Abstract: A method and system for the storage of data in compliance with territorial privacy laws while retaining data sovereignty. The method generally comprises splitting input data into clusters and anonymising the clustered data. Information relating to the anonymised data clusters may then be split and stored separately in data shards. The anonymization and splitting of the data prevents the restoration of the input data without access to all of the data shards. Also a method and system for decoding data anonymised by the method.

Abstract: Methods, systems, and apparatus, including computer programs encoded on a computer storage medium, for receiving an application developed by a first vendor. Processing the application, by performing a byte-code analysis of the application, to: identify a plurality of software components used by the application that were developed by vendors other than the first vendor, and provide a list of third-party software components associated with the application, the list including each of the identified software components. determining, for each software component included in the list, whether the software component has a vulnerability and, if so, selectively providing code to correct the vulnerability of the software component.

Abstract: Implementations of the present disclosure include methods, systems, and computer-readable storage mediums for determining optimal fix locations for security vulnerabilities in computer-readable code. Implementations include actions of identifying data flows from respective sources to respective sinks in computer-executable code based on information associated with the computer-executable code, determining vulnerability information of the sources, the sinks, and the data flows based on information of vulnerable sources and sinks stored in a database, and providing a graph representation of the code for display, the graph representation depicting the data flows from the respective sources to the respective sinks with the vulnerability information.

Abstract: Implementations for managing mobile devices associated with enterprise operations include actions of receiving a request to access information regarding a mobile application for download to and installation on a mobile device of a user, the request including an enterprise identifier, receiving a tenant-specific configuration based on the identifier, the tenant-specific configuration including criteria for mobile applications to be available for download to and installation on mobile devices associated with the enterprise, transmitting a request for a list of available mobile applications to an application and certification database, the request including the tenant-specific configuration, receiving the list of available mobile applications, which includes a subset of mobile applications of a superset of mobile applications, the subset of mobile applications being provided based on the tenant-specific configuration, and providing graphical representations of each mobile application in the list of available mob

Abstract: Methods, systems, and computer-readable storage media for enforcing dynamic access control constraints of a plurality of access control policies, and actions include receiving a set of ordered policies, determining a set of active policies including one or more policies in the set of ordered policies, determining an access control decision based on at least a first policy in the set of active policies, the access control decision being based on determining whether one of a permit decision and a deny decision is inherited from a second policy in the set of ordered policies, and transmitting the access control decision for enforcement of the access control policy.

Abstract: Methods, systems, and apparatus, including computer programs encoded on a computer storage medium, for receiving source code and an indication that a portion of the source code is insecure. Receiving an annotation to the source code that identifies the indication as being a false positive indication. The annotation includes a logical statement showing that the portion of the source code is not insecure, where the logical statement can be executed by a processor to prove that the portion of the source code is not insecure. Processing the annotation to determine whether the logical statement proves that the portion of the source code is not insecure. In response to determining that the logical statement proves that the portion of the source code is not insecure, retaining the annotation in the source code, and removing the indication that the portion of the source code is insecure.

Abstract: Methods, systems, and apparatus, including computer programs encoded on a computer storage medium, for accessing an electronic access control model and data indicating results of access control requests that have been processed in accordance with an access control policy of the electronic access control model. Identifying a plurality of partitions in the electronic access control model, where each partition represents one or more access criteria of the electronic access control model that, taken together, define a computer executable access privilege. For each partition, determining a number of access control requests processed based on the partition based on the data, assigning an access type to the partition, determining whether modification of a policy underlying the partition would improve the electronic access control model based on the access type of the partition and the number of access control requests processed based on the partition, and, if so, selectively modifying the policy.

Abstract: Implementations of the present disclosure include methods, systems, and computer-readable storage mediums for receiving results from security testing of source code, each result indicating a potential security vulnerability of the source code, displaying graphical representations of the results to a user, and, by a fix recommendation generator: receiving user input indicating a result of the results, receiving a set of code clones, each code clone being provided based on at least a snippet of the source code underlying the result, receiving a set of repairs, each repair being associated with a code clone, and mitigating a previously determined security vulnerability, and providing a set of fix recommendations based on the set of code clones, the set of repairs, and similarity metrics, each similarity metric indicating a similarity between the at least a snippet of the source code and a respective code clone.

Abstract: Methods, systems, and computer-readable storage media for analyzing access control violations of a computer-implemented process. Implementations include actions of receiving a request including violation data indicating an access control violation that occurred during execution of the computer-implemented process, requesting a process model from a process model database, the process model including a computer-readable representation of the computer-implemented process, and a task corresponding to the access control violation, processing the task and the process model to provide correlation data including one or more of grouped violations, a set of granted accesses, and a set of violations, and transmitting the correlation data to a client-side computing device for display to a user.

Abstract: Implementations of the present disclosure include methods, systems, and computer-readable storage mediums for determining optimal fix locations for security vulnerabilities in computer-readable code. Implementations include actions of identifying data flows from respective sources to respective sinks in computer-executable code based on information associated with the computer-executable code, determining vulnerability information of the sources, the sinks, and the data flows based on information of vulnerable sources and sinks stored in a database, and providing a graph representation of the code for display, the graph representation depicting the data flows from the respective sources to the respective sinks with the vulnerability information.

