Ex Parte Sum et al
Patent Trial and Appeal Board
Mar 27, 2017
13780662 (P.T.A.B. Mar. 27, 2017)

United States Patent and Trademark Office
UNITED STATES DEPARTMENT OF COMMERCE
Address: COMMISSIONER FOR PATENTS, P.O. Box 1450, Alexandria, Virginia 22313-1450
www.uspto.gov

APPLICATION NO.: 13/780,662
FILING DATE: 02/28/2013
FIRST NAMED INVENTOR: Sam Ng Ming Sum
ATTORNEY DOCKET NO.: 83138769
CONFIRMATION NO.: 1072

56436 7590 03/29/2017
Hewlett Packard Enterprise
3404 E. Harmony Road
Mail Stop 79
Fort Collins, CO 80528

EXAMINER: KU, SHIUH-HUEI P
ART UNIT: 2128
NOTIFICATION DATE: 03/29/2017
DELIVERY MODE: ELECTRONIC

Please find below and/or attached an Office communication concerning this application or proceeding. The time period for reply, if any, is set in the attached communication.

Notice of the Office communication was sent electronically on above-indicated "Notification Date" to the following e-mail address(es): hpe.ip.mail@hpe.com, chris.mania@hpe.com

PTOL-90A (Rev. 04/07)

UNITED STATES PATENT AND TRADEMARK OFFICE

BEFORE THE PATENT TRIAL AND APPEAL BOARD

Ex parte SAM NG MING SUM and MATIAS MADOU

Appeal 2016-005662
Application 13/780,662¹
Technology Center 2100

Before BRADLEY W. BAUMEISTER, JON M. JURGOVAN, and NABEEL U. KHAN, Administrative Patent Judges.

JURGOVAN, Administrative Patent Judge.

DECISION ON APPEAL

¹ Appellants identify Hewlett Packard Enterprise Development, LP as real party in interest. (App. Br. 1.)

STATEMENT OF THE CASE

Appellants seek review under 35 U.S.C. § 134(a) from a final rejection of claims 1–15. We have jurisdiction under 35 U.S.C. § 6(b). We affirm.²

CLAIMED INVENTION

The claims are directed to modifying execution of an application under test so that a user has the privileges of a “power user” (i.e., a user with the privileges of an administrator) when testing for security vulnerabilities. (Spec., Abstract, ¶ 23.)
Claim 1, reproduced below with argued limitations shown in italics, is illustrative of the claimed subject matter:

1. A computing system comprising:
[(i)] a server hosting an application under test executing in a real-time modifier; and
[(ii)] a computing device communicatively coupled to the application under test that is caused to perform a security crawl on the application under test logged in as a user,
[(iii)] wherein, during the security crawl, the real-time modifier modifies an execution at runtime of the application under test to act as if the user is a power user.

(Claims App’x.)

REJECTIONS

Claims 1, 4, 10, and 13 stand rejected under 35 U.S.C. § 103(a) based on Mason (US 6,826,716 B2, Nov. 30, 2004) and Vinuesa et al. (A Dynamic Aspect Weaver of the .NET Platform, D.L. Hicks (Ed.): MIS 2003, LNCS 3002, pp. 197–212, 2004 © Springer-Verlag Berlin Heidelberg (2004)). (Final Act. 7–16.)

Claims 2, 3, 5–9, 11, 12, 14, and 15 stand rejected under 35 U.S.C. § 103(a) based on Mason, Vinuesa, and Wunderlich (US 2009/0138589 A1, published May 28, 2009). (Final Act. 16–31.)

² Our Decision refers to the Specification (“Spec.”) filed Feb. 28, 2013, the Final Office Action (“Final Act.”) mailed May 7, 2015, the Appeal Brief (“App. Br.”) filed Nov. 9, 2015, the Examiner’s Answer (“Ans.”) mailed Mar. 9, 2016, and the Reply Brief (“Reply Br.”) filed May 9, 2016.

ANALYSIS

Claims 1, 4, 10, and 13

Argument Concerning Alleged Piecemeal Interpretation of Claims

Appellants argue the rejection improperly interprets claim 1 in piecemeal fashion by picking apart the claim language into isolated fragments without due regard to the meaning of the claim terminology as a whole. (App. Br. 6–8 (citing Final Act. 9); Reply Br. 2.)
In particular, regarding element (iii) of claim 1, Appellants contend reliance on Mason (2:31–40) to disclose “wherein, during the security crawl” and “under test to act as if the user is a power user,” and reliance on Vinuesa (§ 6 System Design, p. 205, ll. 6–34) to disclose “the real-time modifier modifies an execution at runtime of the application,” improperly picks apart the claim language.

