Abstract: A system and a method to map attack paths in a visualization interface may include storing in a memory asset inventory indicating application assets, attack vector parameters configured to indicate vulnerabilities of one or more of the application assets, and asset mapping information. A processor may determine multiple vulnerable assets in the application assets based at least in part upon the attack vector parameters. Further, the processor may obtain security parameters from a security framework indicating one or more attack techniques, associate each of the vulnerable assets to one or more of the security parameters, and generate a visual interface showing the vulnerable assets and the security parameters. The processor may determine an attack path connecting the vulnerable assets based at least in part upon the asset mapping information, and map the attack path to the application layers and the security parameters in the visual interface.

Abstract: A system and a method to determine attack paths to application assets may include storing in a memory asset inventory indicating multiple application assets, multiple attack vector parameters configured to indicate vulnerabilities of one or more of the application assets, and asset mapping information configured to associate each of the application assets to one or more of the application layers. A processor may determine multiple vulnerable assets in the application assets based at least in part upon the attack vector parameters. Further, the processor may determine feasibility parameters that indicate a likelihood of the attack path to occur in the system, generate a visual interface showing the vulnerable assets, determine an attack path connecting the vulnerable assets based at least in part upon the asset mapping information, and map the attack path to the application layers in the visual interface based at least in part upon the feasibility parameters.

Abstract: Dynamically tailored trust for secure application-server networking and advanced enterprise security is provided. A system can individually assess the security posture of each application connecting to the Internet from each client device in an enterprise. For each application, the system tailors a security mode of the Internet connection based on the security posture of the application. Assessment of the security posture of an application is a comprehensive inventory of the security of the application, the security of the device hosting the application, the rights and security of the user, security attributes of the intended service or website being accessed, the security of the communication channel, and so forth. A network-based controller communicates with an agent running within a secure boot mode of each client device to select a security mode for application-service connection, including lean-trust direct access to the Internet, secure VPN-like access, or no access to the Internet.

Abstract: Operations include transmitting, on behalf of a first application, a first request to a first service provider, the first request requesting first services from the first service provider, intercepting, at a local agent, a first redirect message from the first service provider to an identity provider, receiving an identity provider cookie from the identity provider based on a validation of credentials during the authentication process, storing a copy of the identity provider cookie, transmitting, on behalf of a second application, a second request to a second service provider, the second request requesting second services from the second service provider, intercepting a second redirect message from the second service provider to the identity provider, adding the identity provider cookie to the second redirect message, and receiving validation to access the second service provider from the identity provider based on the identity provider cookie stored by the local agent.

Abstract: The present disclosure is directed to assessing API service security and may include the steps of identifying an API service called by an application based on information provided by an agent embedded within the application; collecting telemetry associated with the API service, the telemetry collected from one or more telemetry sources and indicating any deficiencies in the API service; generating a reputation score for the API service based on analysis of the collected telemetry; and transmitting the reputation score to at least one of the following: the agent embedded within the application, wherein the reputation score is associated with at least one policy having at least one policy action, and wherein the reputation score is operable to be used by the agent to invoke the at least one policy action relating to use of the API service by the application; or a continuous integration/continuous delivery pipeline associated with the application.

Abstract: A system of one embodiment allows for redirecting service and API calls for containerized applications in a computer network. The system includes a memory and a processor. The system processes a plurality of application workflows of a containerized application workload. The system then identifies at least one application workflow of the plurality of application workflows and at least one workflow-specific routing rule associated with the at least one application workflow. The system then determines at least one proxy server address for each identified application workflow based on the at least one associated workflow-specific routing rule. Then the system determines at least one proxy server address for each identified application workflow based on the at least one associated workflow-specific routing rule. The system then may communicate the at least one identified application workflow to the at least one proxy server using the at least one determined proxy server addresses.

Abstract: The present disclosure is directed to systems and methods for minimizing data exposure in API responses and includes the performance of operations and/or the steps of receiving, from a client, a request for a data object from an API, wherein the data object comprises one or more data elements; identifying a client type associated with the client; receiving, from the API, a response to the request from the client; and modifying the response based on the identified client type.

Abstract: Dynamically tailored trust for secure application-server networking and advanced enterprise security is provided. A system can individually assess the security posture of each application connecting to the Internet from each client device in an enterprise. For each application, the system tailors a security mode of the Internet connection based on the security posture of the application. Assessment of the security posture of an application is a comprehensive inventory of the security of the application, the security of the device hosting the application, the rights and security of the user, security attributes of the intended service or website being accessed, the security of the communication channel, and so forth. A network-based controller communicates with an agent running within a secure boot mode of each client device to select a security mode for application-service connection, including lean-trust direct access to the Internet, secure VPN-like access, or no access to the Internet.

Abstract: The present disclosure is directed to systems and methods for vulnerability analysis using continuous application attestation, a method including receiving a load map associated with an application, the load map indicating loaded modules of the application; determining whether at least one notification is received indicating at least one update to the loaded modules of the application, wherein, if the at least one notification is received, the load map is updated based on the indicated at least one update, and wherein, if the at least one notification is not received, the load map is retained in an existing state; periodically retrieving call traces associated with the application, the call traces indicating executed modules of the application; and generating a continuous application attestation comprising at least a combination of the updated load map or the retained load map, and the retrieved call traces associated with the application at a given time.

Abstract: This disclosure describes techniques including, by a domain name service (DNS), receiving a name resolution request from a client computing device and, by the DNS, providing a nonce to the client computing device, wherein a service is configured to authorize a connection request from the client computing device based at least in part on processing the nonce. This disclosure further describes techniques include a method of validating a connection request from a client computing device, including receiving the connection request, the connection request including a nonce. The techniques further include determining that the nonce is a valid nonce. The techniques further include, based at least in part on determining that the nonce is a valid nonce, authorizing the connection request and disabling the nonce.

