{"status":"ok","message-type":"work","message-version":"1.0.0","message":{"indexed":{"date-parts":[[2025,8,2]],"date-time":"2025-08-02T18:05:36Z","timestamp":1754157936646,"version":"3.41.2"},"reference-count":23,"publisher":"Emerald","issue":"2","license":[{"start":{"date-parts":[[2010,5,4]],"date-time":"2010-05-04T00:00:00Z","timestamp":1272931200000},"content-version":"tdm","delay-in-days":0,"URL":"https:\/\/www.emerald.com\/insight\/site-policies"}],"content-domain":{"domain":[],"crossmark-restriction":false},"short-container-title":[],"published-print":{"date-parts":[[2010,5,4]]},"abstract":"<jats:sec><jats:title content-type=\"abstract-heading\">Purpose<\/jats:title><jats:p>The purpose of this paper is to propose a metadata\u2010driven approach and the associated technologies to deal with ever\u2010rising web security issue. The approach applies metadata techniques to envision semantic validation for new types of vulnerability.<\/jats:p><\/jats:sec><jats:sec><jats:title content-type=\"abstract-heading\">Design\/methodology\/approach<\/jats:title><jats:p>Token decomposition design was applied to move analysis work into abstract level. This novel approach can solve the issues by using a dual control method to perform vulnerability validation.<\/jats:p><\/jats:sec><jats:sec><jats:title content-type=\"abstract-heading\">Findings<\/jats:title><jats:p>Current analysis has been lack in metadata foundation, the vulnerability is invisible due to semantic obfuscation. This paper reflects the limitation of existing methods. It applies metadata\u2010driven approach to move physical and syntax analysis into semantic validation.<\/jats:p><\/jats:sec><jats:sec><jats:title content-type=\"abstract-heading\">Research limitations\/implications<\/jats:title><jats:p>Currently, certain difficulties may be encountered in preparing benchmarking for dual control process before completing development work. However, this paper tries to create scenarios which can be a reference, to evaluate the semantic validation.<\/jats:p><\/jats:sec><jats:sec><jats:title content-type=\"abstract-heading\">Practical implications<\/jats:title><jats:p>In consideration of the optimized control and vulnerability rate, Structural Query Language (SQL) injection is taken as an example in demonstration. This approach targets large enterprise and high complexity, and the research intends to impact industry to generate common practices such as metadata standards and development tools.<\/jats:p><\/jats:sec><jats:sec><jats:title content-type=\"abstract-heading\">Originality\/value<\/jats:title><jats:p>This paper contributes originality in applying metadata strategy to envision semantic structure. It further favours the service industry in building up portfolio foundation in component\u2010based technologies. As the new type of vulnerability can be precisely specified, it can minimize business impact and achieve efficient vulnerability detection.<\/jats:p><\/jats:sec>","DOI":"10.1108\/13287261011042912","type":"journal-article","created":{"date-parts":[[2010,5,8]],"date-time":"2010-05-08T07:06:55Z","timestamp":1273302415000},"page":"105-119","source":"Crossref","is-referenced-by-count":1,"title":["The architecture and industry applications of web security in static and dynamic analysis"],"prefix":"10.1108","volume":"12","author":[{"given":"Raymond","family":"Wu","sequence":"first","affiliation":[]},{"given":"Masayuki","family":"Hisada","sequence":"additional","affiliation":[]}],"member":"140","reference":[{"key":"key2022012720060743900_b1","unstructured":"Anley, C. (2002), \u201cAdvanced SQL injection in SQL server applications\u201d, white paper, Next Generation Security (NGS) Software, Sutton, available at: www.ngssoftware.com\/papers\/advanced_sql_injection.pdf"},{"key":"key2022012720060743900_b2","doi-asserted-by":"crossref","unstructured":"Buehrer, G., Weide, B. and