Deriving Static Security Testing from Runtime Security Protection for Web Applications

Context: Static Application Security Testing (SAST) and Runtime Protection (RASP) are important complementary techniques used for detecting enforcing application-level security policies in web applications. Inquiry: The current state of the art, however, does not allow a safe efficient combination SAST RASP based on shared set policies, forcing developers to reimplement maintain same their enforcement code both tools. Approach: In this work, we present novel technique deriving from an existing mechanism by using two-phase abstract interpretation approach component that avoids duplicating effort specifying implementing semantics. enforces instrumenting base program trap security-relevant operations execute required policy code. static analysis is then obtained first statically analyzing without any traps. results phase second detect trapped abstractly associated unaltered Knowledge: Splitting into two phases enables running each with specific configuration, rendering tractable while maintaining sufficient precision. Grounding: We validate applicability our it dynamically enforce range found related work. Our experiments suggest can enable faster more precise violation detection compared full instrumented application under single configuration. Importance: Deriving equivalent semantics across dynamic contexts which verified during software development lifecycle. Moreover, require analysis.