Behind the patent: A way to proactively manage application security

By Kavitha Suresh Kumar and Ram Ramachandran

Application security poses a serious threat to digital-first organizations.

A 2024 report found that 92% of companies surveyed had experienced a breach in the past 12 months due to security vulnerabilities in applications developed in-house.¹ Meanwhile, the average cost of a single data incident is up 10%, now eclipsing US$4.8 million.²

After experimenting with numerous ways to improve software security, Kyndryl used its  experience with DevSecOps, AI and security tooling to create US12032706, a recently patented method and system for computing and predicting application security scores.³

Our invention, informally known as the ‘706 patent, is designed to provide a more efficient, comprehensive and proactive approach to managing security throughout the software development process.

How the ‘706 patent works

The method and system outlined in the ‘706 patent function like a health monitoring system for software applications. Similar to medical equipment that collects such metrics as heart rate, blood pressure, temperature and oxygen saturation to assess a person’s overall health, this invention:

• Integrates various DevSecOps tools that scan code, check for proper licensing and discover vulnerabilities in open-source packages
• Gathers additional data from external vulnerability databases and social media sites to identify problems based on reported issues
• Assigns weights to the aggregated data and applies a machine learning model to generate a predictive score that indicates the severity of each vulnerability
• Displays the information on a single dashboard to provide a unified view of all applications and their security score

With this enhanced information, developers and engineers can prioritize security issues based on the predictive score and address vulnerabilities in order of severity.

What makes the ‘706 patent unique

The most apparent difference between the method and system described in the ‘706 patent and other predictive analytics tools is the breadth and depth of data collection. No other devices or approaches combine information from external sources with internal data to identify vulnerabilities.

However, the attribute that truly differentiates the invention from traditional DevSecOps tools and strategies is what it does with the consolidated data—and how software development teams can use the information. The multi-source, weighted approach enables:

• Proactive security management. By aggregating data from numerous internal and external sources, organizations can identify and remediate security issues early in the software development process. This proactive security approach saves time and money while reducing the risk of critical vulnerabilities.
• Continuous security monitoring. Consolidating data onto a single dashboard enhances observability, allowing software teams to spot and correct security concerns more quickly than when using disparate observation tools. The invention also delivers real-time security alerts as part of the continuous integration and delivery (CI/CD) process.
• Predictive application maintenance. Using AI models to analyze historical patterns and predict potential security threats provides a more detailed and accurate assessment of an application’s security status. This capability can help organizations address current vulnerabilities and anticipate risks, improving their security resilience.

Potential use cases of the ‘706 patent

The method and system outlined in the ‘706 patent have many potential use cases, particularly in industries that place a premium on security and have short software development and release cycles. These sectors include:

• Financial services
• Healthcare
• Software development
• Manufacturing
• Energy and utility

In fact, Kyndryl software development teams are looking at using the invention with DevSecOps processes and our open integration platform, Kyndryl Bridge, to continuously monitor security applications within the CTO organization. Deployed in this manner, the integration could help establish predictable penetration test schedules, reduce the number of issues identified during security audits, and expedite the release of more secure code.

For example, when developing a SaaS application to provision cloud and on-premises infrastructure and manage cloud costs, a software team might discover several cross-site scripting vulnerabilities that could potentially be exploited. The method and system described in the ‘706 patent could, in turn, collect and analyze data and flag the issue as critical.

Based on the security score and severity rating, the software team could immediately deploy a patch to fix the vulnerability. The invention could then verify the issue had been mitigated and continue monitoring the application for new vulnerabilities.

A final word on the ‘706 patent

Identifying and mitigating application vulnerabilities before they can be exploited is a critical component of software development. The method and system detailed in the ‘706 patent can play a vital role in this process, helping software teams pinpoint security issues quickly and create a more resilient security posture.

Kavitha Suresh Kumar is a Director and Principal Software Architect at Kyndryl, and Ram Ramachandran is Head of Software Engineering in the CTO office of Kyndryl.

^{1 92% of companies experienced an application-related breach last year, Security, March 2024
2 Cost of a data breach report 2024, IBM, July 2024
3 US12032706: Application security scoring, Google Patents, July 2024}