Applications Security Testing tools are one of the resources most widely used by developers to guarantee the security of applications. Tools implement static and dynamic vulnerability detection and it is not possible to identify a single tool that is able to find all the vulnerabilities.
The main objective of this thesis is to develop a modular and scalable system to integrate different tools inside a Continuous Integration/Continuous Delivery Pipeline. Docker containerization and tools stateless execution allow parallelism and replication. As a result of the analysis of a web application, the system execution produces as output a unique JSON report that contains all the vulnerabilities found by the tools executed, with a risk score associated to each vulnerability.
For implementation, two Application Security Testing tools, OWASP ZAP and SonarQube, have been integrated using the Gitlab platform for applying DevOps methodology to Java Web application analysis. Results on the OWASP Benchmark test suite confirm a consistent improvement of the security analysis and allow comparison of tools accuracy by vulnerability category.