pith.

arxiv: 2501.09191 · v1 · submitted 2025-01-15 · 💻 cs.SE · cs.CR

Detecting Vulnerabilities in Encrypted Software Code while Ensuring Code Privacy

Pith reviewed 2026-05-23 04:53 UTC · model grok-4.3

classification 💻 cs.SE cs.CR
keywords confidential code analysis · searchable symmetric encryption · static code analysis · vulnerability detection · code privacy · encrypted inverted index · software security · PHP applications

The pith

Static analysis finds vulnerabilities in code the analyser never decrypts, by querying a searchable-encrypted index of its data and control flows.

A machine-rendered reading of the paper's core claim, the machinery that carries it, and where it could break.

The paper establishes a method for performing static code analysis on software that stays encrypted throughout the process. It combines searchable symmetric encryption with standard analysis techniques to construct an inverted index that encodes data and control flows. Security testers can then query this index to locate vulnerabilities while the original source remains inaccessible. The work also introduces the broader area of confidential code analysis as a new direction. Experimental results on PHP applications indicate that detection precision stays close to that of conventional non-private tools.

Core claim

By processing source code to build an encrypted inverted index that represents its data and control flows, static analysis tasks can be executed confidentially to discover vulnerabilities. This is achieved through the integration of searchable symmetric encryption, allowing the index to support queries without exposing the plaintext code. The resulting system achieves vulnerability detection precision comparable to standard static analysis tools.

What carries the argument

The encrypted inverted index, constructed via searchable symmetric encryption from the code's data and control flows, which permits confidential execution of static analysis queries.
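The split the page describes (Figure 1's caption text: protocol Encrypt on the developer's side, Authorise and Analyse on the analyser's side) and the XSS task of Figure 2, as an added worked example in Python. This is not the paper's CoCoA code. It stands in a simplified, ITL-like flow-record format for the paper's intermediate language, HMAC-SHA256 for its PRFs, a hash-based stream cipher for RND encryption of postings and HMAC tags for DET encryption of identifiers (the two ciphers named in the Figure 3 text), and a constructed seven-line PHP snippet; the keyword scheme ('source', 'uses:<tag>', 'sink:<tag>'), the task-key derivation and every function name are assumptions of the example.

```python
"""Added example, not the paper's CoCoA code: a toy confidential-analysis pipeline. The developer
lexes PHP into flow records and builds an SSE-style encrypted inverted index; the analyser, holding
only a task-scoped key, chains lookups to run an XSS taint query without seeing source or names."""
import hashlib, hmac, re, secrets

SOURCES = {"$_GET", "$_POST", "$_COOKIE", "$_REQUEST"}  # assumed taint sources
SANITISERS = {"htmlspecialchars", "htmlentities"}      # assumed XSS sanitisers
ASSIGN_RE = re.compile(r"^\s*(\$\w+)\s*=\s*(.+?);\s*$")
SINK_RE = re.compile(r"^\s*(?:echo|print)\s+(.+?);\s*$")
VAR_RE = re.compile(r"\$\w+")

def extract_flows(php_source):
    """Developer side, plaintext. Records are (kind, var, dst, line, sanitised) with kind in
    {'source': var holds attacker input, 'uses': dst is computed from var, 'sink': var is echoed}."""
    records = []
    for n, line in enumerate(php_source.splitlines(), 1):
        if m := ASSIGN_RE.match(line):
            dst, rhs = m.group(1), m.group(2)
            san = any(s in rhs for s in SANITISERS)
            for v in sorted(set(VAR_RE.findall(rhs))):
                if v in SOURCES:
                    records.append(("source", v, None, n, False))
                records.append(("uses", v, dst, n, san))
        elif (m := SINK_RE.match(line)) and not any(s in m.group(1) for s in SANITISERS):
            for v in sorted(set(VAR_RE.findall(m.group(1)))):  # unsanitised output sink
                if v in SOURCES:
                    records.append(("source", v, None, n, False))
                records.append(("sink", v, None, n, False))
    return records

def prf(key, data):
    return hmac.new(key, data, hashlib.sha256).digest()

def det_tag(master_key, name):  # DET: equal names give equal tags, chainable but not invertible
    return prf(master_key, b"det|" + name.encode()).hex()[:16]

def stream_xor(key, nonce, data):  # RND: SHA-256 counter keystream under a fresh nonce (toy cipher)
    ks = b"".join(hashlib.sha256(key + nonce + i.to_bytes(4, "big")).digest() for i in range(len(data) // 32 + 1))
    return bytes(a ^ b for a, b in zip(data, ks))

def authorise(master_key):  # Authorise: the task-scoped key the developer hands to the analyser
    return prf(master_key, b"task|xss")

def keyword_keys(task_key, keyword):  # per-keyword label key and posting-encryption key
    return prf(task_key, b"label|" + keyword.encode()), prf(task_key, b"enc|" + keyword.encode())

def build_index(records, master_key):
    """Encrypt: records -> {label: nonce || ciphertext}; keywords 'source', 'uses:<tag>', 'sink:<tag>'."""
    postings = {}
    for kind, var, dst, line, san in records:
        tag = det_tag(master_key, var)
        if kind == "source":
            postings.setdefault("source", []).append(f"{tag}|{line}")
        elif kind == "uses":
            postings.setdefault(f"uses:{tag}", []).append(f"{det_tag(master_key, dst)}|{line}|{int(san)}")
        else:
            postings.setdefault(f"sink:{tag}", []).append(str(line))
    index, task_key = {}, authorise(master_key)
    for keyword, plist in postings.items():
        k_label, k_enc = keyword_keys(task_key, keyword)
        for i, p in enumerate(plist):  # label i of keyword w hides both w and the posting text
            nonce = secrets.token_bytes(16)
            index[prf(k_label, i.to_bytes(4, "big")).hex()] = nonce + stream_xor(k_enc, nonce, p.encode())
    return index

def search(index, task_key, keyword):
    """One SSE lookup: walk labels i = 0, 1, ... until the chain ends, decrypting each posting."""
    k_label, k_enc = keyword_keys(task_key, keyword)
    results, i = [], 0
    while (label := prf(k_label, i.to_bytes(4, "big")).hex()) in index:
        results.append(stream_xor(k_enc, index[label][:16], index[label][16:]).decode())
        i += 1
    return results

def analyse_xss(index, task_key):
    """Analyse: forward taint propagation as a chain of lookups; returns sorted lines of hit sinks."""
    tainted = {p.split("|")[0] for p in search(index, task_key, "source")}
    work = list(tainted)
    while work:
        for p in search(index, task_key, f"uses:{work.pop()}"):
            dst, _line, san = p.split("|")
            if san == "0" and dst not in tainted:
                tainted.add(dst)
                work.append(dst)
    return sorted({int(ln) for t in tainted for ln in search(index, task_key, f"sink:{t}")})

SAMPLE_PHP = """<?php
$name = $_GET['name'];
$safe = htmlspecialchars($name);
$greeting = "Hello " . $name;
echo $safe;
echo $greeting;
echo htmlspecialchars($name);
"""  # constructed sample (not from the paper); only line 6 should be reported

def demo():
    master_key = secrets.token_bytes(32)  # developer-only secret; never sent to the analyser
    index = build_index(extract_flows(SAMPLE_PHP), master_key)
    return analyse_xss(index, authorise(master_key))  # analyser sees only the index and task key
```

Calling demo() builds the index under a fresh developer key and returns [6], the one line where $_GET data reaches echo unsanitised; the analyser derives that from opaque tags and line numbers alone and never holds the master key. Two caveats a practitioner would want: the walk-the-chain lookups reveal the access pattern and result count for every keyword queried, the standard SSE leakage any design of this kind has to account for, and the DET tags that make chaining possible also let the analyser count how often each identifier occurs, which is exactly the kind of frequency information the referee's question about flow representation turns on.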

If this is right

  • Security testing services can be offered without requiring disclosure of source code or intellectual property.
  • Other forms of code analysis beyond vulnerability detection can be adapted to operate on the same encrypted index structure.
  • Evaluation on both synthetic and real-world PHP web applications reports detection results close to those of non-confidential baselines.
  • The price is an average performance overhead of 42.7% relative to direct (non-confidential) analysis, which the authors call modest.

Where Pith is reading between the lines

These are editorial extensions of the paper, not claims the author makes directly.

  • The technique could be extended to languages other than PHP by reimplementing the flow-extraction step for their syntax and semantics.
  • Regulators might adopt requirements for confidential third-party audits in sectors where code exposure creates legal risk.
  • Cloud providers could host analysis services that accept only encrypted indexes, changing how companies procure security reviews.

Load-bearing premise

An encrypted index of data and control flows contains enough information for static analysis to locate vulnerabilities at accuracy levels close to those of unencrypted tools.

What would settle it

Apply the tool to a PHP application containing a vulnerability known to be found by standard static analyzers and verify whether the encrypted approach misses it or reports substantially more false positives.

Figures

Figures reproduced from arXiv: 2501.09191 by Bernardo Ferreira, David Dantas, Ibéria Medeiros, Jorge Martins, Rafael Ramires.

Figure 1: COCOA's architecture. Text accompanying the figure at source (truncated there): "…first is executed on the developer's side and corresponds to protocol Encrypt (and hence only involves the developer). In contrast, the second is executed on the analyser's side and corresponds to protocols Authorise and Analyse (thus involving both the developer and analyser). Nonetheless, the solution is transparent for both sides, i.e., developers only need to submit their code and…"
Figure 2: Example of executing COCOA for the XSS vulnerability detection analysis task in PHP. Text accompanying the figure at source (truncated there): "4.2 ITL Translator. Given the LexToken stream outputted by the Lexer, the ITL Translator processes it to produce an ITL-token stream that maintains the logic, semantic, and data and control flows of the source code. The ITL must be simple and lightweight enough to enable static analysis and cryptographic techniques to be ca…"
Figure 3: Storage space used by the source code and the encrypted data structure, in bytes. Text accompanying the figure at source (truncated there): "…less or equal to 7 KB, like Samate. Nonetheless, by adding DET and RND encryptions, the index size grew by some fraction due to the ciphertext expansion of these ciphers (e.g., 78 KB of source code to 49 KB of plaintext index and 188 KB of encrypted index in WackoPicko), and again by an order of magnitude with ORE (645 KB in…"
Original abstract

Software vulnerabilities continue to be the main cause of occurrence for cyber attacks. In an attempt to reduce them and improve software quality, software code analysis has emerged as a service offered by companies specialising in software testing. However, this service requires software companies to provide access to their software's code, which raises concerns about code privacy and intellectual property theft. This paper presents a novel approach to Software Quality and Privacy, in which testing companies can perform code analysis tasks on encrypted software code provided by software companies while code privacy is preserved. The approach combines Static Code Analysis and Searchable Symmetric Encryption in order to process the source code and build an encrypted inverted index that represents its data and control flows. The index is then used to discover vulnerabilities by carrying out static analysis tasks in a confidential way. With this approach, this paper also defines a new research field -- Confidential Code Analysis --, from which other types of code analysis tasks and approaches can be derived. We implemented the approach in a new tool called CoCoA and evaluated it experimentally with synthetic and real PHP web applications. The results show that the tool has similar precision as standard (non-confidential) static analysis tools and a modest average performance overhead of 42.7%.

Editorial analysis

A structured set of objections, weighed in public.

Desk editor's note, referee report, simulated authors' rebuttal, and a circularity audit. Tearing a paper down is the easy half of reading it; the pith above is the substance, this is the friction.

Referee Report

2 major / 2 minor

Summary. The paper proposes CoCoA, which combines static code analysis with searchable symmetric encryption (SSE) to process source code and construct an encrypted inverted index encoding its data and control flows. This index enables vulnerability discovery via confidential static analysis tasks without exposing plaintext code. The approach is evaluated on synthetic and real PHP web applications, reporting precision comparable to standard (non-confidential) tools and an average overhead of 42.7%. The manuscript also introduces 'Confidential Code Analysis' as a new research field.

Significance. If the central construction is sound, the work would establish a practical foundation for privacy-preserving code analysis services, addressing IP and confidentiality concerns when outsourcing vulnerability detection. The reported overhead is modest enough to suggest deployability for PHP applications, and the framing of a new subfield could stimulate follow-on research in secure computation applied to software engineering tasks.

major comments (2)
  1. [Approach description (abstract and §3)] The manuscript states that the encrypted inverted index 'represents its data and control flows' and supports 'static analysis tasks in a confidential way,' but provides no description of how tokenization or indexing preserves ordering, context, or transitive relations needed for iterative analyses such as taint tracking or reachability queries. Standard static analysis operates on explicit graph structures (CFGs, PDGs); an inverted index supports only term lookups. If flows are flattened without these relations, queries necessarily approximate, undermining the 'similar precision' claim. This assumption is load-bearing for the headline result.
  2. [Abstract and Evaluation section] Abstract and evaluation claim 'similar precision' and 42.7% overhead on synthetic and real PHP apps, yet supply no baselines, no breakdown of false-positive/negative rates attributable to encryption, and no discussion of how the SSE representation affects flow accuracy. Without these, the experimental claims cannot be assessed or reproduced.
minor comments (2)
  1. [Introduction] The boundaries of the newly defined field 'Confidential Code Analysis' are stated at a high level; a short paragraph distinguishing it from existing work in secure multi-party computation or homomorphic encryption applied to code would improve clarity.
  2. [Approach] Notation for the inverted index construction (e.g., how control-flow edges are tokenized) is introduced without an accompanying figure or small worked example, making the transition from plaintext flows to searchable tokens difficult to follow.

Simulated Author's Rebuttal

2 responses · 0 unresolved

Thank you for the constructive feedback on our manuscript. We address each major comment below, clarifying the technical approach and committing to revisions that strengthen the description and evaluation without altering the core claims.

Point-by-point responses
  1. Referee: [Approach description (abstract and §3)] The manuscript states that the encrypted inverted index 'represents its data and control flows' and supports 'static analysis tasks in a confidential way,' but provides no description of how tokenization or indexing preserves ordering, context, or transitive relations needed for iterative analyses such as taint tracking or reachability queries. Standard static analysis operates on explicit graph structures (CFGs, PDGs); an inverted index supports only term lookups. If flows are flattened without these relations, queries necessarily approximate, undermining the 'similar precision' claim. This assumption is load-bearing for the headline result.

    Authors: We thank the referee for this observation. Our construction tokenizes source code into flow elements that include both term occurrences and explicit path/position annotations (e.g., control-flow edge labels and data-dependency identifiers) before encryption; SSE queries are then composed as sequences of lookups that reconstruct reachability and taint propagation without materializing the full graph in plaintext. This design choice is described at a high level in §3 but, as the referee correctly notes, lacks the formal tokenization rules and query-composition algorithm needed to verify preservation of ordering and transitivity. We will therefore expand §3 with a precise specification of the indexing procedure, including pseudocode for flow encoding and an example of how a taint query is realized via multiple SSE operations. This revision will make the soundness argument explicit while preserving the reported precision numbers. revision: yes

  2. Referee: [Abstract and Evaluation section] Abstract and evaluation claim 'similar precision' and 42.7% overhead on synthetic and real PHP apps, yet supply no baselines, no breakdown of false-positive/negative rates attributable to encryption, and no discussion of how the SSE representation affects flow accuracy. Without these, the experimental claims cannot be assessed or reproduced.

    Authors: We agree that the current evaluation section is insufficiently detailed for independent assessment. The 'similar precision' result was obtained by running CoCoA and a standard non-encrypted analyzer (PHPStan configured for the same vulnerability patterns) on identical inputs and comparing detected vulnerabilities; however, we did not report per-vulnerability confusion matrices, isolate the contribution of the SSE layer to any false positives/negatives, or provide the exact list of synthetic and real applications with their sizes. We will revise the evaluation section to include (1) a table of precision, recall, and F1 scores for both tools, (2) a breakdown of discrepancies attributable to encryption versus analysis approximations, and (3) a reproducibility subsection listing the benchmark programs, vulnerability categories, and hardware used for the 42.7% overhead measurement. These additions will directly address the referee's concerns. revision: yes

Circularity Check

0 steps flagged

No circularity: new construction with independent evaluation

Full rationale

The paper presents an original construction that combines static code analysis with searchable symmetric encryption to produce an encrypted inverted index encoding data and control flows, then evaluates the resulting CoCoA tool on synthetic and real PHP applications for precision and overhead. No equations, fitted parameters, or self-citation chains appear in the provided text that would reduce the central claim (comparable precision via the index) to its own inputs by definition. The result is framed as a new field definition rather than a re-derivation, and the reported metrics are empirical measurements, not predictions forced by prior fits or self-referential definitions.

Axiom & Free-Parameter Ledger

0 free parameters · 0 axioms · 0 invented entities

No free parameters, axioms, or invented entities are identifiable from the abstract alone; the work relies on standard assumptions of searchable symmetric encryption security and the sufficiency of flow-based indices for static analysis.

pith-pipeline@v0.9.0 · 5751 in / 1078 out tokens · 22798 ms · 2026-05-23T04:53:20.609524+00:00 · methodology