Abstract: Implementations of the present disclosure include methods, systems, and computer-readable storage mediums for receiving results from security testing of source code, each result indicating a potential security vulnerability of the source code, displaying graphical representations of the results to a user, and, by a fix recommendation generator: receiving user input indicating a result of the results, receiving a set of code clones, each code clone being provided based on at least a snippet of the source code underlying the result, receiving a set of repairs, each repair being associated with a code clone, and mitigating a previously determined security vulnerability, and providing a set of fix recommendations based on the set of code clones, the set of repairs, and similarity metrics, each similarity metric indicating a similarity between the at least a snippet of the source code and a respective code clone.

Abstract: Methods, systems, and computer-readable storage media for analyzing access control violations of a computer-implemented process. Implementations include actions of receiving a request including violation data indicating an access control violation that occurred during execution of the computer-implemented process, requesting a process model from a process model database, the process model including a computer-readable representation of the computer-implemented process, and a task corresponding to the access control violation, processing the task and the process model to provide correlation data including one or more of grouped violations, a set of granted accesses, and a set of violations, and transmitting the correlation data to a client-side computing device for display to a user.

Abstract: Methods, systems, and apparatus, including computer programs encoded on a computer storage medium, for receiving source code and an indication that a portion of the source code is insecure. Receiving an annotation to the source code that identifies the indication as being a false positive indication. The annotation includes a logical statement showing that the portion of the source code is not insecure, where the logical statement can be executed by a processor to prove that the portion of the source code is not insecure. Processing the annotation to determine whether the logical statement proves that the portion of the source code is not insecure. In response to determining that the logical statement proves that the portion of the source code is not insecure, retaining the annotation in the source code, and removing the indication that the portion of the source code is insecure.

Abstract: Methods, systems, and apparatus, including computer programs encoded on a computer storage medium, for receiving an application developed by a first vendor. Processing the application, by performing a byte-code analysis of the application, to: identify a plurality of software components used by the application that were developed by vendors other than the first vendor, and provide a list of third-party software components associated with the application, the list including each of the identified software components. determining, for each software component included in the list, whether the software component has a vulnerability and, if so, selectively providing code to correct the vulnerability of the software component.

Abstract: Methods, systems, and apparatus, including computer programs encoded on a computer storage medium, for accessing an electronic access control model and data indicating results of access control requests that have been processed in accordance with an access control policy of the electronic access control model. Identifying a plurality of partitions in the electronic access control model, where each partition represents one or more access criteria of the electronic access control model that, taken together, define a computer executable access privilege. For each partition, determining a number of access control requests processed based on the partition based on the data, assigning an access type to the partition, determining whether modification of a policy underlying the partition would improve the electronic access control model based on the access type of the partition and the number of access control requests processed based on the partition, and, if so, selectively modifying the policy.

Abstract: Implementations for managing mobile devices associated with enterprise operations include actions of receiving a request to access information regarding at least one mobile application for download to and installation on a mobile device of a user, the request including an identifier associated with an enterprise, receiving a tenant-specific configuration based on the identifier, the tenant-specific configuration including criteria for mobile applications to be available for download to and installation on mobile devices associated with the enterprise, transmitting a request for a list of available mobile applications to an application and certification database, the request including the tenant-specific configuration, receiving the list of available mobile applications, which includes a subset of mobile applications of a superset of mobile applications, the subset of mobile applications being provided based on the tenant-specific configuration, and providing graphical representations of each mobile applicatio

Abstract: Implementations of the present disclosure include methods, systems, and computer-readable storage mediums for evaluating access control constraints and include actions of receiving an access control request, obtaining a set of attributes based on an abstract evaluation of a policy, the set of attributes including one or more attributes that could be required to evaluate the access control request, requesting respective values of the one or more attributes in a batch request, receiving the respective values, and providing an access control decision based on the respective values and the policy.

Abstract: Methods, systems, and computer-readable storage media for analyzing source code of an application. In some implementations, actions include determining, for at least one procedure invoked by the source code, a procedure specification specifying one or more conditions under which one or more parameters of the procedure are exploitable according to a parameter security specification; performing static application security testing on the source code by using the procedure specification on reaching an invocation of the procedure in the source code, including: comparing one or more invoking parameters of the invocation of the procedure to the conditions of the procedure specification; and determining whether the invocation of the procedure is exploitable.

Abstract: Implementations of the present disclosure are directed to statically checking conformance of a computer-implemented service at a source code level to requirements specified at a process level and include actions of receiving source code of the computer-implemented service, receiving one or more rules, the one or more rules being generated based on a mapping and including a set of technical requirements that can be checked on the source code level, the mapping associating the requirements with the source code, and processing the source code and the one or more rules using static code analysis (SCA) to generate a result, the result indicating whether the computer-implemented service conforms to the requirements.

Abstract: In an embodiment, a method is provided for prefetching attributes used in access control evaluation. In this method, an access control policy that comprises rules is retrieved. These rules further comprise parameters. At least one of the rules is categorized into a class from multiple classes based on at least one of the parameters. Here, the class is a grouping based on at least one of these parameters. An attribute associated with the at least one of these parameters is identified and this attribute is mapped to the class.