Modern platforms, and in particular cloud, mobile and web technologies, are all subject to security threats, as they are exposed to unexpected interactions with other software (e.g., other mobile apps on the same device or other cloud services on the same cluster) as well as open access by users (e.g., website visits from all over the world). At the same time, the scale and complexity of modern software systems complicate both manual and automated forms of security auditing.
Manual auditing is prohibitively expensive, as current software systems typically consist of millions of lines of code. These often include third-party libraries as well as platform code. Moreover, beyond the core software, there are external configuration files, databases, web services, and the like. A manual auditor would have to reason about all the possible security-relevant execution scenarios, analyze the threats arising in each of them, and check the correctness and completeness of the defenses installed in response to those threats. This is hardly a tractable task.
The same holds true for static verification tools. These are challenged by the scale of the system, which mandates approximate rather than fully precise analysis, leading in turn to an excess of false warnings. Added to that is the problem of accounting for external resources, which static analysis is typically not aware of.
Further, static analyses are unable to analyze dynamically generated code, which is characteristic of client-side JavaScript, web frameworks, and evasive mobile apps that use dynamic code loading for intellectual property (IP) protection purposes.
Dynamic testing tools, for their part, face the difficult task of deciding which test inputs to attempt. Brute-force enumeration of all possible payloads is prohibitive and unacceptable, whereas focused testing using only a small subset of all available payloads results in poor coverage, and often also in nondeterminism if the choice of payloads to fire is probabilistic.