Abstract: A method, product and system for selective encryption in a mobile device. The method comprising: selectively encrypting requests issued by the mobile device, wherein said selectively encrypting comprises: obtaining a request issued by an application executed by the mobile device, the request having one or more characteristics, the request has a destination; determining, based on the one or more characteristics, whether to encrypt the request; and in response to a determination to encrypt the request, re-routing the request to be transmitted to the destination through a secure channel; whereby the request is encrypted regardless of the destination being a priori associated with the secure channel.

Abstract: A system for eliminating false reports of security vulnerabilities when testing computer software, including a taint analysis engine configured to identify a tainted variable v in a computer application, a data mapping identification engine configured to identify a variable x within the application that holds data derived from v, where x is in a different format than v, an AddData identification engine configured to identify an AddData operation within the application that is performed on x, a signature identification engine configured to identify a Sign operation within the application that is performed on the results of the AddData operation on x, a signature comparison identification engine configured to identify an operation within the application that compares the results of the Sign operation with another value.

Abstract: Access-control and information-flow integrity policies are enforced in a computing system by detecting security-sensitive sinks in software code for an application running on the computing system and retrieving an access-control policy from a database accessible to the computing system. The access-control policy maps a set of access permissions within the computing system to each one of a plurality of principals. For each detected security-sensitive sink, all principals that influence that security-sensitive sink are detected and an overall access permission is assigned to each security-sensitive sink by taking the intersection of the access permission sets for all influencing principals of that security-sensitive sink. If this permission set is inadequate, an integrity violation is reported. In addition, permission labels are assigned to each value of variables used in the security-sensitive sinks. Each permission label is a set of permissions.

Abstract: A method of determining suitable insertion points for inserting string sanitizers in a computer code is provided herein. The method includes the following stages: obtaining: (i) a computer code associated with a data flow of externally supplied data, from one or more sources to one or more sinks, (ii) locations of the sources, and (iii) locations of the sinks; building a graph representing control paths, data paths and semantic relationships between the control paths and the data paths of the computer code; associating all tainted data paths on the graph, being data paths that go from sources to sinks and do not include a sanitizer; and determining, on the tainted data paths, potential control paths suitable for sanitizer insertion.

Abstract: Embodiments of the invention generally relate to injection context based static analysis of computer software applications. Embodiments of the invention may include selecting a sink within a computer software application, tracing a character output stream leading to the sink within the computer software application, determining an injection context of the character output stream at the sink, where the injection context is predefined in association with a state of the character output stream at the sink, identifying any actions that have been predefined in association with the identified injection context, and providing a report of the actions.

Abstract: A build process management system can acquire data pertaining to a software build process that is currently being executed by an automated software build system. The software build process can include executable process steps, metadata, and/or environmental parameter values. An executable process step can utilize a build artifact, representing an electronic document that supports the software build process. The acquired data can then be synthesized into an immutable baseline build process and associated baseline artifact library. The baseline artifact library can store copies of the build artifacts. The immutable baseline build process can include baseline objects that represent data values and dependencies indicated in the software build process. In response to a user-specified command, an operation can be performed upon the baseline build process and associated baseline artifact library.

Abstract: Preventing Cross-Site Request Forgery security attacks on a server in a client-server environment. In one aspect, this comprises embedding a nonce and a script in all responses from the server to the client wherein, when executed, the script adds the nonce to each request from the client to the server; sending the response with the nonce and the script to the client; and verifying that each request from the client includes the nonce sent by the server to the client. The script preferably modifies all objects, including dynamically generated objects, in a server response that may generate future requests to the server to add the nonce to the requests. The server verifies the nonce value in a request and optionally confirms the request with the client if the value differs from the value previously sent. Server-side aspects might be embodied in the server or a proxy.

Abstract: A method, system, and computer program product for cross-domain access prevention are provided. The method includes detecting a request from a first domain to access a second domain, and applying cross-domain access heuristics to determine whether to allow the request. The cross-domain access heuristics define common ownership characteristics between the first domain and the second domain. The method further includes performing the requested access in response to determining that the request complies with at least one of the cross-domain access heuristics, and blocking the requested access in response to determining that the request fails to comply with the cross-domain access heuristics.

Abstract: Preventing Cross-Site Request Forgery (CSRF) security attacks on a server in a client-server environment comprises: embedding a nonce and a script in all responses from the server to the client, the script adapted for executing to add the nonce to each request from the client to the server; sending the response with the nonce and the script to the client; and verifying that each request from the client includes the nonce. The script preferably modifies all objects, including dynamically generated objects, in a server response that may generate future requests to the server to add the nonce to the requests. The server verifies the nonce value in a request and optionally confirms the request with the client if the value is not the same as the value previously sent by the server. Server-side aspects might be embodied in the server or a proxy between the server and the client.

Abstract: Identifying a security vulnerability in a computer software application by identifying at least one source in a computer software application, identifying at least one sink in the computer software application, identifying at least one input to any of the sinks, determining whether the input derives its value directly or indirectly from any of the sources, determining a set of possible values for the input, and identifying a security vulnerability where the set of possible values for the input does not match a predefined specification of legal values associated with the sink input.

