Mining SQL injection and cross site scripting vulnerabilities using hybrid program analysis

LK Shar, HBK Tan, LC Briand - 2013 35th International …, 2013 - ieeexplore.ieee.org
In previous work, we proposed a set of static attributes that characterize input validation and
input sanitization code patterns. We showed that some of the proposed static attributes are
significant predictors of SQL injection and cross site scripting vulnerabilities. Static attributes
have the advantage of reflecting general properties of a program. Yet, dynamic attributes
collected from execution traces may reflect more specific code characteristics that are
complementary to static attributes. Hence, to improve our initial work, in this paper, we …

[PDF] Mining SQL injection and cross site scripting vulnerabilities using hybrid program analysis. (2013)

LK Shar, HBK TAN, LC BRIAND - Proceedings of the 35th ACM/IEEE …, 2013 - core.ac.uk
In previous work, we proposed a set of static attributes that characterize input validation and
input sanitization code patterns. We showed that some of the proposed static attributes are
significant predictors of web application vulnerabilities related to SQL injection and cross
site scripting. Static attributes have the advantage of reflecting general properties of a
program. Yet, dynamic attributes collected from execution traces may reflect more specific
code characteristics that are complementary to static attributes. Hence, to improve our initial …