
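@comment{Reference record for the CMC 64(3) 2020 paper benchmarking static
  analysis (SAST) tools against the OWASP Top Ten categories. The author list is
  stored as "Last, First" names joined by " and " so BibTeX can split it (the
  publisher export separated names with commas, which BibTeX parses as a single
  malformed name). Accented letters use brace-wrapped LaTeX escapes so the entry
  sorts and renders the same under classic BibTeX and Biber. Only acronyms and
  proper nouns in the title are brace-protected; the style applies the casing.
  The abstract text is kept as exported.}
@article{cmc.2020.010885,
  author   = {Bermejo Higuera, Juan R. and Bermejo Higuera, Javier and Sicilia Montalvo, Juan A. and Cubo Villalba, Javier and Nombela P{\'e}rez, Juan Jos{\'e}},
  title    = {Benchmarking Approach to Compare {Web} Applications Static Analysis Tools Detecting {OWASP Top Ten} Security Vulnerabilities},
  journal  = {Computers, Materials \& Continua},
  year     = {2020},
  volume   = {64},
  number   = {3},
  pages    = {1555--1577},
  issn     = {1546-2226},
  doi      = {10.32604/cmc.2020.010885},
  url      = {http://www.techscience.com/cmc/v64n3/39444},
  abstract = {To detect security vulnerabilities in a web application, the security analyst
    must choose the best performance Security Analysis Static Tool (SAST) in terms of
    discovering the greatest number of security vulnerabilities as possible. To compare static
    analysis tools for web applications, an adapted benchmark to the vulnerability categories
    included in the known standard Open Web Application Security Project (OWASP) Top
    Ten project is required. The information of the security effectiveness of a commercial
    static analysis tool is not usually a publicly accessible research and the state of the art on
    static security tool analyzers shows that the different design and implementation of those
    tools has different effectiveness rates in terms of security performance. Given the
    significant cost of commercial tools, this paper studies the performance of seven static
    tools using a new methodology proposal and a new benchmark designed for vulnerability
    categories included in the known standard OWASP Top Ten project. Thus, the
    practitioners will have more precise information to select the best tool using a benchmark
    adapted to the last versions of OWASP Top Ten project. The results of this work have
    been obtaining using widely acceptable metrics to classify them according to three
    different degree of web application criticality.},
}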



