The present description relates to application code security analysis, and more specifically, to scan time reduction in application security scanning.
In static security analysis of application code, the application code is parsed into an intermediate program representation, and program analysis is done to detect the entry of tainted data into the application and its flow via intermediate variable assignments, function calls, etc. This intermediate representation could be analyzed to show that data originating from an external source (like a web page) is passed through consecutive function calls until it ends up in a SQL Query. If none of the intermediate function calls properly validate the passed data, the application can be vulnerable to a SQL Injection attack.