Sivilotti, P. (2005), \u201cUsing parse tree validation to prevent SQL injection attacks\u201d, Proceedings of the 5th international Workshop on Software Engineering and Middleware, Lisbon, ACM Press, New York, NY, pp. 106\u201013.","DOI":"10.1145\/1108473.1108496"},{"key":"key2022012720060743900_b3","doi-asserted-by":"crossref","unstructured":"Chan, R. and Rosemann, M. (2001), \u201cManaging knowledge in enterprise systems\u201d, Journal of Systems and Information Technology (JOSIT), Vol. 5 No. 2, pp. 37\u201054.","DOI":"10.1108\/13287260180000765"},{"key":"key2022012720060743900_b4","doi-asserted-by":"crossref","unstructured":"Christensen, A., M\u00f8ller, A. and Schwartzbach, M. (2003), \u201cPrecise analysis of string expressions\u201d, Proceedings of the International Static Analysis Symposium (SAS'03), San Diego, CA, pp. 1\u201018.","DOI":"10.1007\/3-540-44898-5_1"},{"key":"key2022012720060743900_b5","doi-asserted-by":"crossref","unstructured":"Dysart, F. and Sherriff, M. (2007), Automated Fix Generator for SQL Injection Attacks, University of Virginia, Charlottesville, VA.","DOI":"10.1109\/ISSRE.2008.44"},{"key":"key2022012720060743900_b6","unstructured":"Gegick, M. and Williams, L. (2009), \u201cToward the use of automated static analysis alerts for early identification of vulnerability\u2010 and attack\u2010prone components\u201d, research paper, North Carolina State University, Raleigh, NC."},{"key":"key2022012720060743900_b7","unstructured":"Gould, C., Su, Z. and Devanbu, P. (2004), \u201cStatic checking of dynamically generated queries in database applications\u201d, Proceedings of the 26th International Conference on Software Engineering (ICSE 2004), Edinburgh, pp. 645\u201054."},{"key":"key2022012720060743900_b8","doi-asserted-by":"crossref","unstructured":"Halfond, G. and Orso, A. (2005), \u201cAMNESIA: analysis and monitoring for neutralizing SQL\u2010injection attacks\u201d, ASE, Long Beach, CA.","DOI":"10.1145\/1101908.1101935"},{"key":"key2022012720060743900_b9","unstructured":"Hinton, H., Hondo, M. and Hutchison, B. (2005), \u201cSecurity patterns within a service\u2010oriented architecture\u201d, IBM SOA Journal, available at: www.ibm.com\/websphere\/developer\/services (accessed November)."},{"key":"key2022012720060743900_b10","doi-asserted-by":"crossref","unstructured":"Huang, Y., Huang, S., Lin, T. and Tsai, C. (2003), \u201cWeb application security assessment by fault injection and behavior monitoring\u201d, Proceedings of the 12th International World Wide Web Conference, Budapest, pp. 148\u201059.","DOI":"10.1145\/775152.775174"},{"key":"key2022012720060743900_b11","doi-asserted-by":"crossref","unstructured":"Kosuga, Y., Kono, K. and Hanaoka, M. (2007), \u201cSania: syntactic and semantic analysis for automated testing against SQL injection\u201d, 23rd Annual Computer Security Applications Conference (ACSAC 2007), Miami Beach, FL, pp. 107\u201017.","DOI":"10.1109\/ACSAC.2007.20"},{"key":"key2022012720060743900_b12","doi-asserted-by":"crossref","unstructured":"Liu, A. and Yuan, Y. (2009), \u201cA stavrou, SQLProb: a proxy\u2010based architecture towards preventing SQL injection attacks\u201d, SAC, Honolulu, HI, 8\u201012 March.","DOI":"10.1145\/1529282.1529737"},{"key":"key2022012720060743900_b13","unstructured":"Livshits, B. (2006), \u201cImproving software security with precise static and runtime analysis\u201d, PhD thesis, Stanford University, available at: http:\/\/suif.stanford.edu\/\u223clivshits\/papers\/pdf\/thesis.pdf"},{"key":"key2022012720060743900_b14","unstructured":"Pietraszek1, T. and Berghe, C. (2004), Defending against Injection Attacks through Context\u2010Sensitive String Evaluation, IBM Zurich Research Laboratory, R\u00fcschlikon