Testing a Web Application Security Standard

Information security is becoming an ever more important part of web application development and sales. Since the European Union's General Data Protection Regulation (GDPR) came into force in 2018, web application owners can face concrete penalties for neglecting security in their web applications. Customers are therefore more interested in information security, but because they often lack knowledge of the technology behind web application security, it has become more important for the web application provider to test and prove the security of its applications.

The goal of this project was to develop an efficient method for testing web applications against an existing security standard and proving the results, while maintaining a reasonable workload. The security standard covers all of the Open Web Application Security Project's (OWASP) Top 10 most critical web application vulnerabilities. A secondary goal was to create a method for efficiently reporting the results of web application security testing.

In the first part of the development phase, suitable tools for penetration testing web applications were researched. The penetration testing was originally conducted manually using OWASP's own web application penetration testing tool, Zed Attack Proxy (ZAP). After the security of the web application had been tested manually against the security standard and the results reported, manual penetration testing was concluded to be too inefficient to integrate into the web application development workflow. In the second part of the development phase the goal was to automate the testing that had been conducted manually in the first part. The automation was implemented using a version control tool, Bitbucket, and a continuous integration tool, CircleCI.
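As an added illustration of the automation described above (not the thesis's own configuration), the following CircleCI pipeline runs the ZAP baseline scan against a deployed test instance and fails the build on FAIL-level findings; the Docker image name, the target URL and the report paths are assumptions.

```yaml
# CircleCI 2.1 pipeline: run the OWASP ZAP baseline scan from CI.
version: 2.1

jobs:
  zap-baseline:
    # Linux VM executor so the ZAP Docker image can be run directly.
    machine:
      image: ubuntu-2004:current
    environment:
      # Assumed: URL of the staging deployment to scan (constructed value).
      TARGET_URL: https://staging.example.test
    steps:
      - run:
          name: Run ZAP baseline scan
          command: |
            # ZAP writes its reports to /zap/wrk inside the container; the
            # directory is made world-writable so the container's zap user
            # can write into the mounted volume.
            mkdir -p zap-report && chmod 777 zap-report
            # The baseline scan spiders and passively checks only the
            # unauthenticated surface; pages behind a login stay untested.
            # Exit codes: 0 = pass, 1 = FAIL alerts, 2 = WARN alerts only.
            # -I stops WARN-only results from failing the build.
            docker run --rm \
              -v "$(pwd)/zap-report:/zap/wrk:rw" \
              owasp/zap2docker-stable zap-baseline.py \
              -t "$TARGET_URL" \
              -r zap-report.html \
              -J zap-report.json \
              -I
      # Keep the HTML and JSON reports with the build for reporting.
      - store_artifacts:
          path: zap-report
          destination: zap-report

workflows:
  security-scan:
    jobs:
      - zap-baseline
```

A non-zero exit from `zap-baseline.py` marks the job failed, so FAIL-level alerts block the pipeline while the stored reports document what was found.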

The outcome of the project was two separate testing methods. The first is a manual testing method, conducted by hand and requiring the attention of a penetration tester; it is an accurate and extensive testing method for web applications. The second is a completely automated testing method that can be integrated into the web application development workflow. The automated method is less accurate than the manual one but requires no work from the penetration tester after the initial configuration.

The project goals were reached once the automated testing method had been developed. Further development of the automated penetration testing is recommended, since authentication could not be automated within the limited time available to the project. This means that parts of the web application under test may remain untested unless authentication is automated. The automated testing method will, however, test all parts of the web application that do not require authentication.
