US2016381060A1PendingUtilityA1

Systems and methods for aggregating asset vulnerabilities

28
Assignee: VERACODE INCPriority: Jun 23, 2015Filed: Jun 23, 2015Published: Dec 29, 2016
Est. expiryJun 23, 2035(~9 yrs left)· nominal 20-yr term from priority
H04L 61/1511H04L 63/1433H04L 67/02H04L 61/4511
28
PatentIndex Score
0
Cited by
0
References
0
Claims

Abstract

In a system for determining vulnerabilities associated with a web property, a network accessible server associated with the property is identified. One or more software components/subsystems associated with that server and, optionally, one or more versions of that component/subsystem are identified. For the identified components and versions thereof, vulnerability information is obtained from a database and compiled to determine vulnerability of the web property, without requiring access to any code of the software components/subsystems.

Claims

exact text as granted — not AI-modified
Accordingly, we claim: 
     
         1 . A method of determining whether a set of assets of an entity has a weakness, the method comprising performing by a processor the steps of:
 identifying a set of assets comprising at least one network accessible server by scanning at least one domain or a subdomain identified by a name, using a domain scanner;   (a) receiving from a first asset in the set of assets a first set of responses to one or more queries, the first set of responses comprising a first set of attributes describing identity of one or more potentially vulnerable software components associated with the first asset;   (b) analyzing the first set of attributes to identify the one or more potentially vulnerable software components associated with the set of assets;   (c) obtaining, from a repository, vulnerability information on at least one of the one or more identified software components; and   (d) determining using the vulnerability information and without testing the one or more identified software components subsequent to the identification thereof whether the set of assets has a weakness.   
     
     
         2 . The method of  claim 1 , wherein the first asset comprises at least one of a web application server and a secure shell (SSH) server. 
     
     
         3 . The method of  claim 1 , wherein a response in the set of responses comprises at least one of a hypertext transfer protocol (HTTP) response and a banner. 
     
     
         4 . The method of  claim 1 , wherein each response in the set of responses is related to a respective user agent. 
     
     
         5 . The method of  claim 1 , wherein an attribute from the first set of attributes of software components comprises at least one of: a software component name attribute, a software component version attribute, and a unique identifier (ID) corresponding to a software component. 
     
     
         6 . The method of  claim 1 , wherein the repository comprises at least one of a software component properties database and a software component index. 
     
     
         7 . The method of  claim 1 , wherein obtaining information from a repository comprises transmitting at least one attribute of at least one identified software component to the repository. 
     
     
         8 . The method of  claim 1 , wherein:
 the set of responses comprises a first response comprising a software component name attribute and a version attribute, and a second response also comprising a software component name attribute and a version attribute; and   analyzing the first set of attributes comprises:
 designating as a first software component a software component corresponding to the name attribute in the first response; and 
 comparing the name attribute in the second response with the name attribute in the first response. 
   
     
     
         9 . The method of  claim 8 , wherein the name attribute in the second response does not match the name attribute in the first response, the method further comprising designating as a second software component a software component corresponding to the name attribute in the second response. 
     
     
         10 . The method of  claim 8 , wherein the name attribute in the second response matches the name attribute in the first response, the method further comprising associating the version attributes in the first and second responses with the first software component. 
     
     
         11 . The method of  claim 10 , further comprising identifying an older version of the first software component from at least one of the version attributes in the first and second responses. 
     
     
         12 . The method of  claim 10 , wherein obtaining information on at least one of the one or more software components comprises:
 receiving a first report on the first software component using the version attribute in the first response; and   receiving a second report on the first software component using the version attribute in the second response.   
     
     
         13 . The method of  claim 12 , wherein determining whether the set of assets has a weakness comprises evaluating if at least one of the first and second reports indicates a vulnerability associated with the first software component. 
     
     
         14 . The method of  claim 1 , further comprising:
 identifying an additional software component from the information received from the repository, the additional software component being implied by at least one of the one or more software components identified in step (b);   obtaining, from the repository, additional information on the identified additional software component; and   determining using the additional information whether the set of assets has a weakness.   
     
     
         15 . The method of  claim 1 , wherein the set of assets comprises a second asset, the method further comprising, prior to step (b):
 (e) receiving from the second asset a second set of responses to one or more queries, the second set of responses comprising a second set of attributes of one or more software components associated with the second asset; and   (f) adding to the first set of attributes the second set of attributes.   
     