and Katholieke Universiteit, Leuven, available at: http:\/\/tadek.pietraszek.org\/publications\/pietraszek05_defending.pdf"},{"key":"key2022012720060743900_b15","doi-asserted-by":"crossref","unstructured":"Shoham, S. et al. (2007), \u201cStatic specification mining using automata\u2010based abstractions\u201d, ISSTA, pp. 174\u201084.","DOI":"10.1145\/1273463.1273487"},{"key":"key2022012720060743900_b16","doi-asserted-by":"crossref","unstructured":"S\u00f6derstr\u00f6m, E., \u00c5hlfeldt, R. and Eriksson, N. (2009), \u201cStandards for information security and processes in healthcare\u201d, Journal of Systems and Information Technology, Vol. 11 No. 3, pp. 295\u2010308.","DOI":"10.1108\/13287260910983650"},{"key":"key2022012720060743900_b17","unstructured":"TCS, IBM and EDS (2007), \u201cAbstract syntax tree metamodel (ASTM)\u201d, OMG document."},{"key":"key2022012720060743900_b18","unstructured":"Turker, K. and Gertz, M. (1999), \u201cSemantic integrity support in SQL\u201099 and commercial (object\u2010) relational database management systems\u201d, Swiss Federal Institute of Technology (ETH), Zurich."},{"key":"key2022012720060743900_b19","doi-asserted-by":"crossref","unstructured":"Wassermann, G. and Su, Z. (2008), \u201cStatic detection of cross\u2010site scripting vulnerabilities\u201d, ICSE, pp. 171\u201080.","DOI":"10.1145\/1368088.1368112"},{"key":"key2022012720060743900_b20","unstructured":"Wu, R. (2007), \u201cService design and automata theory\u201d, International Conference on Enterprise Information System and Web Technologies (EISSWT\u201007), Orlando, FL, pp. 53\u20107."},{"key":"key2022012720060743900_b21","unstructured":"Wu, R., Hisada, H. and Ranaweera, R. (2009a), \u201cStatic analysis of web security in generic syntax format\u201d, The 2009 International Conference on Internet Computing (ICOMP 2009), Las Vegas, NV, pp. 58\u201063."},{"key":"key2022012720060743900_b22","doi-asserted-by":"crossref","unstructured":"Wu, R., Hisada, M. and Ranaweera, R. (2009b), \u201cStatic and dynamic analysis for web security in generic format\u201d, ICGS3 International Conference on Global Security, Safety and Sustainability, London.","DOI":"10.1007\/978-3-642-04062-7_25"},{"key":"key2022012720060743900_b23","unstructured":"Xu, W., Bhatkar, S. and Sekar, R. (2006), Practical Dynamic Taint Analysis for Countering Input Validation Attacks on Web Applications, Stony Brook University, available at: http:\/\/seclab.cs.sunysb.edu\/seclab\/pubs\/seclab\u201005\u201004.pdf"}],"container-title":["Journal of Systems and Information Technology"],"original-title":[],"language":"en","link":[{"URL":"http:\/\/www.emeraldinsight.com\/doi\/full-xml\/10.1108\/13287261011042912","content-type":"unspecified","content-version":"vor","intended-application":"text-mining"},{"URL":"https:\/\/www.emerald.com\/insight\/content\/doi\/10.1108\/13287261011042912\/full\/xml","content-type":"application\/xml","content-version":"vor","intended-application":"text-mining"},{"URL":"https:\/\/www.emerald.com\/insight\/content\/doi\/10.1108\/13287261011042912\/full\/html","content-type":"unspecified","content-version":"vor","intended-application":"similarity-checking"}],"deposited":{"date-parts":[[2025,7,25]],"date-time":"2025-07-25T00:24:18Z","timestamp":1753403058000},"score":1,"resource":{"primary":{"URL":"http:\/\/www.emerald.com\/jsit\/article\/12\/2\/105-119\/246452"}},"subtitle":[],"short-title":[],"issued":{"date-parts":[[2010,5,4]]},"references-count":23,"journal-issue":{"issue":"2","published-print":{"date-parts":[[2010,5,4]]}},"alternative-id":["10.1108\/13287261011042912"],"URL":"https:\/\/doi.org\/10.1108\/13287261011042912","relation":{},"ISSN":["1328-7265"],"issn-type":[{"type":"print","value":"1328-7265"}],"subject":[],"published":{"date-parts":[[2010,5,4]]}}}