Abstract: In one embodiment, an illustrative method may comprise: monitoring, by a process, a behavior of an application between one or more client devices and an application programming interface service; establishing, by the process, an application model of objects and functions within the application based on the behavior; and determining, by the process, an authorization logic of the application for the objects and functions based on the application model. In one embodiment, the illustrative method further comprises: testing one or more authorization approaches against the application to determine one or more discrepancies within the authorization logic indicative of faulty authorizations; and mitigating the one or more discrepancies.

Abstract: This disclosure describes techniques for dynamically changing a user authorization with a service provider during an ongoing user session. The changing user authorization may be used to address changing confidence in an identity of a user consuming a service provided by the service provider. The changing user authorization may also be used to adjust a scope of a service to which a user has access. The present techniques may allow single-sign-on type protocols to accomplish the flexible and dynamic change-of-authorization functionality of some traditional protocols to handle ongoing client-server sessions, rather than simply revoking authorization for access to the service. For this reason, the present techniques are able to integrate advantages of traditional protocols with newer, single-sign-on-type protocols.

Abstract: This disclosure describes techniques including, by a domain name service (DNS), receiving a name resolution request from a client computing device and, by the DNS, providing a nonce to the client computing device, wherein a service is configured to authorize a connection request from the client computing device based at least in part on processing the nonce. This disclosure further describes techniques include a method of validating a connection request from a client computing device, including receiving the connection request, the connection request including a nonce. The techniques further include determining that the nonce is a valid nonce. The techniques further include, based at least in part on determining that the nonce is a valid nonce, authorizing the connection request and disabling the nonce.

Abstract: The present disclosure is directed to systems and methods for clientless virtual private network (VPN) roaming with 802.1x authentication and includes one or more processors and one or more computer-readable non-transitory storage media coupled to the one or more processors and comprising instructions that, when executed by the one or more processors, cause one or more components to perform operations including, receiving, at a local proxy, an 802.1x communication including authentication information from a remote device wirelessly connected to a visited network, wherein the remote device requests access to an enterprise network; authenticating the remote device with the enterprise network using the authentication information; establishing an encrypted tunnel between the visited network and the enterprise network; and transmitting data between the remote device and the enterprise network through the encrypted tunnel.

Abstract: According to some embodiments, a method is performed by a distributed cloud-native application. The method comprises receiving a request from a user to perform an operation. The user is associated with a risk profile. The method further comprises determining a call path through the distributed cloud-native application to perform the operation and classifying a risk level associated with the determined call path based on a distributed call graph. The distributed call graph comprises a risk value for each call path through the distributed cloud-native application and each call path comprises one or more distributed cloud-native application components. The risk value is based on a weakness rating associated with each component in the call path. The method further comprises determining the risk level associated with the determined call path is acceptable based on the risk profile associated with the user and performing the operation.

Abstract: According to some embodiments, a method comprises: obtaining an application programming interface (API) specification for an API service; performing one or more tests on the API service to determine an amount of deviation between the API service and the API specification; and determining a deviation score based on the amount of deviation between the API service and the API specification. The method may include transmitting the deviation score to a scoring agent.

Abstract: The present disclosure is directed to systems and methods for vulnerability analysis using continuous application attestation, a method including receiving a load map associated with an application , the load map indicating loaded modules of the application; determining whether at least one notification is received indicating at least one update to the loaded modules of the application, wherein, if the at least one notification is received, the load map is updated based on the indicated at least one update, and wherein, if the at least one notification is not received, the load map is retained in an existing state; periodically retrieving call traces associated with the application, the call traces indicating executed modules of the application; and generating a continuous application attestation comprising at least a combination of the updated load map or the retained load map, and the retrieved call traces associated with the application at a given time.

Abstract: Techniques for utilizing an enterprise traffic interception service (TIS) to enforce policies that mandate how clients access software as a service (SaaS) offered by service providers and selectively intercept enterprise network traffic utilizing a domain name service (DNS) and a single sign-on (SSO) service on a per-client per-service basis. The TIS may include a DNS server, an identity provider service, a TLS inspecting proxy, and/or a policy server. The DNS server may handle requests to resolve an address of a service, and identify a policy, stored in the policy server, to redirect the client based on the identity of the client and the service. The identity provider service may later query the policy server during client authorization for the service to verify that the client request is in line with the policy and allow or deny access to the service.

Abstract: An example method is provided in one example embodiment and may include receiving traffic associated with at least one of a mobile network and a Gi-Local Area Network (data-plane), wherein the traffic comprises one or more packets; determining a classification of the traffic to a service chain, wherein the service chain comprises one or more service functions associated at least one of one or more mobile network services and one or more data-plane services; routing the traffic through the service chain; and routing the traffic to a network using one of a plurality of egress interfaces, wherein each egress interface of the plurality of egress interfaces is associated with at least one of the one or more mobile network services and the one or more data-plane services.

Abstract: Techniques for using a single sign-on (SSO) service as a software defined networking (SDN) controller for a virtual private network environment. The techniques disclosed herein may include receiving, at a first authentication service, first data including a first request to authenticate a user of a client device to access an application. The techniques may also include sending, to the client device, second data representing a second request configured to prompt a second authentication service to authenticate the user of the client device. Additionally, the first authentication service may receive an indication that the user was authenticated by the second authentication service and determine, based at least in part on an attribute associated with at least one of the client device or the application, whether the client device is to access the application using an unsecured connection or, alternatively, access the application using a secured connection.