Abstract: Identifying security vulnerabilities related to inter-process communications by identifying within the instructions of a computer software application an object creation location configured to create an inter-process communications object, identifying within the instructions of the computer software application a location of an inter-process communications method, determining whether a path exists for an inter-process communications object created at the object creation location to propagate to the inter-process communications method, classifying with a classification selected from a plurality of predefined classifications, any of the inter-process communications object, the object creation location, and the location of the inter-process communications method, and reporting as a security vulnerability the classified inter-process communications object, object creation location, or location of the inter-process communications method if the path exists and if the classification is predefined to indicate that re

Abstract: Identifying security vulnerabilities related to inter-process communications by identifying within the instructions of a computer software application an object creation location configured to create an inter-process communications object, identifying within the instructions of the computer software application a location of an inter-process communications method, determining whether a path exists for an inter-process communications object created at the object creation location to propagate to the inter-process communications method, classifying with a classification selected from a plurality of predefined classifications, any of the inter-process communications object, the object creation location, and the location of the inter-process communications method, and reporting as a security vulnerability the classified inter-process communications object, object creation location, or location of the inter-process communications method if the path exists and if the classification is predefined to indicate that re

Abstract: Crawling computer-based documents by performing static analysis on a computer-based document to identify within the computer-based document one or more execution vectors, where each execution vector includes a computer program segment including a call to an entity that is external to the computer-based document, and one or more additional computer program segments whose execution precedes and leads ultimately to execution of the computer program segment that includes the call to the entity, and causing any of the computer program segments in any of the execution vectors to be executed during a crawling of the computer-based document, and any computer program segment within the computer-based document that is excluded from the execution vectors to be excluded from execution during the crawling of the computer-based document.

Abstract: Crawling computer-based documents by performing static analysis on a computer-based document to identify within the computer-based document one or more execution vectors, where each execution vector includes a computer program segment including a call to an entity that is external to the computer-based document, and one or more additional computer program segments whose execution precedes and leads ultimately to execution of the computer program segment that includes the call to the entity, and causing any of the computer program segments in any of the execution vectors to be executed during a crawling of the computer-based document, and any computer program segment within the computer-based document that is excluded from the execution vectors to be excluded from execution during the crawling of the computer-based document.

Abstract: Crawling computer-based documents by performing static analysis on a computer-based document to identify within the computer-based document one or more execution vectors, where each execution vector includes a computer program segment including a call to an entity that is external to the computer-based document, and one or more additional computer program segments whose execution precedes and leads ultimately to execution of the computer program segment that includes the call to the entity, and causing any of the computer program segments in any of the execution vectors to be executed during a crawling of the computer-based document, and any computer program segment within the computer-based document that is excluded from the execution vectors to be excluded from execution during the crawling of the computer-based document.

Abstract: Crawling computer-based documents by performing static analysis on a computer-based document to identify within the computer-based document one or more execution vectors, where each execution vector includes a computer program segment including a call to an entity that is external to the computer-based document, and one or more additional computer program segments whose execution precedes and leads ultimately to execution of the computer program segment that includes the call to the entity, and causing any of the computer program segments in any of the execution vectors to be executed during a crawling of the computer-based document, and any computer program segment within the computer-based document that is excluded from the execution vectors to be excluded from execution during the crawling of the computer-based document.

Abstract: A system and method for static detection and categorization of information-flow downgraders includes transforming a program stored in a memory device by statically analyzing program variables to yield a single assignment to each variable in an instruction set. The instruction set is translated to production rules with string operations. A context-free grammar is generated from the production rules to identify a finite set of strings. An information-flow downgrader function is identified by checking the finite set of strings against one or more function specifications.

Abstract: A computer implemented method for automatically fixing a security vulnerability in a source code is disclosed. The method includes obtaining identification of code that sends tainted data to corresponding sink code in the source code; and automatically fixing the vulnerability by automatically performing code modification which is selected from the group of code modifications consisting of: code motion and code duplication.

Abstract: A system and method for static detection and categorization of information-flow downgraders includes transforming a program stored in a memory device by statically analyzing program variables to yield a single assignment to each variable in an instruction set. The instruction set is translated to production rules with string operations. A context-free grammar is generated from the production rules to identify a finite set of strings. An information-flow downgrader function is identified by checking the finite set of strings against one or more function specifications.

Abstract: A novel and useful mechanism and method for assessing the vulnerability of web applications while browsing the application. As a user interacts with the web application, HTTP requests are sent from the browser to the web server. Each HTTP request is analyzed to determine if its associated elements need testing. Vulnerability assessment tests are sent to the server. Test results are then returned to the browser, where they are analyzed, displayed and/or stored in a log file.

