Solution-centric reporting of security warnings

Assignee

• International Business Machines Corporation · US

Inventors

• Stephen D. Teilhet · Milford, US
• Kristofer A. Duer · Manchester, US
• John Peyton · Arlington, US
• Omer Tripp · Herzliya, IL

Key dates

Classification

• Technology area (CPC H)Electricity
• CPC primaryH04L67/02
• WIPO fieldDigital communication
• WIPO sectorElectrical engineering

Abstract

A new paradigm for security analysis is provided by transitioning code analysis reporting from the problem space (the warnings themselves), to a solution space (potential solutions to the identified problems). Thus, instead of reporting raw findings to the user, the automated system as described here outputs proposed solutions to eliminate the defects identified in the security analysis. A consequence of this approach is that the report generated by the analysis tool is much more consumable, and thus much more actionable. Preferably, the report provides the user with one or more candidate location(s) at which to apply a fix to an identified security problem. These locations preferably are identified by processing overlapping nodes to identify one or more solution groupings that represent an API for a sanitization fix. The report also includes one or more recommendations for the fix, and preferably the report is generated on a per-vulnerability type basis.