Abstract: Disclosed herein are various embodiments a code simplification system. An embodiment operates by determining that a software version of a coordinator node is different from a software version of one or more worker nodes. Commits by the one or more worker nodes to a database are disabled based on the determination that the software versions differ. An update is performed on each of the one or more worker nodes. An acknowledgement that the update on each of the one or more worker nodes has completed is received, and the commits to the database by the one or more worker nodes is enabled.

Abstract: Disclosed herein are various embodiments a code simplification system. An embodiment operates by determining that a software version of a coordinator node is different from a software version of one or more worker nodes, Commits by the one or more worker nodes to a database are disabled based on the determination that the software versions differ. An update is performed on each of the one or more worker nodes. An acknowledgement that the update on each of the one or more worker nodes has completed is received, and the commits to the database by the one or more worker nodes is enabled.

Abstract: In one aspect, a method for defining a group-based policy for access to computing resources by an application/container or a group of application/container, includes the step of with a credential server: specifying a computing resource; specifying a group name and a strong cryptographic identity associated with the group name. The method includes the step of specifying a policy for an application/container belonging to a specific group to access the set of resources belonging to another group. The method includes the step of with a handler process: reading a list of subnets for which authentication is to be enforced. The method includes the step of processing an initiate authentication request with an initiator of a new network connection or initiating a new authentication request with the initiator of the network connection.

Abstract: In one aspect, a method for preventing attacks on a web application server by monitoring and validating the API calls executed by the dynamic language code of web application is provided. The method includes the step of scanning the computer system for web applications and the location of dynamic language code or script files used by the web applications. The method includes the step of parsing all script files to identify API calls, the location of API calls, and arguments used in the API calls and storing them as rules.

Abstract: In another aspect, method useful for monitoring of an API/system call implemented by an application for generating disassembly of an executable binary of the application, includes the steps of scanning a computer system for an executable application. The method includes the step of scanning the computer system for a running process associated with the executable binary. The method includes the step of initiating an application programming interface (API) call monitoring method that associates an observed API/system call with the executable binary. The method includes the step of reporting a set of collected events to a local server.

Abstract: In one aspect, a computer-implemented method for monitoring and validating execution of an executable binary code, includes the step of, prior to beginning execution of the executable binary code, disassembling the executable binary code, listing all of application programming interfaces (API) or function calls in the executable binary code, generating a validation table for a type of each of the APIs or each of the function calls, a location of each of the APIs or each of the function calls, and a return address of each of the APIs or each of the function calls in the executable binary code, and listing in the validation table the type of each of the APIs or each of the function calls.

Abstract: In one aspect, a method for preventing attacks on a web application server by monitoring and validating the API calls executed by the dynamic language code of web application is provided. The method includes the step of scanning the computer system for web applications and the location of dynamic language code or script files used by the web applications. The method includes the step of parsing all script files to identify API calls, the location of API calls, and arguments used in the API calls and storing them as rules.

Abstract: In one aspect, a method useful for preventing exploitation of a vulnerability in an interpreted code by monitoring and validating an execution of the interpreted code in a script file by an application server, includes the step of generating a mapping for an incoming network connection to a specified script file to be executed by an application server. The computerized method includes the step of inserting a hook for monitoring an application programming interface (API) call or a privileged instruction executed by the application server. The computerized method includes the step of inserting a validation code configured to validate the API call or the privileged instruction executed by the interpreted code in a script.

Abstract: The disclosed invention is a new method and apparatus for the management of application/container process identity for authentication and enforcing group-based security policies. Identities and security policies are managed in the cloud. Strong cryptographic identities or digital certificates are provided to each application/container or group of applications/containers. Applications/containers use these digital certificates to mutually authenticate each other before providing access to their resources.

Abstract: The disclosed invention is a new method and apparatus for he management of application/container process identity for authentication and enforcing group-based security policies. Identities and security policies are managed in the cloud. Strong cryptographic identities or digital certificates are provided to each application/container or group of applications/containers. Applications/containers use these digital certificates to mutually authenticate each other before providing access o their resources.

