Software Security Assessment and Analysis using OWASP ASVS
Shaees, Shamoil (2022)
Master's Programme in Information Technology
Faculty of Information Technology and Communication Sciences
This publication is copyrighted. Only for Your own personal use. Commercial use is prohibited.
Acceptance date
2022-12-05
Permanent address of the publication:
https://urn.fi/URN:NBN:fi:tuni-202211248628
Abstract
Currently, web applications are widely used because they are accessible from anywhere at any time through the internet. This makes web applications an attractive target for malicious attackers. Moreover, web applications include many third-party libraries and components, which may inherit vulnerabilities if the source and integrity of their source code are not verified. Therefore, the security of web applications cannot be neglected, and there is a need to verify an application's implementation against the rules or checklists defined by different security standards.
There are multiple standards developed by different organizations for verifying web application or product security, but finding the relevant standard that is applicable to the application under test is difficult. In this master's thesis work, one of the initial goals was to research different security standards and find the one that fulfils the security verification needs of the M-Files web application. The OWASP ASVS standard was found to be the most relevant standard for the M-Files web verification. The aims of this thesis work were to find the relevant ASVS controls and verification approaches for verifying the M-Files web implementation, to verify how effectively the M-Files web implementation meets the ASVS requirements, to draw a comparison among different security standards, and lastly to define how the ASVS guide can be used as a secure coding guideline or for code review.
In this thesis work, the M-Files web application was verified against the OWASP ASVS requirements. The M-Files web application is an extension of the M-Files desktop application, and a large number of customers prefer to use M-Files web because it is easily accessible from anywhere. Initially, the 13 ASVS level 1 control requirements that were applicable to M-Files web were verified; additional verification against the level 2 requirements was then done due to high demand from stakeholders and customers. The M-Files web implementation was verified according to each requirement's type and description: which type of vulnerability the requirement refers to and how it can be tested. The testing methods used for this verification include source code review, manual testing, and automated testing.
During the verification and testing, 16 issues were found in the M-Files web implementation against the OWASP ASVS level 1 requirements and 15 issues against the level 2 requirements. These issues were reported to the relevant development teams, and as a result some fixes were made in the M-Files web implementation. Moreover, several improvement action points were proposed as a result of this thesis work to raise the existing security level and support the continuous development of M-Files web. Overall, the security of the M-Files web application is in a good state. M-Files web fulfils around 83% of the ASVS requirements for level 1 and around 78% for level 2. With further improvements in upcoming releases, these figures will keep increasing.