Security testing as a service with docker containerization

Abstract

Nowadays web applications are used widely in day to day life. These web applications needs to be secured from vulnerabilities. In order to test how much a web application is secured, testers use various web vulnerability scanners [1]. But in order to run scans as expected, these tools need to be properly configured and also consume lots of resources. This paper explains how developers can test the security of their web applications properly using a provided automated security testing service. This system is capable of running a dynamic security scan with Zed Attack Proxy tool, running a static code analysis security scan with FindSecBugs plugin and do a dependency check with Open Web Application Security Project (OWASP) dependency check tool through docker containerization. End user needs to provide their source code, the database dump and Uniform Resource Locators (URLs)/credentials for any login pages of their web application to the system. Then the system will run the scans and provide security reports without false positives by freeing end user from all the burden of manual security testing.