Determining coverage of dynamic security scans using runtime and static code analyses

Assignee

• Micro Focus LLC · US

Inventors

• Kirill Mendelev · Alpharetta, US
• Lu Zhao · Zhejiang, CN
• David J. Babcock · Spokane Valley, US
• Ronald Joseph Sechman · Alpharetta, US

Key dates

Classification

• Technology area (CPC H)Electricity
• CPC primaryH04L63/168
• WIPO fieldComputer technology
• WIPO sectorElectrical engineering

Abstract

Example embodiments relate to assessing dynamic security scans using runtime analysis and static code analysis. In example embodiments, a system performs static code analysis of a web application to identify reachable code and/or data entry points, where the data entry points are used to determine an attack surface size for the web application. At this stage, the system may initiate runtime monitoring for a dynamic security scan of the web application, where the runtime monitoring detects invocation of a statement at one of the data entry points. The invocation is logged as an invocation entry that comprises invocation parameters and/or code units that were executed in response to the invocation. The system may then determine an attack surface coverage of the dynamic security scan using the invocation entry and the attack surface size and/or a reachable code coverage using the invocation entry and the reachable code.