it's an interesting topic, definitely worth a read but i think the
research falls very short for usefulness. AFAICT, all the security
issues addressed are variations of unsanitized string interpolations.
the detecting method is roughly taint variable propagation, which
isn't too different in dynamic languages (vs static ones).