We disagree with Appellants’ argument. Instead, we find the Examiner considered the claim language as a whole, and the cited teachings of the references logically connect with one another to render the claims obvious. (Final Act. 8–16.) In particular, Mason discloses testing of web applications to verify their security. (1:12–17.) Mason also discloses that a “role” or “security role” is a classification of the type of identity required to access a protected resource. (2:31–32.) When an application is deployed or installed in Mason, an administrator maps actual users and/or groups to the roles. (2:34–36.) These teachings are relevant to the claimed invention because the Specification states “a power user is a user that has access to one or more administrative functions.” (Spec. ¶ 23.)

Importantly, Mason states that user identification and user password for a role are passed to the test code at runtime to enable it to access a software resource of the application under test. (Abstract, 8:20–27.) Appellants do not acknowledge or address this finding in their briefs. Consequently, the Examiner shows that Mason “modifies an execution at runtime of the application under test” by passing the user identification and a user password for the role to the test code so that it can test the application.
Because that role may be that of an administrator (i.e., a “power user”), all that remained for the Examiner to show the rest of the argued claim limitation existed in the prior art is a disclosure of a “real-time modifier.” For this teaching, the Examiner relies on Vinuesa, which states “using the .NET platform: 1, the profiling API can be used, employing the two interfaces IcorProfilerCallback and IcorProfilerCallbackInfo. At runtime, the execution engine would call the system through the IcorProfilerCallback and the system would inspect the executing code.” (Final Act. 9.) Thus, Vinuesa’s interfaces equate to the claimed “real-time modifier [that] modifies an execution at runtime of the application.” We ascertain no error in the Examiner’s rejection.

Argument Concerning Alleged Mischaracterization of Mason

Appellants also argue the Examiner mischaracterizes Mason. (App. Br. 8–9; Reply Br. 2–5.) In particular, Appellants state Mason discloses that when an application is deployed or installed, an administrator maps actual users and/or groups to roles. (Id. (citing Mason 2:31–40).) Appellants argue “the cited portion of Mason says nothing whatsoever about a ‘security crawl’” and therefore fails to disclose “wherein, during the security crawl, the real-time modifier,” as claimed. Appellants further argue “the cited portion of Mason says nothing whatsoever about being ‘under test,’ or about modifying an application ‘to act as if the user is [a] power user.’” (Id. at 9.) (Emphasis omitted).

We disagree with Appellants’ arguments. Regarding Appellants’ argument concerning Mason’s alleged failing to disclose a “security crawl,” as the Examiner notes, Mason discloses testing of web applications to verify their security. (Final Act. 8–9; Ans. 7; Mason 1:12–17.)
Appellants fail to establish that a person of ordinary skill would not have considered testing to verify application security to encompass a “security crawl” or explain how a “security crawl” is something different. Regarding the “under test” limitation of the claims, Appellants’ argument likewise fails because Mason discloses that user identification and a user password for a role are passed to the test code at runtime to enable it to access a software resource of the application under test. (Final Act. 8–9; Ans. 7 (citing Mason 8:20–27).)

Argument Concerning Alleged Lack of Sufficient Rationale for Combination

Appellants further contend the rejection lacks sufficient rationale to make the proposed combination of Mason and Vinuesa. (App. Br. 9–11; Reply Br. 5–6.) Specifically, Appellants argue the Examiner admits that Mason fails to disclose the claimed limitation of “the real-time modifier modifies an execution at runtime of the application,” and therefore relies on Vinuesa for this teaching. (App. Br. 6 (citing Final Act. 9)) (Emphasis omitted). Appellants state the Examiner’s rationale to combine Mason with Vinuesa is “to provide the capability of adapting to runtime emerging requirements.” (Id. at 10 (citing Final Act. 10).) (Emphasis omitted.) Appellants contend the Examiner’s rationale to combine the references, therefore, is to modify Mason to include the missing subject matter (i.e., runtime adaptation of an application) because this would provide the missing subject matter (“the capability of adapting to runtime emerging requirements.”) Appellants argue this is circular reasoning and is not a valid rationale to combine the references. (Id.)

