Security testing for web applications: A Systematic Literature Review

As the use of the Internet grows, the number and relevance of web applications have also grown, being an integral part of many sectors and businesses. However this growth has adverse effects in the form of increased security threats. Given the large number of current vulnerabilities and the wide variety of testing techniques and tools used to find vulnerabilities, it becomes complex for software developers and application testers to select the proper tools and techniques to test potential threats.This paper aims to collect and classify current security-oriented software testing tools, techniques, and security development models for web systems. According to the STRIDE threat model, our, classification considers software development activities, and associated security threats. To accomplish our goal, we conducted a systematic literature review (SLR), from 2017 to 2022. We identified 18 software testing techniques, 88 tools and four secure development processes, methodologies or models. We found a great variety of tools and techniques, from traditional penetration testing to state-of-the-art Artificial Intelligence supported tools, and we associate different threats found with their respectively testing techniques and STRIDE classification. We believe that our work serves as a foundation for software testers to select proper and modern techniques, tools, and security models, processes or methodologies related to security testing, in accordance with their threat analysis, potentially improving their security testing for web systems.