
ETD

Digital archive of theses defended at the Università di Pisa

Thesis etd-07042022-195433


Thesis type
Master's thesis
Author
APARO, CARMELO
URN
etd-07042022-195433
Title
Security Analysis of Java Web Applications within Continuous Integration/Continuous Delivery Pipeline
Department
INGEGNERIA DELL'INFORMAZIONE
Degree programme
COMPUTER ENGINEERING
Supervisors
supervisor Prof. Bernardeschi, Cinzia
supervisor Prof. Lettieri, Giuseppe
supervisor Dr. Lucattini, Fabio
Keywords
  • devsecops
  • application security testing
  • continuous integration/continuous delivery
  • secure software development life cycle
Defence session start date
22/07/2022
Availability
Not available for consultation
Release date
22/07/2062
Abstract
Application Security Testing tools are among the resources most widely used by developers to guarantee the security of applications. Such tools implement static and dynamic vulnerability detection, and no single tool is able to find all the vulnerabilities.
The main objective of this thesis is to develop a modular and scalable system that integrates different tools inside a Continuous Integration/Continuous Delivery pipeline. Docker containerization and stateless execution of the tools allow parallelism and replication. As a result of the analysis of a web application, the system produces as output a single JSON report that contains all the vulnerabilities found by the executed tools, with a risk score associated with each vulnerability.
For the implementation, two Application Security Testing tools, OWASP ZAP and SonarQube, have been integrated using the GitLab platform, applying the DevOps methodology to Java web application analysis. Results on the OWASP Benchmark test suite confirm a consistent improvement of the security analysis and allow a comparison of tool accuracy by vulnerability category.