Application Security Testing (*AST) is a corner stone of secure software development or a Security Development Life Cycle (SDLC). To improve the efficiency and effectiveness of security testing we research on hybrid approaches: combining dynamic, static, and interactive testing as well as testing of hybrid applications.

Application Security Testing

Static Application Security Testing (SAST) and Dynamic Application Security Testing (DAST) as well as more recently Interactive Application Security Testing (IAST) and Runtime Application Self-Protection (RASP) are widely used to improve the security of software products [1]. In fact, they are a corner stone of a comprehensive security testing strategy [2]. While we, in the context of HOL-TestGen, we also work on (formal) model-based security testing approaches, we also work on more applied Dynamic and Static Code Analysis (DASCA) topics. In particular, we research hybrid application security testing approaches. Here, hybrid refers both to combining static, dynamic, and interactive security testing approaches as well as approaches target the security of hybrid or polyglot applications (i.e., applications written in multiple programming languages). As another line of research, and as a key-enabler for successful software security programs in SecDevOps and Cloud-development scenarios, we are interested in approaches combining application security testing and runtime self-protection.


A first prototypical implementation of our analysis for hybrid Android apps is available as free software in our git repository.

Important Publications

1. Brucker, A. D. and Sodan, U. “Deploying Static Application Security Testing on a Large ScaleGI sicherheit 2014 228, (2014): 91–101. URL:

2. Bachmann, R. and Brucker, A. D. “Developing Secure Software: A Holistic Approach to Security TestingDatenschutz und Datensicherheit (DuD) 38, no. 4 (2014): 257–261. doi:10.1007/s11623-014-0102-0, URL:

3. Felderer, M., Büchler, M., Johns, M., Brucker, A. D., Breu, R., and Pretschner, A. “Security Testing: A SurveyAdvances in Computers 101, (2016): 1–51. doi:10.1016/bs.adcom.2015.11.003, URL:

4. Brucker, A. D. and Herzberg, M. “On the Static Analysis of Hybrid Mobile Apps: A Report on the State of Apache Cordova NationInternational symposium on engineering secure software and systems (essos) (2016): 72–88. doi:10.1007/978-3-319-30806-7_5, URL:

5. Dashevskyi, S., Brucker, A. D., and Massacci, F. “A Screening Test for Disclosed Vulnerabilities in FOSS ComponentsIEEE Trans. Software Eng. (2018): URL: