Abstract: Methods, systems, and computer-readable storage media for post-hoc analysis of access control decisions, where actions include receiving a request to analyze an access control request, for which an access control decision has been provided based on a policy, retrieving information associated with the access control request from a log, the information including a first security state version and a time, determining a time interval based on the time and an audit policy, retrieving information associated with at least a second security state version based on the time interval, and evaluating the access control request based on information of the first security state and information of the second security state to provide a post-hoc access control decision.

Abstract: Methods, systems, and computer-readable storage media for enforcing dynamic access control constraints of a plurality of access control policies, and actions include receiving a set of ordered policies, determining a set of active policies including one or more policies in the set of ordered policies, determining an access control decision based on at least a first policy in the set of active policies, the access control decision being based on determining whether one of a permit decision and a deny decision is inherited from a second policy in the set of ordered policies, and transmitting the access control decision for enforcement of the access control policy.

Abstract: Implementations of the present disclosure include methods, systems, and computer-readable storage mediums for evaluating access control constraints and include actions of receiving an access control request, obtaining a set of attributes based on an abstract evaluation of a policy, the set of attributes including one or more attributes that could be required to evaluate the access control request, requesting respective values of the one or more attributes in a batch request, receiving the respective values, and providing an access control decision based on the respective values and the policy.

Abstract: Methods, systems, and computer-readable storage media for post-hoc analysis of access control decisions, where actions include receiving a request to analyze an access control request, for which an access control decision has been provided based on a policy, retrieving information associated with the access control request from a log, the information including a first security state version and a time, determining a time interval based on the time and an audit policy, retrieving information associated with at least a second security state version based on the time interval, and evaluating the access control request based on information of the first security state and information of the second security state to provide a post-hoc access control decision.

Abstract: Methods, systems, and computer-readable storage media for analyzing security of dataflows in programs. In some implementations, actions include processing source code using static analysis to: identify one or more dataflows and one or more candidate sanitizers, each candidate sanitizer being associated with a respective dataflow, and provide an executable sub-program for each candidate sanitizer to provide one or more executable sub-programs, processing the one or more executable sub-programs using dynamic analysis to: execute the one or more executable sub-programs, and provide dynamic analysis results, providing combined results based on the static analysis and the dynamic analysis, the combined results including the dynamic analysis results, and assigning a priority to each result in the combined results.

Abstract: Methods, systems, and computer-readable storage media for analyzing source code of an application. In some implementations, actions include determining, for at least one procedure invoked by the source code, a procedure specification specifying one or more conditions under which one or more parameters of the procedure are exploitable according to a parameter security specification; performing static application security testing on the source code by using the procedure specification on reaching an invocation of the procedure in the source code, including: comparing one or more invoking parameters of the invocation of the procedure to the conditions of the procedure specification; and determining whether the invocation of the procedure is exploitable.

Abstract: Methods, systems, and computer-readable storage media for analyzing security of dataflows in programs. In some implementations, actions include processing source code using static analysis to: identify one or more dataflows and one or more candidate sanitizers, each candidate sanitizer being associated with a respective dataflow, and provide an executable sub-program for each candidate sanitizer to provide one or more executable sub-programs, processing the one or more executable sub-programs using dynamic analysis to: execute the one or more executable sub-programs, and provide dynamic analysis results, providing combined results based on the static analysis and the dynamic analysis, the combined results including the dynamic analysis results, and assigning a priority to each result in the combined results.

Abstract: Methods, systems, and computer-readable storage media for analyzing source code of an application. In some implementations, actions include determining a control flow graph of the application using the source code of the application; determining a plurality of source-sink pairs of exploitable data sources and exploitable data sinks; and determining, for each source-sink pair, whether the source-sink pair is potentially exploitable by: determining one or more conditions under which the invoking procedure passes the exploitable data source to the exploitable data sink of the invoked procedure; and determining, using the control flow graph, whether the conditions are met in at least one possible context of the application, and if so, determining that the source-sink pair is potentially exploitable.

Abstract: Implementations of the present disclosure are directed to statically checking conformance of a computer-implemented service at a source code level to requirements specified at a process level and include actions of receiving source code of the computer-implemented service, receiving one or more rules, the one or more rules being generated based on a mapping and including a set of technical requirements that can be checked on the source code level, the mapping associating the requirements with the source code, and processing the source code and the one or more rules using static code analysis (SCA) to generate a result, the result indicating whether the computer-implemented service conforms to the requirements.

Abstract: In an embodiment, a method is provided for prefetching attributes used in access control evaluation. In this method, an access control policy that comprises rules is retrieved. These rules further comprise parameters. At least one of the rules is categorized into a class from multiple classes based on at least one of the parameters. Here, the class is a grouping based on at least one of these parameters. An attribute associated with the at least one of these parameters is identified and this attribute is mapped to the class.

Abstract: The embodiments described herein provide various techniques for providing delegation assistance. Upon a request for delegation assistance, data from information sources are retrieved. Relationships are automatically identified relative to a requesting user based on the data from the information sources. The relationships are automatically ranked, and results of the ranking are provided to the requesting user. The user may then trigger delegation resolution based in part on the results of the ranking.