Configuring the static security analysis of a conventional Web application can be a complex task, if only because it requires a number of activities to be performed. For example, the activities can include identifying the application entry points; identifying so-called “sources”, which are the points in the program that have the potential to introduce tainted values (in integrity problems) or confidential values (in confidentiality problems) into the program; identifying so-called “sinks”, which are security-sensitive points in the program that may use tainted values and/or that may release information computed based on confidential values; and identifying so-called “downgraders”, which are the program points intended to eliminate taint from values. The downgraders may be referred to as “sanitizers” or, when they obfuscate confidential data before it is released, as “declassifiers”.
Problems can arise due to the fact that one or more of these activities may be manually performed. This typically requires that the person performing these activities be highly skilled.
The manual performance of these activities can also result in errors that can result in one or more application security vulnerabilities being overlooked.
If these activities are performed automatically (algorithmically) the algorithm may, for example, classify all identified text input fields in views generated by the application as being sources, and all text display fields as being sinks. In this case the task of the person who must analyze the output of the analyzer becomes complicated and prone to error.
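The following block is an added illustration, not code from the original text, of how a source/sink/sanitizer configuration drives a taint analysis and of why an over-broad automatic configuration inflates the output a reviewer has to triage. The statement representation, the callee names (request.getParameter, escapeHtml, db.execute, view.textInput, view.textDisplay and so on) and the sample program are all constructed for the example; the analysis is a simple forward propagation over straight-line code.

```python
"""Toy configuration-driven taint analysis (added example; constructed names)."""
from __future__ import annotations

from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Stmt:
    """One statement: `target = callee(args)`; target is None for a bare call."""
    target: Optional[str]
    callee: str
    args: tuple[str, ...] = ()


@dataclass(frozen=True)
class TaintConfig:
    """The three activity outputs the text describes: sources, sinks, downgraders."""
    sources: frozenset[str]
    sinks: frozenset[str]
    sanitizers: frozenset[str]


def analyze(program: list[Stmt], cfg: TaintConfig) -> list[tuple[int, str, str, str]]:
    """Propagate taint forward and report (stmt_index, sink, variable, origin_source).

    A variable becomes tainted when assigned from a source, stays tainted through
    ordinary calls that consume a tainted argument, and is cleaned when it is the
    result of a sanitizer (downgrader). A finding is a tainted argument reaching a sink.
    """
    taint: dict[str, str] = {}  # variable -> source callee it originated from
    findings: list[tuple[int, str, str, str]] = []
    for i, s in enumerate(program):
        if s.callee in cfg.sinks:
            for a in s.args:
                if a in taint:
                    findings.append((i, s.callee, a, taint[a]))
        if s.target is None:
            continue
        if s.callee in cfg.sources:
            taint[s.target] = s.callee
        elif s.callee in cfg.sanitizers:
            taint.pop(s.target, None)  # downgrader output is considered clean
        else:
            tainted_args = [a for a in s.args if a in taint]
            if tainted_args:
                taint[s.target] = taint[tainted_args[0]]  # taint flows through the call
            else:
                taint.pop(s.target, None)  # reassigned from untainted inputs
    return findings


# Constructed sample program (not from the original text).
SAMPLE: list[Stmt] = [
    Stmt("name", "request.getParameter"),            # 0: user-controlled input
    Stmt("safe", "escapeHtml", ("name",)),           # 1: sanitizer cleans the value
    Stmt(None, "response.write", ("safe",)),         # 2: sink, but argument is clean
    Stmt("prefix", "const"),                         # 3: untainted literal
    Stmt("query", "concat", ("prefix", "name")),     # 4: taint flows into query
    Stmt(None, "db.execute", ("query",)),            # 5: sink reached by tainted data
    Stmt("title", "view.textInput"),                 # 6: a generated view's text field
    Stmt(None, "view.textDisplay", ("title",)),      # 7: a generated view's display field
]

# Hand-curated configuration: entry-point parameter as source, real security sinks.
NARROW = TaintConfig(
    sources=frozenset({"request.getParameter"}),
    sinks=frozenset({"response.write", "db.execute"}),
    sanitizers=frozenset({"escapeHtml"}),
)

# Mechanical configuration as the text describes: every text input field is a
# source and every text display field is a sink, on top of the curated entries.
BROAD = TaintConfig(
    sources=NARROW.sources | {"view.textInput"},
    sinks=NARROW.sinks | {"view.textDisplay"},
    sanitizers=NARROW.sanitizers,
)


def finding_counts() -> tuple[int, int]:
    """Number of findings the reviewer must triage under each configuration."""
    return len(analyze(SAMPLE, NARROW)), len(analyze(SAMPLE, BROAD))


if __name__ == "__main__":
    for label, cfg in (("narrow", NARROW), ("broad", BROAD)):
        print(label, analyze(SAMPLE, cfg))
```

With the curated configuration the only finding is the tainted query reaching db.execute; the escaped value written to the response is correctly suppressed by the sanitizer entry. The mechanically generated configuration adds a second finding for the view field pair, which in this toy program is not attacker-controlled, so every such classification is additional work for the person reviewing the analyzer's output.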