Abstract: A secure secrets proxy is instantiated in a first computing environment and includes secure secrets proxy authentication data for identifying itself to a secrets distribution management system in a second computing environment as a trusted virtual asset to receive and cache secrets data in a secure secrets cache outside the second computing environment. A virtual asset requests one or more secrets, triggering a process to authenticate the requesting virtual asset, gathering authorized secrets data representing secrets the virtual asset is allowed to have. The secure secrets proxy is provided data representing the requested secrets and stores that secrets data in the secure secrets cache of the proxy.

Abstract: A secure secrets proxy is instantiated in a first computing environment and includes secure secrets proxy authentication data for identifying itself to a secrets distribution management system in a second computing environment as a trusted virtual asset to receive and cache secrets data in a secure secrets cache outside the second computing environment. The secure secrets proxy requests one or more secrets to be cached and is then provided data representing the requested secrets in the secure secrets cache. The secure secrets proxy then receives secrets application request data from a second virtual asset instantiated in the first computing environment requesting one or more secrets be applied to second virtual asset data. The secure secrets proxy then obtains the required secrets from the secure secrets cache and coordinates the application of the secrets to the second virtual asset data.

Abstract: Virtual asset creation data used to create a virtual asset is generated through a virtual asset creation system that includes primary virtual asset data. Secondary authentication data is also generated. When the virtual asset is launched, the secondary authentication data is passed to the virtual asset from the virtual asset creation system. The primary virtual asset data and secondary authentication data from the virtual asset creation system and the virtual asset, and/or one or more other sources associated with the virtual asset, are then sent to a virtual asset validation system through different communication channels. If the primary virtual asset data and secondary authentication data from the two sources match, or have a defined threshold level of similarity, the status of the virtual asset is transformed to the status of validated virtual asset eligible to receive sensitive data.

Abstract: An analysis trigger monitoring system is provided in one or more virtual assets. One or more analysis trigger parameters, including security threat patterns, are defined and analysis trigger data is generated. The one or more analysis trigger monitoring systems are used to monitor at least a portion of the message traffic sent to, or sent from, the one or more virtual assets to detect any message including one or more of the one or more analysis trigger parameters. Any detected message is identified as a potential security threat and is assigned a threat score, which is provided to the virtual asset. A copy of at least a portion of any detected message including one or more of the one or more analysis trigger parameters is then transferred to one or more analysis systems for further analysis using a second communication channel.

Abstract: Secrets data representing one or more secrets required to access associated resources is provided along with secrets distribution policy data representing one or more secrets distribution factors used to control the distribution of the secrets. When a requesting virtual asset submits secrets request data, virtual asset profile data associated with the requesting virtual asset is obtained. The requesting virtual asset profile data is then analyzed using at least one of the secrets distribution factors to authenticate the requesting virtual asset. The requesting virtual asset profile data is then analyzed using one or more of secrets distribution factors to determine what secrets the requesting virtual asset legitimately needs. Authorized secrets data for the requesting virtual asset representing one or more authorized secrets is then generated. The requesting virtual asset is then provided access to the authorized secrets data.

Abstract: Reference architecture pattern role data representing reference architecture pattern roles to be associated with entities taking part in the development, and/or deployment, and/or operation of an application is generated. Reference architecture pattern tier data representing reference architecture pattern tiers used to create, and/or deploy, and/or operate an application using the reference architecture pattern is generated. For each reference architecture pattern role at least one access and/or operational permission is associated with each reference architecture pattern tier. An entity is assigned one of the reference architecture pattern roles and for each reference architecture pattern tier, the entity is automatically provided the at least one access and/or operational permission associated with the reference architecture pattern role assigned to the entity.

Abstract: Asset security compliance data ensuring defined asset security policies are applied to the creation and/or operation of assets to be used to implement an application and application deployment security compliance data for ensuring compliance with one or more application deployment security policies associated with the deployment of assets used to implement the application is generated. The asset security compliance data is then used to ensure each asset used to implement the application is created and used in compliance with asset security policies and the application deployment security compliance data is used to ensure that each asset used to implement the application is deployed in compliance with the application deployment security policies.

Abstract: A virtual asset creation template associated with a class of virtual assets is identified and analyzed to identify and remedy vulnerabilities in the virtual asset creation template. If no vulnerability is identified in the virtual asset creation template, or once each vulnerability identified in the virtual asset creation template is remedied, each virtual asset of the virtual asset class generated using the virtual asset creation template is assigned an initial status of verified virtual asset. Instructions are generated for monitoring and detecting one or more trigger events in assets as well as instructions for implementing at least one responsive action associated with each of the one or more trigger events. Assets monitor and detect one or more trigger events and associated responsive actions are then performed upon the trigger event being detected.

Abstract: A service provider computing environment includes a service provider computing device, which receives tenant secrets policies from tenants. The tenants are tenants of multi-tenant assets of a service provider. One or more data security zones in which the multi-tenant assets are located are identified. A service provider secrets policy includes data security jurisdiction zone secrets policy data for the one or more data security jurisdiction zones. The data security jurisdiction zone secrets policy data is analyzed to determine allowed secrets data with respect to each of the identified data security jurisdiction zones. The service provider computing environment determines of the tenant secrets policies satisfy the requirements of the service provider secrets policy. If the tenant secrets policies satisfy the requirements of the service provider secrets policy, the service provider computing environment allows the tenant secrets policies to be applied to tenant data or information in the multi-tenant assets.

