Invention Grant
US09305168B2 Modular static application security testing (in force)

Modular static application security testing
Abstract:
Methods, systems, and computer-readable storage media for analyzing source code of an application. In some implementations, actions include determining, for at least one procedure invoked by the source code, a procedure specification specifying one or more conditions under which one or more parameters of the procedure are exploitable according to a parameter security specification; performing static application security testing on the source code by using the procedure specification on reaching an invocation of the procedure in the source code, including: comparing one or more invoking parameters of the invocation of the procedure to the conditions of the procedure specification; and determining whether the invocation of the procedure is exploitable.