Static and Dynamic Analysis for Web Security in Generic Format

摘要

Further to the milestone we achieved in flagging and logging by using generic abstract syntax format, we applied metadata messaging to identify individual node. In order to explore the concept of generic format, we are currently investigating security automaton, event based trigger, and their interference by means of node identification and state transfer. Our objective in web security is to move black box to white box in enterprise practices. In this paper, we explain how our approaches achieve the goal in terms of static and dynamic analysis. To better explain the framework and roadmap of analysis work, we describe our approaches by using macro and micro views individually. Macro view covers analysis of the abstract syntax structure and block identification are the key in flow tracking. Micro view includes node to node interference, the metadata messaging, security automaton we applied, and interoperability between event and node. The logging outputs produced by static analysis can be further developed for dynamic analysis. This bridge the static and dynamic analysis by using tracking and validation techniques. This can also build up the foundation of the web security governance.