     
         16 . The method of  claim 15 , further comprising:
 receiving, in memory, a list of resources; and   scanning each resource in the list using a resource scanner configured to provide domain and subdomain names, to obtain a list of names, each name being a domain name or a subdomain name associated with an entity, wherein:   identifying the set of assets comprises scanning using the domain scanner a domain or subdomain associated with each name in the list of names; and   determining whether the set of assets has a weakness comprises, prior to step (b), repeating steps (e) and (f) for each asset in the set of assets.   
     
     
         17 . The method of  claim 16 , wherein a resource in the list of resources comprises one of a domain name, an Internet protocol (IP) address, and a CIDR block. 
     
     
         18 . The method of  claim 16 , wherein resource scanning comprises at least one of:
 port scanning, idle scanning, domain name service (DNS) lookup, and subdomain brute-forcing.   
     
     
         19 . A system for determining whether a set of assets of an entity has a weakness, comprising:
 a first processor; and   a first memory in electrical communication with the first processor, the first memory comprising instructions which, when executed by a processing unit comprising at least one of the first processor and a second processor, program the processing unit to:   identify a set of assets comprising at least one network accessible server by scanning at least one domain or a subdomain identified by a name, using a domain scanner;   (a) receive from a first asset in the set of assets a first set of responses to one or more queries, the first set of responses comprising a first set of attributes describing identity of one or more potentially vulnerable software components associated with the first asset;   (b) analyze the first set of attributes to identify the one or more potentially vulnerable software components associated with the set of assets;   (c) obtain, from a repository, vulnerability information on at least one of the one or more identified software components; and   (d) determine using the vulnerability information and without testing the one or more identified software components subsequent to the identification thereof whether the set of assets has a weakness.   
     
     
         20 . The system of  claim 19 , wherein the instructions program the processing unit to:
 transmit the queries to the first asset; and   determine from the received first set of responses if the first asset includes a web application server or a secure shell (SSH) server.   
     
     
         21 . The system of  claim 20 , wherein:
 the instructions program the processing unit to transmit at least one of the queries according to a user agent; and   at least one response in the set of responses is related to the user agent.   
     
     
         22 . The system of  claim 19 , wherein an attribute from the first set of attributes of software components comprises at least one of: a software component name attribute, a software component version attribute, and a unique identifier (ID) corresponding to a software component. 
     
     
         23 . The system of  claim 19 , wherein to obtain information from a repository, the instructions program the processing unit to transmit at least one attribute of at least one identified software component to the repository. 
     
     
         24 . The system of  claim 19 , wherein:
 the set of responses comprises a first response comprising a software component name attribute and a version attribute, and a second response also comprising a software component name attribute and a version attribute; and   to analyze the first set of attributes, the instructions program the processing unit to:
 designate as a first software component a software component corresponding to the name attribute in the first response; and 
 compare the name attribute in the second response with the name attribute in the first response. 
   
     
     
         25 . The system of  claim 24 , wherein:
 the name attribute in the second response does not match the name attribute in the first response; and   the instructions program the processing unit to designate as a second software component a software component corresponding to the name attribute in the second response.   
     
     
         26 . The system of  claim 24 , wherein:
 the name attribute in the second response matches the name attribute in the first response; and   the instructions program the processing unit to associate the version attributes in the first and second responses with the first software component.   
     
     
         27 . The system of  claim 26 , wherein the instructions program the processing unit to identify an older one of the version attributes in the first and second responses. 
     
     
         28 . The system of  claim 26 , wherein to obtain information on at least one of the one or more software components, the instructions program the processing unit to:
 receive a first report on the first software component using the version attribute in the first response; and   receive a second report on the first software component using the version attribute in the second response.   
     
     
         29 . The system of  claim 28 , wherein to determine whether the set of assets has a weakness, the instructions program the processing unit to evaluate if at least one of the first and second reports indicates a vulnerability associated with the first software component. 
     
     
         30 . The system of  claim 19 , wherein the instructions program the processing unit to:
 identify an additional software component from the information received from the repository, the additional software component being implied by at least one of the one or more software components identified in step (b);   obtain, from the repository, additional information on the identified additional software component; and   determine using the additional information whether the set of assets has a weakness.

Cited by (0)

No later patents cite this yet.

References (0)

No backward citations on record.