Abstract: Testing computer software applications is implemented by probing a computer software application to determine the presence in the computer software application of any data-checking features, and applying a rule to the data-checking features that are determined to be present in the computer software application, thereby producing a testing set of inputs. The testing set includes any sets of inputs that were used to test sets of data-checking software, where each of the sets of data-checking software includes one or more data sanitizers and/or data validators, and where the rule is configured to produce the testing set to include one or more of the sets of inputs when the rule is applied to any of the data-checking features. The computer software application is tested using the testing set.

Abstract: Testing a Web-based application for security vulnerabilities. At least one client request including a payload having a unique identifier can be communicated to the Web-based application. Response HTML and an associated Document Object Model (DOM) object can be received from the Web-based application. Content corresponding to the payload can be identified in the DOM object via the unique identifier. A section of the DOM object including the payload can be identified as un-trusted.

Abstract: Call graph construction systems that utilize computer hardware are presented including: a processor; a candidate pool configured for representing a number of calls originating from a root node of a computer software application; an importance value assigner configured for assigning an importance value for any of the number of calls represented in the candidate pool; a candidate selector configured for selecting from the number of calls represented in the candidate pool for inclusion in a call graph based on a sufficient importance value; and an importance value adjuster configured for adjusting the importance value of any call represented in the call graph.

Abstract: Preparing a computer software application for static analysis by identifying a control flow within a model portion of a computer software application having a model-view-controller architecture, where the control flow passes a value to a controller portion of the computer software application, analyzing a declarative specification of the controller portion of the computer software application to identify a view to which the controller portion passes control based on the value, and synthesizing a method within the computer software application, where the method calls the view.

Abstract: Crawling computer-based documents by performing static analysis on a computer-based document to identify within the computer-based document one or more execution vectors, where each execution vector includes a computer program segment including a call to an entity that is external to the computer-based document, and one or more additional computer program segments whose execution precedes and leads ultimately to execution of the computer program segment that includes the call to the entity, and causing any of the computer program segments in any of the execution vectors to be executed during a crawling of the computer-based document, and any computer program segment within the computer-based document that is excluded from the execution vectors to be excluded from execution during the crawling of the computer-based document.

Abstract: Detecting security vulnerabilities in web applications by interacting with a web application at a computer server during its execution at the computer server, identifying client-side instructions provided by the web application responsive to an interaction with the web application, where the client-side instructions are configured to be implemented by a client computer that receives the client-side instructions from the computer server, evaluating the identified client-side instructions, and identifying a security vulnerability associated with the client-side instructions.

Abstract: Testing computer software applications is implemented by probing a computer software application to determine the presence in the computer software application of any data-checking features, and applying a rule to the data-checking features that are determined to be present in the computer software application, thereby producing a testing set of inputs. The testing set includes any sets of inputs that were used to test sets of data-checking software, where each of the sets of data-checking software includes one or more data sanitizers and/or data validators, and where the rule is configured to produce the testing set to include one or more of the sets of inputs when the rule is applied to any of the data-checking features. The computer software application is tested using the testing set.

Abstract: A method for distributed static analysis of computer software applications, includes: statically analyzing instructions of a computer software application; identifying at least one entry point in the computer software application; assigning a primary agent to statically analyze the computer software application from the entry point; assigning a secondary agent to statically analyze a call site encountered by the primary agent and produce a static analysis summary of the call site; and presenting results of any of the static analyzes via a computer-controlled output device.

Abstract: A method, computer program product, and system for transforming unit tests is described. A unit test associated with one or more software units is identified. A first input parameter of the unit test is identified. A substitute parameter value is determined, wherein the substitute parameter value is associated with a security test for the one or more software units. A value of the first input parameter in the unit test is replaced with the substitute parameter value. The unit test including the substitute parameter value is implemented for the one or more software units. A first security issue associated with the one or more software units is identified, based upon, at least in part, replacing the first input parameter of the unit test with the substitute parameter value and implementing the unit test including the substitute parameter value.

Abstract: A method, computer program product, and system for transforming unit tests is described. A unit test associated with one or more software units is identified. A first input parameter of the unit test is identified. A substitute parameter value is determined, wherein the substitute parameter value is associated with a security test for the one or more software units. A value of the first input parameter in the unit test is replaced with the substitute parameter value. The unit test including the substitute parameter value is implemented for the one or more software units. A first security issue associated with the one or more software units is identified, based upon, at least in part, replacing the first input parameter of the unit test with the substitute parameter value and implementing the unit test including the substitute parameter value.