb 2025 (from 25/03/2023 to 25/03/2024)
4th: 05 Feb 2025 (from 25/03/2024 to 25/03/2025)
5th: 05 Feb 2025 (from 25/03/2025 to 25/03/2026)