We disagree with Appellants’ argument. Mason and Vinuesa both teach the desirability of modifying execution of an application at runtime (Mason 8:20–27; Vinuesa Abstract ll. 2–4), which logically links the references together.
It makes manifest sense that providing the capability to adapt to runtime requirements, as taught by both references, would have been a desirable feature to a person of ordinary skill, and that these teachings provide sufficient rationale to combine the references. In sum, there was “an apparent reason to combine the known elements in the fashion claimed.” KSR Int’l Co. v. Teleflex Inc., 550 U.S. 398, 417–18 (2007). We find the Examiner provides “some articulated reasoning with some rational underpinning to support the legal conclusion of obviousness.” Id. at 418 (quoting In re Kahn, 441 F.3d 977, 988 (Fed. Cir. 2006)).

Claims 2, 3, 5, 6, 9, 11, 12, 14 and 15

Appellants submit the same arguments for patentability of claims 2, 3, 5, 6, 9, 11, 12, 14, and 15 as asserted for independent claims 1, 4, 10, and 13, arguing the addition of Wunderlich does not cure the alleged deficiencies of Mason and Vinuesa. Because we find Mason and Vinuesa are not deficient, Wunderlich is not needed to cover any deficiency, so we sustain the rejection of these dependent claims for the reasons stated with respect to the independent claims.

Claim 7

Claim 7 recites “wherein the computing device further includes a crawl module to perform another security crawl with the user not acting as the power user, wherein during the other security crawl, a second set of links is generated.” The Examiner acknowledges Mason and Vinuesa do not disclose this feature, but relies on Wunderlich for this teaching. (Final Act. 22.) Wunderlich does indeed disclose that “the application main menu 106 is role based and users may only view links and menus for which they have permission.” (Wunderlich ¶ 17.)

Appellants again argue Wunderlich does not disclose a “security crawl,” much less “another security crawl with the user not acting as the power user.” (App. Br. 13, Reply Br. 6–8.) (Emphasis omitted.)
Appellants also argue Wunderlich says nothing regarding “wherein during the other security crawl, a second set of links is generated.” (App. Br. 13.) (Emphasis omitted.)

We do not agree with Appellants’ arguments. As previously noted, Mason discloses testing of applications to verify their security. (Mason 1:14–17.) Appellants do not explain why Mason’s teaching would not encompass a “security crawl” or how a “security crawl” would have been understood to be something different. Further, Mason teaches passing user identification and user password appropriate for a role (i.e., user or administrator (2:31–40)) as parameters to the Java test code at run time. (8:20–27.) Reading these disclosures, the person of ordinary skill in the art would have realized that testing the entire application requires testing parts accessible by users, administrators, and any other defined role having a set of privileges limiting access to aspects of the application under test. Thus, we find this argument unpersuasive.

Regarding the claimed limitation of generating a second set of links during a security crawl, Wunderlich’s teaching that users may only view links according to the particular role using credentials (i.e., user identification and user password) (¶ 17) combined with Mason’s teaching to pass appropriate credentials at run time to enable test code to test protected software resources (8:20–27), is sufficient to at least suggest the claimed limitation. Again, a person of ordinary skill in the art would have understood that in order to test an entire application, parts of it protected under credentials of users in various roles would need to be provided. Accordingly, we are not persuaded that the Examiner errs.
Claim 8

Claim 8 recites “wherein the computing device further includes a link analysis module to determine which of the first set of links is not available in the other security crawl.” For this feature, the Examiner relies on Wunderlich. (Final Act. 23 (citing Wunderlich ¶ 32, Fig. 2).) Appellants argue that “Wunderlich says nothing whatsoever about a ‘security crawl,’ much less determining “which of the first set of links is not available in the other security crawl.” (App. Br. 14.)

As noted, Appellants have not explained why Mason’s testing of applications to verify their security does not encompass a “security crawl,” as claimed. (App. Br. 13–14, Reply Br. 8.) Moreover, Wunderlich’s teaching that users may only view links according to the particular role using credentials (i.e., user identification and user password) (¶ 17) combined with Mason’s teaching to pass appropriate credentials at run time to enable test code to test protected software resources (8:20–27), is sufficient to at least suggest the claimed limitation. Thus, we are not persuaded by Appellants’ arguments that the Examiner errs in the rejection.

DECISION

The Examiner’s rejections of claims 1–15 under 35 U.S.C. § 103(a) is affirmed.

No time period for taking any subsequent action in connection with this appeal may be extended under 37 C.F.R. § 1.136(a)(1)(iv).

AFFIRMED