Abstract: In one aspect, a method for defining a group-based policy for access to computing resources by an application/container or a group of application/container, includes the step of with a credential server: specifying a computing resource; specifying a group name and a strong cryptographic identity associated with the group name. The method includes the step of specifying a policy for an application/container belonging to a specific group to access the set of resources belonging to another group. The method includes the step of with a handler process: reading a list of subnets for which authentication is to be enforced. The method includes the step of processing an initiate authentication request with an initiator of a new network connection or initiating a new authentication request with the initiator of the network connection.

Abstract: In one aspect, a computer-implemented method for monitoring and validating execution of an executable binary code, includes the step of, prior to beginning execution of the executable binary code, disassembling the executable binary code, listing all of application programming interfaces (API) or function calls in the executable binary code, generating a validation table for a type of each of the APIs or each of the function calls, a location of each of the APIs or each of the function calls, and a return address of each of the APIs or each of the function calls in the executable binary code, and listing in the validation table the type of each of the APIs or each of the function calls

Abstract: In one aspect, a method useful for preventing exploitation of a vulnerability in an interpreted code by monitoring and validating an execution of the interpreted code in a script file by an application server, includes the step of generating a mapping for an incoming network connection to a specified script file to be executed by an application server. The computerized method includes the step of inserting a hook for monitoring an application programming interface (API) call or a privileged instruction executed by the application server. The computerized method includes the step of inserting a validation code configured to validate the API call or the privileged instruction executed by the interpreted code in a script.

Abstract: In one aspect, a method useful for monitoring and validating execution of executable binary code, includes the step of disassembling an executable binary code of an application. The method includes the step of detecting and obtaining location and type of an application programming interface (API) call, system call, and privileged instruction that is executed by the executable binary code. The method includes the step of detecting and obtaining return address from an Al call and system call. The method includes the step of validating location of the API call system call, and privileged instruction. The method includes the step of validating return from the API call and system call.

Abstract: In another aspect, method useful for monitoring of an API/system call implemented by an application for generating disassembly of an executable binary of the application, includes the steps of scanning a computer system for an executable application. The method includes the step of scanning the computer system for a running process associated with the executable binary. The method includes the step of initiating an application programming interface (API) call monitoring method that associates an observed API/system call with the executable binary. The method includes the step of reporting a set of collected events to a local server.

Abstract: The disclosed invention is a new method and apparatus for using a white-list to authenticate active contents in web pages and removing all unauthorized active content received in the web pages. A computer system receives plurality of web pages from a web server. Web pages are scanned for plurality of active contents. A database includes attributes of plurality of active content that are permitted on the web page. A web page filtering components compares active content in web pages with the entries in the database. Any unauthorized active content in the page is removed. The modified web page is sent to the intended destination.

Abstract: The disclosed invention is a new method and apparatus for detecting and removing virus from a computing device based on a web or network service. Virus is detected by transmitting the attributes and behavior of application modules on a computing device to another computing device via a web service, where it is analyzed. After the item has been classified, that information is sent back to the computing device along with the instructions on how the remove the virus. Along with the instructions on virus remediation a clean copy of the file or a network location of the clean copy can be sent.

Abstract: The disclosed invention is a new method and apparatus for detecting and removing virus from a computing device based on a web or network service. Virus is detected by transmitting the attributes and behavior of application modules on a computing device to another computing device via a web service, where it is analyzed. After the item has been classified, that information is sent back to the computing device along with the instructions on how the remove the virus. Along with the instructions on virus remediation a clean copy of the file or a network location of the clean copy can be sent.

Abstract: The disclosed invention is a new method and apparatus for protecting applications from local and network attacks. This method also detects and removes malware and is based on creating a sandbox at application and kernel layer. By monitoring and controlling the behavior and access privileges of the application and only selectively granting access, any attacks that try to take advantage of the application vulnerabilities are thwarted.

Abstract: The disclosed invention is a new method and apparatus to achieve end-to-end secure communication over public and private networks. The method can provide security to all networked applications without any modifications to the applications. The method is compatible with other networking protocols, such as, network address translation (NAT), Internet control message protocol (ICMP), and all quality of service (QoS) protocols that operate up to the transport layer. Secure communication system based on other protocols such as IPSec cannot achieve end-to-end security, while remaining compatible with networking protocols such as NAT and ICMP.