The architecture and industry applications of web security in static and dynamic analysis

Purpose – The purpose of this paper is to propose a metadata-driven approach, and the associated technologies, to deal with ever-rising web security issues. The approach applies metadata techniques to enable semantic validation for new types of vulnerability.

Design/methodology/approach – Token decomposition design was applied to move analysis work to an abstract level. This novel approach addresses the issues by using a dual control method to perform vulnerability validation.

Findings – Current analysis lacks a metadata foundation, so vulnerabilities remain invisible behind semantic obfuscation. This paper reflects on the limitations of existing methods and applies a metadata-driven approach to move physical and syntactic analysis into semantic validation.

Research limitations/implications – Currently, certain difficulties may be encountered in preparing benchmarks for the dual control process before development work is complete. However, this paper tries to create scenarios which can serve as a reference to evaluate the ...
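As an added illustration, not code from the paper (whose token decomposition design and dual control method are not specified in this abstract), the following Python shows the general idea behind moving injection checks from the text of a query to its token structure: the token signature of the query template is compared with the signature of the query the application actually built, so input that changes the statement's structure is flagged even when the resulting string is still syntactically valid SQL. The tokenizer, keyword list, `build_query` helper and the sample queries are all constructed for this example and are assumptions, not the paper's artefacts.

```python
import re

# Minimal SQL tokenizer, constructed for this illustration. It is not a full
# SQL lexer and does not implement the paper's own token decomposition design.
TOKEN_RE = re.compile(r"""
    (?P<ws>\s+)
  | (?P<comment>--[^\n]*|/\*.*?\*/)
  | (?P<string>'(?:[^']|'')*')
  | (?P<number>\d+(?:\.\d+)?)
  | (?P<word>[A-Za-z_][A-Za-z0-9_]*)
  | (?P<op>\|\||<>|<=|>=|!=|[=<>+\-*/%])
  | (?P<punct>[(),;.?])
""", re.VERBOSE | re.DOTALL)

# Reduced keyword set, sufficient for the sample queries below (assumption).
KEYWORDS = {"SELECT", "FROM", "WHERE", "AND", "OR", "NOT", "UNION", "INSERT",
            "INTO", "VALUES", "UPDATE", "SET", "DELETE", "DROP", "TABLE",
            "LIKE", "NULL", "IS", "ORDER", "BY", "LIMIT"}


def tokenize(sql):
    """Split SQL text into (kind, text) tokens; raises ValueError on
    input that cannot be tokenized (e.g. an unterminated string)."""
    tokens, pos = [], 0
    while pos < len(sql):
        m = TOKEN_RE.match(sql, pos)
        if not m:
            raise ValueError(f"unexpected character at {pos}: {sql[pos]!r}")
        pos, kind, text = m.end(), m.lastgroup, m.group()
        if kind == "ws":
            continue
        if kind == "word":
            kind = "keyword" if text.upper() in KEYWORDS else "ident"
            text = text.upper() if kind == "keyword" else text
        if kind == "punct" and text == "?":
            kind = "param"          # template placeholder
        tokens.append((kind, text))
    return tokens


def signature(tokens):
    """Abstract the token stream: keywords, operators and punctuation keep
    their text; identifiers collapse to 'ident'; strings, numbers and
    placeholders all collapse to 'literal'; comments stay visible."""
    sig = []
    for kind, text in tokens:
        if kind in ("string", "number", "param"):
            sig.append("literal")
        elif kind in ("ident", "comment"):
            sig.append(kind)
        else:
            sig.append(text)
    return tuple(sig)


def build_query(template, values, escape=False):
    """Simulate an application that splices values into a '?' template as
    quoted strings. escape=False is the classic vulnerable concatenation;
    escape=True doubles single quotes. Assumes no '?' inside template
    literals (assumption for this example)."""
    parts = template.split("?")
    if len(parts) - 1 != len(values):
        raise ValueError("placeholder/value count mismatch")
    out = parts[0]
    for value, rest in zip(values, parts[1:]):
        if escape:
            value = value.replace("'", "''")
        out += "'" + value + "'" + rest
    return out


def structure_preserved(template, values, escape=False):
    """True iff the built query has the same token signature as the
    template. A query that cannot even be tokenized is treated as a
    structural change (an unterminated literal is an injection symptom)."""
    expected = signature(tokenize(template))
    query = build_query(template, values, escape)
    try:
        actual = signature(tokenize(query))
    except ValueError:
        return False
    return expected == actual


if __name__ == "__main__":
    tpl = "SELECT * FROM users WHERE name = ? AND id = ?"
    for vals in (["alice", "42"], ["' OR '1'='1", "42"], ["admin' --", "42"]):
        print(vals, "structure preserved:", structure_preserved(tpl, vals))
```

The signature deliberately discards literal values and identifier names, so a benign value such as `1 OR 1` inside a quoted literal passes, while a value that closes the literal, adds an `OR` clause or opens a comment changes the signature and is rejected; a tokenizer failure on an unterminated literal is treated the same way rather than silently passing.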
