Please use this identifier to cite or link to this item:
http://hdl.handle.net/10609/131946
Field | Value
---|---
Title | Integración de analizadores automáticos de código (Integration of automated code analyzers)
Author | Fernández Román, Urko
Tutor | Caparrós, Joan
Others | Pérez-Solà, Cristina
Abstract | This thesis studies the SAST, DAST, IAST and SCA tools listed on the OWASP website. Three complementary tools are selected and a way is proposed to integrate them into the development and deployment cycle of a WordPress-based website built from open source components by a small team. The goal is a solution that does not disrupt the development workflow, does not require a steep learning curve, and significantly reduces the number of vulnerabilities. The work is divided into two parts: first, the strengths and weaknesses, performance and result presentation of the various tools are analysed; then the selected tools are integrated into the SDLC, with a methodology for reducing false positives through a pragmatic, iterative strategy of learning good security practices. The proposed solution consists entirely of open source tools backed by OWASP itself: ASST (SAST), ZAP (DAST) and Dependency-Check (SCA). A proposal is also made for how to integrate each tool into the different phases and how to use their results in a process of continuous improvement. As an example, the results of analyses of a real website developed a year and a half earlier in WordPress are shown. Despite the obvious differences in functionality and integration capabilities between powerful commercial tools and these open source solutions, the latter have proven able to adapt to the context, with great potential for improvement and learning opportunities.
Keywords | OWASP; SDLC; bugs
Document type | info:eu-repo/semantics/masterThesis (master's thesis)
Issue Date | 1-Jun-2021
Publication license | http://creativecommons.org/licenses/by-nc-sa/3.0/es/
Appears in Collections | Trabajos finales de carrera, trabajos de investigación, etc. (Final degree projects, research works, etc.)
Files in This Item:
File | Description | Size | Format
---|---|---|---
ufernandezrTFM0621memoria.pdf | Master's thesis report (Memoria del TFM) | 4.55 MB | Adobe PDF
This item is licensed under a Creative Commons License