Abstract: A method and system for providing a security threat scoring service to identify and prioritize potential security threats to an online service. The method and system include determining security threat patterns, comparing traffic to the online system with the security threat patterns, and identifying portions of the traffic as a potential security threat. The method and system include assigning a threat score to the potential security threat, and providing the threat score to the online service to enable the online service to secure against the potential security threat.

Abstract: A method and system for automating threat model generation for an application includes identifying components of an application, receiving security information that identifies whether security measures were implemented within the application to secure the application against security threats, determining whether the security measures sufficiently address security risks associated with the security threats, and providing a threat model that includes a report that identifies components of the application that have been sufficiently (or insufficiently) secured from the security threats, according to one embodiment. In one embodiment, determining whether the security measures sufficiently address the security risks can include transmitting first queries, receiving responses to the first queries, and transmitting subsequent queries based at least in part on the responses to the first queries.

Abstract: A hypervisor includes an analysis trigger monitoring system. One or more analysis trigger parameters are defined and analysis trigger data representing the analysis trigger parameters is generated. The analysis trigger data is then provided to the analysis trigger monitoring system and the analysis trigger monitoring system is used to monitor at least a portion of the message traffic sent to, and/or sent from, a virtual asset controlled by the hypervisor to detect any message including one or more of the one or more analysis trigger parameters. A copy of at least a portion of any detected message including one or more of the one or more analysis trigger parameters is then transferred to one or more analysis systems for further analysis.

Abstract: An analysis trigger monitoring system is provided in one or more virtual assets. One or more analysis trigger parameters are defined and analysis trigger data is generated. The analysis trigger monitoring systems are used to monitor at least a portion of the message traffic sent to, or sent from, the one or more virtual assets to detect any message including one or more of the one or more analysis trigger parameters. A copy of at least a portion of any detected message including one or more of the one or more analysis trigger parameters is then transferred to one or more analysis systems for further analysis using a second communication channel.

Abstract: One or more relevant scanners used to identify asset vulnerabilities are identified, obtained, and logically arranged for deployment on an asset in accordance with a vulnerability management policy and a scanner deployment policy such that the relevant scanners are deployed at, or before, a determined ideal time to minimize the resources necessary to correct the vulnerabilities, if found. The relevant scanners are then automatically deployed in accordance with the scanner deployment policy and, if a vulnerability is identified, one or more associated remedies or remedy procedures are applied to the asset. At least one of the one or more relevant scanners are then re-deployed on the asset to determine if the identified vulnerability has been corrected and, if the vulnerability is not corrected at, or before, a defined time, protective measures are automatically taken.

Abstract: Instructions for monitoring and detecting one or more trigger events in assets used to implement an application are generated. Instructions for implementing at least one responsive action associated with each of the one or more trigger events is generated. At least part of instructions for monitoring and detecting the one or more trigger events is provided to an asset used to implement the application. The at least part of the instructions for monitoring and detecting the one or more trigger events are used by the asset to detect a trigger event. The instructions for implementing the at least one responsive action associated with each of the one or more trigger events is then used to automatically implement the at least one responsive action associated with the detected trigger event.

Abstract: Reference architecture pattern role data representing reference architecture pattern roles to be associated with entities taking part in the development, and/or deployment, and/or operation of an application is generated. Reference architecture pattern tier data representing reference architecture pattern tiers used to create, and/or deploy, and/or operate an application using the reference architecture pattern is generated. For each reference architecture pattern role at least one access and/or operational permission is associated with each reference architecture pattern tier. At least one entity is assigned one of the reference architecture pattern roles and for each reference architecture pattern tier, the at least one entity is automatically provided the at least one access and/or operational permission associated with the reference architecture pattern role assigned to the entity.

Abstract: Virtual resource specific discovery agents are instantiated in a first computing environment including internal resource specific data collection logic for directing and allowing the virtual resource specific discovery agents to collect data from a specific resource, or resource type, assigned to the virtual resource specific discovery agents. The virtual resource specific discovery agents then collect data from the specific resource, or resource type, assigned to the virtual resource specific discovery agents and provide the data collected from the specific resource, or resource types to a computing environment modeling system. The computing environment modeling system then transforms the data into description data for the computing environment indicating a state of the first computing environment at a given time.

Abstract: An application is implemented in the production environment in which the application will be used. Two or more backend systems are used to implement different versions of the application using the production environment in which the application will actually be used and accessed. Actual user data is received. A first portion of the actual user data is routed and processed in the production environment using a first version of the application and a first backend system of the two or more backend systems. A second portion of the actual user data is also routed and processed in the production environment but using a second version of the application and a second backend system of the two or more backend systems. The results data is then analyzed to evaluate the various versions of the application in the production environment.

Abstract: A virtual asset creation template associated with a class of virtual assets is identified and analyzed to identify any vulnerabilities in the virtual asset creation template. If one or more vulnerabilities are identified in the virtual asset creation template, an appropriate remedy for each identified vulnerability identified in the virtual asset creation template is applied. If no vulnerability is identified in the virtual asset creation template, or once each vulnerability identified in the virtual asset creation template is remedied, each virtual asset of the virtual asset class generated using the virtual asset creation template is assigned an initial status of verified virtual asset.

Abstract: A service provider computing environment includes a service provider secrets policy. A service provider computing device receives tenant secrets policies from tenants. The tenants are tenants of multi-tenant assets of a service provider. The service provider computing environment determines of the tenant secrets policies satisfy the requirements of the service provider secrets policy. If the tenant secrets policies satisfy the requirements of the service provider secrets policy, the service provider computing environment allows the tenant secrets policies to be applied to tenant data or information in the multi-tenant assets.