Publicação

Evaluation of Static Analysis Tools in Detecting OWASP Top 10 Vulnerabilities

Ver documento

Detalhes bibliográficos
Resumo:The popularity of Web applications has been growing due to their ease of access through a simple Internet connection, benefiting countless business sectors, including online banking. However, they are often developed over tight schedules and therefore subject to deployment with critical vulnerabilities. The integration of SAST tools throughout the development cycle of a web application could precisely mitigate their presence. Given the transition from the OWASP Top 10 to the 2021 version, it is essential to assess whether the detection capacity can deal with this new set of risks. To compare the detection capacity of seven SAST tools against the categories of vulnerabilities covered by the OWASP Top 10, a benchmarking methodology was implemented and then applied to evaluate their performance. The workload built for this consists of three realistic web applications (WebGoat, JuiceShop and Mutillidae), two sets of synthetic test cases (Juliet Test Suite and OWASP Benchmark) and four open-source web applications developed in real contexts (Piwigo, Shopizer, PeerTube and Metafresh). By using this formulation, it is possible to concentrate a diverse sample of vulnerable instances that are representative of those in the OWASP Top 10, while exposing the SAST tools to the scalability and complexity of code characteristic of real web applications. In addition to an individual assessment of the SAST tools' detection capabilities, the impact of their combined use on the final performance was also analyzed and an analogy was made with the agreement level of the tools involved. To this end, the implementation of the most common strategy of combining the tools' outputs was also accompanied by the development and application of a new approach where, unlike this one, it is the tool with the best performance against a given issue that has the greatest weight on the results merge. Since different SAST tools provide different outputs, besides being able to benefit from their combination, characterizing them based on a set of metrics reflecting scenarios with distinct requirements (criticality and budget) will allow the respective tools to be assigned to the context that best matches their effectiveness. To understand in which scenario the analyzed web application fits and, consequently, to use the ranking obtained for it, a strategy was formulated to verify its criticality level. This research also included an assessment of the SAST tools' usability level.
Autores principais:Marçal, Inês Martins
Assunto:web application OWASP Top 10 static analysis tools benchmarking performance evaluation Aplicação Web OWASP Top 10 ferramentas de análise estática benchmarking avaliação de performance
Ano:2024
País:Portugal
Tipo de documento:dissertação de mestrado
Tipo de acesso:acesso aberto
Instituição associada:Universidade de Coimbra
Idioma:inglês
Origem:Estudo Geral - Universidade de Coimbra
Descrição
Resumo:The popularity of Web applications has been growing due to their ease of access through a simple Internet connection, benefiting countless business sectors, including online banking. However, they are often developed over tight schedules and therefore subject to deployment with critical vulnerabilities. The integration of SAST tools throughout the development cycle of a web application could precisely mitigate their presence. Given the transition from the OWASP Top 10 to the 2021 version, it is essential to assess whether the detection capacity can deal with this new set of risks. To compare the detection capacity of seven SAST tools against the categories of vulnerabilities covered by the OWASP Top 10, a benchmarking methodology was implemented and then applied to evaluate their performance. The workload built for this consists of three realistic web applications (WebGoat, JuiceShop and Mutillidae), two sets of synthetic test cases (Juliet Test Suite and OWASP Benchmark) and four open-source web applications developed in real contexts (Piwigo, Shopizer, PeerTube and Metafresh). By using this formulation, it is possible to concentrate a diverse sample of vulnerable instances that are representative of those in the OWASP Top 10, while exposing the SAST tools to the scalability and complexity of code characteristic of real web applications. In addition to an individual assessment of the SAST tools' detection capabilities, the impact of their combined use on the final performance was also analyzed and an analogy was made with the agreement level of the tools involved. To this end, the implementation of the most common strategy of combining the tools' outputs was also accompanied by the development and application of a new approach where, unlike this one, it is the tool with the best performance against a given issue that has the greatest weight on the results merge. Since different SAST tools provide different outputs, besides being able to benefit from their combination, characterizing them based on a set of metrics reflecting scenarios with distinct requirements (criticality and budget) will allow the respective tools to be assigned to the context that best matches their effectiveness. To understand in which scenario the analyzed web application fits and, consequently, to use the ranking obtained for it, a strategy was formulated to verify its criticality level. This research also included an assessment of the SAST tools' usability level.