Abstract
This paper focuses on reverse engineering web application for security mechanisms detection in the current design and thereby presents a security evaluation method for web application taking consideration of potential threats, security features provided by the detected security mechanisms and user's security objectives. Based on our previous work on risk assessment for web applications, evaluation of current security implementation is conducted combining core security structure detection and security knowledge checklist matching. Reverse engineering techniques have been used to extract system models from source code based on which security relevant artefacts are identified and matched with built security artefacts base. The paper describes the general structure of the proposed method.