Framework and Tools for IT Security within Logistics and Infrastructure oriented Operations: With a focus on Static Application Security Testing
Dalarna University, School of Information and Engineering.
Dalarna University, School of Information and Engineering.
2022 (English). Independent thesis, Basic level (degree of Bachelor), 10 credits / 15 HE credits. Student thesis.
Abstract [en]

Static Application Security Testing (SAST) tools are security tools that claim to help with the security of an IT system. SAST tools are technical solutions that operate within the continuous integration pipeline of the system. The tool uses frameworks such as OWASP and CWE to detect common vulnerabilities in the codebase by analysing code in the build and test phases of continuous integration. The problem with SAST tools is that there are many different beliefs surrounding them. Some say they are crucial for security, while others believe they are less helpful and can even inhibit projects by introducing false positives. This thesis determines whether SAST tools are an effective solution to security problems within an IT system. The focus was on logistics- and infrastructure-oriented operations, which the partner company Triona operates within.

We use a literature review to examine similar, previously conducted research, combined with interviews with experienced people within the fields. This gives qualitative results that, coupled with previous research, can be generalized.

The results show that SAST tools are effective if used responsibly. Both the literature and the interviews conclude that SAST tools are not enough on their own to satisfy security requirements but must be combined with responsible use of the tools as well as code reviews and other types of testing. SAST tools are also shown to have some problems, mainly false positives and false negatives. There are also problems related to the implementation of the tools: the costs that come with implementation, as well as the time spent on it. Other problems are poor communication with developer teams, which led to developers not knowing what to do in case of errors reported by the tool. The interviews conducted provide information that SAST tools are not only tools for security but also help with the manageability of code bases.

Place, publisher, year, edition, pages
2022.
Keywords [en]
SAST, Continuous integration, SonarQube, OWASP, CWE, Security tools
National Category
Information Systems
Identifiers
URN: urn:nbn:se:du-42403
OAI: oai:DiVA.org:du-42403
DiVA, id: diva2:1692520
External cooperation
Triona
Subject / course
Informatics
Available from: 2022-09-02. Created: 2022-09-02. Last updated: 2022-09-02. Bibliographically approved.

Open Access in DiVA

Full text (805 kB), 242 downloads
File information
File name: FULLTEXT01.pdf
File size: 805 kB
Checksum SHA-512: a8ab8af7eb656c98431d57fd92f57cfbc14c767a3c99712a87467e4d0ddb4e04d031a7489a7d815addda252f63e1455815bf33494bb27f4bd2de627224d548d3
Type: fulltext
Mimetype: application/pdf

By organisation
School of Information and Engineering
Information Systems

Total: 242 downloads
Total: 412 hits