Determining coverage of dynamic security scans using runtime and static code analyses

Determining coverage of dynamic security scans using runtime and static code analyses

Example embodiments relate to assessing dynamic security scans using runtime analysis and static code analysis. In example embodiments, a system performs static code analysis of a web application to identify reachable code and/or data entry points, where the data entry points are used to determine a...

Ausführliche Beschreibung

Gespeichert in:
Bibliographische Detailangaben
Hauptverfasser: Mendelev, Kirill, Babcock, David John, Zhao, Lu, Sechman, Ronald Joseph
Format: Patent
Sprache:eng
Schlagworte:
CALCULATING
COMPUTING
COUNTING
ELECTRIC COMMUNICATION TECHNIQUE
ELECTRIC DIGITAL DATA PROCESSING
ELECTRICITY
PHYSICS
TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHICCOMMUNICATION
Online-Zugang:Volltext bestellen
Tags: Tag hinzufügen
Keine Tags, Fügen Sie den ersten Tag hinzu!
Beschreibung
Zusammenfassung:Example embodiments relate to assessing dynamic security scans using runtime analysis and static code analysis. In example embodiments, a system performs static code analysis of a web application to identify reachable code and/or data entry points, where the data entry points are used to determine an attack surface size for the web application. At this stage, the system may initiate runtime monitoring for a dynamic security scan of the web application, where the runtime monitoring detects invocation of a statement at one of the data entry points. The invocation is logged as an invocation entry that comprises invocation parameters and/or code units that were executed in response to the invocation. The system may then determine an attack surface coverage of the dynamic security scan using the invocation entry and the attack surface size and/or a reachable code coverage using the invocation entry and the reachable code.