
Benchmarking Approach to Compare Web Applications Static Analysis Tools Detecting OWASP Top Ten Security Vulnerabilities

Authors: Juan R. Bermejo Higuera, Javier Bermejo Higuera, Juan A. Sicilia Montalvo, Javier Cubo Villalba, Juan José Nombela Pérez

Affiliation: Escuela Superior de Ingeniería y Tecnología, Universidad Internacional de La Rioja, La Rioja 26006, Spain

Publication: Computers, Materials & Continua (in English)

Year/Volume/Issue: 2020, Vol. 64, No. 9

Pages: 1555-1577

Subject classification: 0831 [Engineering - Biomedical Engineering (degrees may be conferred in Engineering, Science or Medicine)]; 0808 [Engineering - Electrical Engineering]; 0809 [Engineering - Electronic Science and Technology (degrees may be conferred in Engineering or Science)]; 08 [Engineering]; 0805 [Engineering - Materials Science and Engineering (degrees may be conferred in Engineering or Science)]; 0701 [Science - Mathematics]; 0801 [Engineering - Mechanics (degrees may be conferred in Engineering or Science)]; 0812 [Engineering - Computer Science and Technology (degrees may be conferred in Engineering or Science)]

Funding: Software Engineering and Security

Keywords: Web application; benchmark; security vulnerability; Security Analysis Static Tools; assessment methodology; false positive; false negative; precision; f-measure

Abstract: To detect security vulnerabilities in a web application, the security analyst must choose the best performance Security Analysis Static Tool (SAST) in terms of discovering the greatest number of security vulnerabilities as *** compare static analysis tools for web applications, an adapted benchmark to the vulnerability categories included in the known standard Open Web Application Security Project (OWASP) Top Ten project is *** information of the security effectiveness of a commercial static analysis tool is not usually a publicly accessible research and the state of the art on static security tool analyzers shows that the different design and implementation of those tools has different effectiveness rates in terms of security *** the significant cost of commercial tools, this paper studies the performance of seven static tools using a new methodology proposal and a new benchmark designed for vulnerability categories included in the known standard OWASP Top Ten ***, the practitioners will have more precise information to select the best tool using a benchmark adapted to the last versions of OWASP Top Ten *** results of this work have been obtained using widely acceptable metrics to classify them according to three different degrees of web application criticality.
