Selection of open-source web vulnerability scanner as testing tool in continuous software development


Full details

Bibliographic information
Main author: Riepponen, Mika
Advisor: Frantti, Tapio
Other authors: Faculty of Information Technology, Information Technology, University of Jyväskylä
Material type: Master's thesis (pro gradu)
Language: English
Published: 2024
Subjects: web vulnerability scanner, web scanner, dynamic application security testing, dast, development security operations, devsecops, continuous software development, software engineering, data security, vulnerability, scanners, cyber security, software development
Links: https://jyx.jyu.fi/handle/123456789/94465, http://www.urn.fi/URN:NBN:fi:jyu-202404253092
Abstract: Security is a critical part of web applications, and vulnerabilities should be prevented, or identified and fixed, as early in the development process as possible. The purpose of this study is to determine how well open-source web vulnerability scanners are suited to testing a commercial web application in continuous software development. The need for this study came from Secapp Oy. Two open-source web vulnerability scanners, ZAP and Wapiti, were chosen to be evaluated. These two scanners were chosen because they were the only open-source web vulnerability scanners found in the latest studies that had a command-line interface and were still in active development. Both scanners contributed to improving the security of the target web application. Neither of the scanners was so fast that it could be included in the integration pipeline as a test. Both scanners can be utilized as a periodic automated scanner. ZAP offered more customization options for the scan, most importantly the possibility to flag scan findings as false positives and to skip the crawling phase and only scan listed URLs. ZAP was also faster, more precise, found a wider set of vulnerabilities and had better crawling coverage. Based on the results, ZAP was chosen to scan the target web application between releases to test each major version for vulnerabilities.