Automated Application Security Testing in Two Pharmacovigilance Systems

University essay from Uppsala universitet/Institutionen för informationsteknologi

Author: Daniel Fehrm; [2023]

Abstract: To improve the security of IT systems, companies can use automated security testing. In this thesis, three methods for automated security testing are evaluated and compared against each other. These three methods are Static Application Security Testing (SAST), Dynamic Application Security Testing (DAST) and Interactive Application Security Testing (IAST). To test these three methods, three different tools have been tested on two web-based IT systems for pharmacovigilance. These systems collect and process side-effect reports from medicines and vaccines (called ICSRs and AEFI reports). These systems aid governmental agencies in tracking the side effects of medicines and vaccines in their country to improve medicinal safety. The three tested tools are SonarQube (SAST), OWASP ZAP (DAST) and Contrast Community Edition (IAST). From the evaluations and tests of the tools, the thesis determines what vulnerabilities the methods and tools are capable of identifying, how much time is required for execution, following up the results and maintenance, what requirements the tools have on the environment they are running in and if the tools can be integrated into existing build and release pipelines.
