Comparison and Evaluation of Process-Accompanying Open-Source Application Security Testing Tools for Implementing DevSecOps in the Software Development Life Cycle

  • Andreas Pilgerstorfer

    Student thesis: Master's Thesis

    Abstract

    The growing use of digital technologies and the increasing connectivity of systems make cyber security an important component in the maintenance, development and testing of software products. However, addressing non-functional requirements such as cyber security remains a major challenge for organisations. In agile software development in particular, implementing security measures is difficult because project requirements change constantly. This thesis introduces the DevSecOps concept, an extension of DevOps that integrates security practices into the development process. Particular attention is paid to the sub-area of automated security testing.

    The aim of this thesis is to analyse requirements for open-source security testing tools. Tools from the areas of Software Composition Analysis (SCA), Static Application Security Testing (SAST) and Dynamic Application Security Testing (DAST) are evaluated and compared against those requirements. In addition, the results produced by the tools are compared with each other in a benchmark analysis. For the SCA analysis, the tools Dependency-Check, OSV-Scanner, Trivy and Dep-Scan are analysed using a self-developed benchmark. The SAST tools SonarQube, Horusec, Insider, VisualCodeGrepper, Sast-Scan, Semgrep and Bearer, as well as the DAST tools Zed Attack Proxy, Arachni and Wapiti, are evaluated with the OWASP Benchmark.

    Based on the requirements analysis and the benchmark tests, Dependency-Check can be recommended in the area of software composition analysis. The SAST tool with the best results in both analyses is SonarQube. Among the Dynamic Application Security Testing tools, Zed Attack Proxy can be recommended for practical use due to its good results.

    Date of Award: 2024
    Original language: German (Austria)
    Supervisor: Gabriel Kronberger (Supervisor)
