Framework for security assessments in web applications
Main author: | Cruz, Dinis Barroqueiro |
---|---|
Publication date: | 2023 |
Document type: | Dissertation (master's thesis) |
Language: | eng |
Source: | Repositório Científico de Acesso Aberto de Portugal (Repositórios Científicos) |
Full text: | http://hdl.handle.net/10773/41043 |
Abstract: | Web applications are widely used today, and as a result the security of those solutions is essential to their smooth operation. Although the application security practices and tools used to detect and mitigate vulnerabilities were initially manual, automation in the software development lifecycle has paved the way for integrating security concerns and security testing into that cycle. By examining the current solutions and concepts connected with these practices, and by merging various components to create a richer analysis of web applications, this thesis concentrates on the problems and opportunities of this integration. Different solutions exist for different problems, and combining their results is imperative to produce a homogeneous view of the security problems of a web application. This combination is not always trivial: even when tools emit output in the same structured language, transforming those results still depends on tool-specific knowledge of who produced them. This issue is addressed by standards such as the Static Analysis Results Interchange Format (SARIF), which aim to produce a comprehensive and repeatable result regardless of the analysis instrument used. In order to produce vulnerability insights into web applications, the work produced by this thesis orchestrates a variety of tools. The orchestrator is designed to be easy to use, adaptable to a variety of environments, and to provide a clear interface for adding new application security solutions. The EHDEN portal, a web application with a long development history and few security considerations, serves as the validation target, making it possible to evaluate the performance of the work and to discuss the virtues and shortcomings of this integrated approach. |
Keywords: | Application security; Vulnerability assessment; Static Analysis Results Interchange Format (SARIF); Continuous integration and continuous delivery; Docker |
Author: | Cruz, Dinis Barroqueiro |
Dates: | Published 2023-07-06; deposited in the repository 2024-03-12 |
Type: | Master's thesis, published version |
Access rights: | Open access |
Format: | application/pdf |
Identifier: | oai:ria.ua.pt:10773/41043 |
Institution: | Agência para a Sociedade do Conhecimento (UMIC) - FCT - Sociedade da Informação (RCAAP) |
Repository: | Repositório Científico de Acesso Aberto de Portugal (Repositórios Científicos) |
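The abstract describes an orchestrator that runs several scanners and merges their output through SARIF into one homogeneous view that a CI/CD pipeline can act on. The script below is an added illustration of that idea and is not code from the thesis or from the EHDEN project: it flattens two constructed SARIF 2.1.0 logs from two hypothetical tools (ExampleSAST and ExampleDepScan), resolves each result's effective severity by the SARIF precedence rule (result.level, then the rule's defaultConfiguration.level, then "warning"), deduplicates across tools, emits a combined SARIF log, and applies a simple pipeline gate. All tool names, rule IDs, file paths and findings are invented sample data.

```python
import json
from collections import Counter
from dataclasses import dataclass

# Constructed SARIF 2.1.0 logs for illustration only; neither the tools nor the
# findings come from the thesis. They mimic two scanners run on one repository.
SAST_LOG = json.loads("""{
  "version": "2.1.0",
  "$schema": "https://json.schemastore.org/sarif-2.1.0.json",
  "runs": [{
    "tool": {"driver": {"name": "ExampleSAST", "rules": [
      {"id": "py/sql-injection", "shortDescription": {"text": "SQL built from user input"},
       "defaultConfiguration": {"level": "error"}},
      {"id": "py/debug-enabled", "shortDescription": {"text": "Debug mode left on"},
       "defaultConfiguration": {"level": "warning"}}]}},
    "results": [
      {"ruleId": "py/sql-injection", "ruleIndex": 0,
       "message": {"text": "Query built with an f-string from a request argument"},
       "locations": [{"physicalLocation": {"artifactLocation": {"uri": "app/db.py"},
                                           "region": {"startLine": 42}}}]},
      {"ruleId": "py/debug-enabled", "ruleIndex": 1, "level": "note",
       "message": {"text": "DEBUG = True in settings"},
       "locations": [{"physicalLocation": {"artifactLocation": {"uri": "app/settings.py"},
                                           "region": {"startLine": 7}}}]}]}]}""")

DEPSCAN_LOG = json.loads("""{
  "version": "2.1.0",
  "runs": [{
    "tool": {"driver": {"name": "ExampleDepScan", "rules": [
      {"id": "outdated-dependency",
       "shortDescription": {"text": "Pinned version has fixes available"}}]}},
    "results": [
      {"ruleId": "outdated-dependency", "ruleIndex": 0,
       "message": {"text": "requests is pinned below the current release"},
       "locations": [{"physicalLocation": {"artifactLocation": {"uri": "requirements.txt"},
                                           "region": {"startLine": 3}}}]}]}]}""")

SEVERITY_RANK = {"error": 3, "warning": 2, "note": 1, "none": 0}


@dataclass(frozen=True)
class Finding:
    """Tool-independent record: the common denominator every scanner maps onto."""
    tool: str
    rule_id: str
    level: str
    uri: str
    start_line: int
    message: str


def lookup_rule(run, result):
    """Resolve a result to its rule object, by ruleIndex first, then by ruleId."""
    rules = run.get("tool", {}).get("driver", {}).get("rules", [])
    idx = result.get("ruleIndex")
    if idx is not None and 0 <= idx < len(rules):
        return rules[idx]
    return next((r for r in rules if r.get("id") == result.get("ruleId")), None)


def effective_level(result, rule):
    """SARIF 2.1.0 precedence: result.level, else the rule's
    defaultConfiguration.level, else "warning". Reading only result.level
    would silently demote the SQL-injection finding above to "warning"."""
    if "level" in result:
        return result["level"]
    if rule is not None:
        return rule.get("defaultConfiguration", {}).get("level", "warning")
    return "warning"


def flatten(log):
    """Turn one SARIF log, from any tool, into a flat list of Finding records."""
    out = []
    for run in log.get("runs", []):
        tool = run["tool"]["driver"]["name"]
        for result in run.get("results", []):
            rule = lookup_rule(run, result)
            rule_id = result.get("ruleId") or (rule or {}).get("id", "")
            level = effective_level(result, rule)
            text = result.get("message", {}).get("text", "")
            for loc in result.get("locations", [{}]):
                phys = loc.get("physicalLocation", {})
                uri = phys.get("artifactLocation", {}).get("uri", "")
                line = phys.get("region", {}).get("startLine", 0)
                out.append(Finding(tool, rule_id, level, uri, line, text))
    return out


def merge_findings(logs):
    """Normalised, deduplicated view across tools, most severe first."""
    seen = {}
    for log in logs:
        for f in flatten(log):
            seen.setdefault((f.tool, f.rule_id, f.uri, f.start_line), f)
    return sorted(seen.values(),
                  key=lambda f: (-SEVERITY_RANK.get(f.level, 0), f.uri, f.start_line))


def merge_sarif(logs):
    """SARIF allows many runs per log, so the orchestrator can also emit one
    combined file that any SARIF viewer or code-scanning upload will accept."""
    return {"version": "2.1.0", "runs": [run for log in logs for run in log.get("runs", [])]}


def summarize(findings):
    return dict(Counter(f.level for f in findings))


def pipeline_passes(findings, fail_on="error"):
    """CI gate: the job fails if any finding is at or above the fail_on level."""
    threshold = SEVERITY_RANK[fail_on]
    return all(SEVERITY_RANK.get(f.level, 0) < threshold for f in findings)


if __name__ == "__main__":
    merged = merge_findings([SAST_LOG, DEPSCAN_LOG])
    for f in merged:
        print(f"{f.level:7} {f.tool:15} {f.uri}:{f.start_line}  {f.rule_id}  {f.message}")
    print(summarize(merged), "pass" if pipeline_passes(merged) else "FAIL")
```

The precedence rule in `effective_level` is the caveat worth remembering when writing such an orchestrator: many tools omit `level` on individual results and rely on the rule's default, so a merger that only reads `result["level"]` under-counts the most severe findings and lets a pipeline gate pass when it should fail.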