Title: Systems and methods for fixing application vulnerabilities through a correlated remediation approach
Abstract: The invention relates to a system and method for fixing application vulnerabilities through a correlated remediation approach. Application vulnerabilities are identified through a dynamic and a static security assessment of the application. The vulnerability instances reported in the static assessment are fixed using standard code fixes (secure coding practices). The dynamic assessment is then re-run and its results are correlated with the static results to identify which of the vulnerability instances reported in the dynamic assessment were closed by those standard code fixes. If a vulnerability instance reported in the dynamic assessment corresponds to more than one vulnerability instance reported in the static assessment, the shortest and most cost-effective path to fix that instance is determined. The correlation results are stored in a graph database, and the remaining application vulnerabilities are fixed on the basis of that graph. An inference engine can be used to identify the correct fix for a given application vulnerability.
Publication number: US9443086 (B2)    Publication date: 2016.09.13
Application number: US201213533407    Filing date: 2012.06.26
Applicant: Infosys Limited    Inventor: Shankar Mohanakrishnan
Classification: G06F21/57    Main classification: G06F21/57
Agent (firm): LeClairRyan, a Professional Corporation    Agent: LeClairRyan, a Professional Corporation
Principal claim: 1. A method for fixing application vulnerabilities, comprising:
    identifying, by a computing device, one or more application vulnerabilities through a first dynamic security assessment and a static security assessment of an application;
    fixing, by the computing device, at least one of a first set of vulnerability instances reported in the static security assessment based on a secure coding practice;
    running, by the computing device, a plurality of other dynamic security assessments to identify one or more of a second set of vulnerability instances reported in the first dynamic security assessment that have been fixed by the fixing of the at least one of the first set of vulnerability instances reported in the static security assessment;
    identifying, by the computing device, one or more of a third set of vulnerability instances reported in the plurality of other dynamic security assessments that correspond to the at least one of the first set of vulnerability instances reported in the static security assessment by correlating one or more results of the plurality of other dynamic security assessments and the static security assessment;
    determining, by the computing device, a shortest path to fix the one or more application vulnerabilities when one or more of the third set of vulnerability instances reported in the plurality of other dynamic security assessments correspond to at least one of the first set of vulnerability instances reported in the static security assessment; and
    fixing, by the computing device, the one or more application vulnerabilities based on the correlation and the shortest path to fix the one or more application vulnerabilities.
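The loop in the abstract and in claim 1 (fix static instances, re-run the dynamic assessment, correlate, pick the shortest fix path when one dynamic finding maps to several static instances) is easier to reason about in code. The following is an added illustration, not Infosys's implementation or anything from the patent's own specification. The SAST/DAST findings, the fixes and their cost figures are constructed sample data; the correlation rule (a dynamic finding matches static instances with the same CWE on the same route), the in-memory adjacency list standing in for the graph database, and the use of fix effort as the edge weight are all assumptions made for the example.

```python
"""Correlated remediation: map DAST findings to SAST instances, hold them as a
weighted graph, and pick the cheapest fix path per dynamic finding.

Added illustration only (not the patent's implementation). All findings,
fixes and costs are constructed; the correlation rule is an assumption.
"""
import heapq
from dataclasses import dataclass


@dataclass(frozen=True)
class StaticFinding:            # one SAST report entry
    id: str
    cwe: str                    # weakness class, e.g. "CWE-89"
    route: str                  # HTTP route whose handler holds the sink (assumed mapping)
    location: str               # file:line


@dataclass(frozen=True)
class DynamicFinding:           # one DAST report entry
    id: str
    cwe: str
    route: str                  # URL path the scanner attacked
    parameter: str


@dataclass(frozen=True)
class Fix:                      # a standard code fix (secure coding practice)
    id: str
    description: str
    cost: int                   # assumed effort units, used as the edge weight
    resolves: frozenset         # static finding ids this fix closes


# Constructed sample data, not real scanner output.
STATIC = [
    StaticFinding("S1", "CWE-89", "/login", "auth/login.py:42"),
    StaticFinding("S2", "CWE-89", "/login", "auth/login.py:57"),
    StaticFinding("S3", "CWE-79", "/profile", "web/profile.py:18"),
    StaticFinding("S4", "CWE-89", "/search", "search/query.py:10"),
]
DYNAMIC = [
    DynamicFinding("D1", "CWE-89", "/login", "username"),
    DynamicFinding("D2", "CWE-79", "/profile", "name"),
    DynamicFinding("D3", "CWE-22", "/download", "file"),   # no static counterpart
]
FIXES = [
    Fix("F1", "bind parameters in login.py:42", 2, frozenset({"S1"})),
    Fix("F2", "bind parameters in login.py:57", 2, frozenset({"S2"})),
    Fix("F3", "route all SQL through a shared parameterised repository", 5,
        frozenset({"S1", "S2", "S4"})),
    Fix("F4", "HTML-encode the name field in the profile template", 1,
        frozenset({"S3"})),
]


def correlate(static, dynamic):
    """Map each dynamic finding id to the static ids with the same CWE and route."""
    by_key = {}
    for s in static:
        by_key.setdefault((s.cwe, s.route), []).append(s.id)
    return {d.id: sorted(by_key.get((d.cwe, d.route), [])) for d in dynamic}


def build_graph(correlation, fixes):
    """Adjacency list: dynamic -(0)-> static -(cost)-> fix -(0)-> DONE."""
    graph = {}

    def edge(u, v, w):
        graph.setdefault(u, []).append((v, w))
        graph.setdefault(v, [])

    for d_id, s_ids in correlation.items():
        for s_id in s_ids:
            edge(d_id, s_id, 0)
    for f in fixes:
        for s_id in f.resolves:
            edge(s_id, f.id, f.cost)
        edge(f.id, "DONE", 0)
    return graph


def shortest_fix_path(graph, start, goal="DONE"):
    """Dijkstra from a dynamic finding to DONE; (None, []) if no fix is reachable."""
    dist, prev, heap = {start: 0}, {}, [(0, start)]
    while heap:
        d, u = heapq.heappop(heap)
        if d > dist[u]:
            continue
        if u == goal:
            break
        for v, w in graph.get(u, []):
            if d + w < dist.get(v, float("inf")):
                dist[v], prev[v] = d + w, u
                heapq.heappush(heap, (d + w, v))
    if goal not in dist:
        return None, []
    path = [goal]
    while path[-1] != start:
        path.append(prev[path[-1]])
    return dist[goal], path[::-1]


def reassess(dynamic, correlation, resolved):
    """Stand-in for re-running DAST: a dynamic finding is closed once every
    static instance correlated with it has been resolved by an applied fix."""
    return {d.id: bool(correlation[d.id]) and set(correlation[d.id]) <= resolved
            for d in dynamic}


def remediate(static, dynamic, fixes):
    """Claim 1's loop: apply the cheapest fix path, re-assess, repeat until the
    dynamic finding closes or it has no static counterpart left to fix."""
    correlation = correlate(static, dynamic)
    fix_by_id = {f.id: f for f in fixes}
    applied, resolved, log = [], set(), []
    for d in dynamic:
        while not reassess([d], correlation, resolved)[d.id]:
            still_open = [s for s in correlation[d.id] if s not in resolved]
            cost, path = shortest_fix_path(build_graph({d.id: still_open}, fixes), d.id)
            if cost is None:                   # nothing correlated: needs manual triage
                log.append((d.id, None, []))
                break
            chosen = fix_by_id[path[-2]]       # node just before DONE is the fix
            applied.append(chosen.id)
            resolved |= chosen.resolves
            log.append((d.id, cost, path))
    return applied, resolved, log


if __name__ == "__main__":
    for entry in remediate(STATIC, DYNAMIC, FIXES)[2]:
        print(entry)
```

Two behaviours worth noting. D1 correlates with both S1 and S2, so the per-finding shortest path first picks F1 (cost 2) and, after the simulated re-assessment shows D1 still open, picks F2 (cost 2); the shared fix F3 (cost 5) only wins if it is cheaper than the sum of the individual fixes, and a greedy per-finding path will not find that case on its own, which is the kind of decision the patent leaves to its inference engine. D3 has no static counterpart, so the path search returns no fix and the finding is flagged for manual triage rather than silently dropped.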
Address: Bangalore, IN