
Evaluation of Static Security Analysis Tools on Open Source Distributed Applications

Vincenzo Di Stasio. Evaluation of Static Security Analysis Tools on Open Source Distributed Applications. Supervisor: Riccardo Sisto. Politecnico di Torino, Master's degree programme in Ingegneria Informatica (Computer Engineering), 2022.

PDF (Tesi_di_laurea) - Thesis, 4MB download.
License: Creative Commons Attribution Non-commercial No Derivatives.
Abstract:

The use of static security analysis tools is becoming common practice in distributed application development, with the goal of discovering as many security vulnerabilities as possible. To compare static analysis tools for web applications, a benchmark adapted to the vulnerability categories of the well-known Open Web Application Security Project (OWASP) Top Ten is required. The aim of this thesis is to evaluate some static security analysis tools by applying them to a significant set of distributed open-source applications. Distinct tools produce different results depending on factors such as the complexity of the code under analysis and the application scenario, and so they miss some vulnerabilities while reporting false positives. While some benchmarks already exist for evaluating these tools, they are not well aligned with the latest web development techniques. The work consists of identifying some relevant and modern open-source projects to use as benchmarks. Some static security analysis tools were then run on the selected projects and results on their performance were collected, following the evaluation methodology suggested by OWASP. The results of this work were obtained using widely accepted metrics to classify them. The selected open-source projects are based on the JavaScript and Python languages.

Supervisors: Riccardo Sisto
Academic year: 2022/23
Publication type: Electronic
Number of pages: 91
Degree programme: Master's degree programme in Ingegneria Informatica (Computer Engineering)
Degree class: New system > Master's degree > LM-32 - INGEGNERIA INFORMATICA
Partner companies: NOT SPECIFIED
URI: http://webthesis.biblio.polito.it/id/eprint/24514