Among technologies for verifying the reliability of a program, there is a method of detecting a vulnerability whereby important information, such as confidential information or personal information, flows out to the outside (such as the Internet, a different program, a different file, or a database) through the program.
In the conventional technology, the program is analyzed by considering the data flow alone. Thus, a case where appropriately encrypted information is sent to the outside is also erroneously detected as a vulnerability.
From the standpoint of a program developer, it is not desirable that a vulnerability be erroneously detected in a program that has been safely implemented. On the other hand, from the standpoint of a user, there is a need to check whether or not the user's own important information is being handled appropriately in the program.
Herein, “the important information is appropriately being handled” means that the following conditions are satisfied:
the important information is not output from the program to the outside as plaintext; and
when the important information is encrypted, a key used for the encryption is not hard-coded (constantized) within the program.
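The difference between a data-flow-only check and a check against the two conditions above can be shown on a toy straight-line program. The following Python sketch is an added example, not code from the original document; the instruction set (`source`, `const`, `input`, `encrypt`, `assign`, `sink`), the variable names and the key literal are assumptions made for illustration.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Val:
    tainted: bool = False    # derived from important information
    plaintext: bool = False  # important information still readable as-is
    const: bool = False      # value is a literal embedded in the program
    const_key: bool = False  # protected only by a hard-coded key

def analyze(program):
    """Return (flow_only, aware): two lists of (instruction index, reason)."""
    env, flow_only, aware = {}, [], []
    for i, (op, *args) in enumerate(program):
        if op == "source":            # read important information
            env[args[0]] = Val(tainted=True, plaintext=True)
        elif op == "const":           # literal embedded in the program
            env[args[0]] = Val(const=True)
        elif op == "input":           # value supplied at run time (assumed op)
            env[args[0]] = Val()
        elif op == "assign":          # copy keeps every property
            env[args[0]] = env[args[1]]
        elif op == "encrypt":
            dst, data, key = args
            d, k = env[data], env[key]
            env[dst] = Val(tainted=d.tainted,
                           const_key=k.const and (d.plaintext or d.const_key))
        elif op == "sink":            # output to the outside
            v = env[args[0]]
            if v.tainted:
                flow_only.append((i, "important data reaches outside"))
            if v.plaintext:
                aware.append((i, "plaintext output"))
            elif v.const_key:
                aware.append((i, "encrypted with hard-coded key"))
        else:
            raise ValueError(f"unknown op {op!r}")
    return flow_only, aware

# Constructed sample program; variable names and key literal are made up.
SAMPLE = [
    ("source", "pin"),
    ("const", "k1", "00112233"),
    ("input", "k2"),
    ("encrypt", "c1", "pin", "k1"),
    ("encrypt", "c2", "pin", "k2"),
    ("assign", "k3", "k1"),
    ("encrypt", "c3", "pin", "k3"),
    ("sink", "pin"), ("sink", "c1"), ("sink", "c2"), ("sink", "c3"),
]
```

On the sample, the data-flow-only result flags all four outputs, including `c2`, which is encrypted under a run-time key; the second result flags only the plaintext output and the two outputs encrypted under the constant key, one of them reached through a copy of that key.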