Abstract: A computer implemented method for automatically fixing a security vulnerability in a source code is disclosed. The method includes obtaining identification of code that sends tainted data to corresponding sink code in the source code; and automatically fixing the vulnerability by automatically performing code modification which is selected from the group of code modifications consisting of: code motion and code duplication. Also disclosed are computer program product and data processing system.

Abstract: A computer program product for crawling URLs that are encoded and highly dynamic, the computer program product includes a non-transitory computer readable storage medium having computer readable program code embodied therewith. The computer readable program code includes computer readable program code configured to retrieve navigational state information corresponding to a URL and compare the navigational state information to previously stored navigational state information corresponding to one or more previously visited URLs. The computer readable program code also includes computer readable program code configured to determine if the URL has been previously visited and retrieve content associated with the URL if the URL has not been previously visited.

Abstract: A method includes retrieving navigational state information corresponding to a URL; analyzing which navigational state to consider for page identification; comparing the navigational state information to previously stored navigational state information corresponding to one or more previously visited URLs; determining if the URL has been previously visited; and retrieving content associated with the URL if the URL has not been previously visited.

Abstract: A method for preventing malicious code being embedded within a scripting language of a web application accessed by a web browser (308), the method comprising: monitoring all incoming traffic (310), generated by the web browser, and outgoing traffic (326) generated by a server (318) to form monitored traffic; determining whether a unique element, defined in a configuration file, is matched with an input value of the monitored traffic to form a matched input value; responsive to a determination that the unique element is matched with an input value of the monitored traffic, saving the matched input value, determining whether an output contains the matched input value in an expected location; responsive to a determination that the output contains the matched input value in an expected location, encoding the matched input value using a respective definition from the configuration file; and returning the output (330) to the requester.

Abstract: Testing a computer software application by identifying a sink in the computer software application, identifying a source associated with the sink in the application, identifying an entry point associated with the source in the application, where the source is configured to receive input provided externally to the application via the entry point, determining a sink type represented by the sink, and providing to a testing application information identifying the entry point and in association with the sink type.

Abstract: Identifying a security breach caused when a computer-based software application uses a computer-based web browser application, including identifying at least one function within a computer-based software application that causes a computer-based web browser application to access data from a source that is external to the software application, at least partially replacing the data with malicious content that is configured to cause a predefined action to occur when the malicious content is accessed by the web browser application, where the predefined action is associated with a known security breach when the predefined action occurs subsequent to the malicious content being accessed by the web browser application, causing the software application to perform the function, and determining whether the predefined action is performed.

Abstract: A method of determining suitable insertion points for inserting string sanitizers in a computer code is provided herein. The method includes the following stages: obtaining: (i) a computer code associated with a data flow of externally supplied data, from one or more sources to one or more sinks, (ii) locations of the sources, and (iii) locations of the sinks; building a graph representing control paths, data paths and semantic relationships between the control paths and the data paths of the computer code; associating all tainted data paths on the graph, being data paths that go from sources to sinks and do not include a sanitizer; and determining, on the tainted data paths, potential control paths suitable for sanitizer insertion.

Abstract: A transformation tree for an object model (OM) is defined. The transformation tree has nodes interconnected by edges, where each node is connected to at most one other tree node. Each node corresponds to a state of the OM; each edge corresponds to an event causing the OM to transition from the state of one node to the state of another node. A transformation graph for the OM is constructed by simulating the transformation tree. The transformation graph has nodes interconnected by edges, and is a directed graph in which each node is connected to one or more other nodes. Each node corresponds to a state of the OM; each edge corresponds to an event causing the OM to transition from the state of one node to the state of another node. Crawling-oriented actions are performed in relation to the OM by being performed in relation to the transformation graph.

Abstract: A build process management system can acquire data pertaining to a software build process that is currently being executed by an automated software build system. The software build process can include executable process steps, metadata, and/or environmental parameter values. An executable process step can utilize a build artifact, representing an electronic document that supports the software build process. The acquired data can then be synthesized into an immutable baseline build process and associated baseline artifact library. The baseline artifact library can store copies of the build artifacts. The immutable baseline build process can include baseline objects that represent data values and dependencies indicated in the software build process. In response to a user-specified command, an operation can be performed upon the baseline build process and associated baseline artifact library.

Abstract: A build process management system can acquire data pertaining to a software build process that is currently being executed by an automated software build system. The software build process can include executable process steps, metadata, and/or environmental parameter values. An executable process step can utilize a build artifact, representing an electronic document that supports the software build process. The acquired data can then be synthesized into an immutable baseline build process and associated baseline artifact library. The baseline artifact library can store copies of the build artifacts. The immutable baseline build process can include baseline objects that represent data values and dependencies indicated in the software build process. In response to a user-specified command, an operation can be performed upon the baseline build process and associated baseline artifact library.