Table 9. Comparison of findings.
| Source | OWASP Top 10 | CWE Top 25 | Real-world apps | Finding(s)/Contribution(s) | Limitation(s) |
|---|---|---|---|---|---|
| Tudela et al. (2020) | 2017 | N | N | A combination of SAST (Fortify), DAST (Arachni, OWASP ZAP) and IAST (CCE) approaches is best. | OWASP Benchmark Project only |
| Setiawan, Erlangga & Baskoro (2020) | 2017 | N | Y | IAST approach (Jenkins, API ZAP and SonarQube) provides greater test accuracy. | 1 domain |
| Li (2020) | 2017 | 2019 | Y | Checkmarx for SAST | 1 custom-made app |
| Cruz, Almeida & Oliveira (2023) | 2021 | N | – | OWASP ZAP for DAST; Bandit for SAST | No information about target apps |
| Khanum, Qadir & Jehan (2023) | 2021 | N | Y¹ | OWASP ZAP is effective for five categories. | Only OWASP ZAP |
| This work | 2021 | 2023 | Y² | (1) The DAST approach is suitable for OWASP Top 10:2021 and the SAST approach for CWE Top 25:2023. (2) OWASP ZAP is the best tool for OWASP Top 10:2021; Yasca and Snyk are the best for CWE Top 25:2023. (3) Yasca is best for high-severity, IronWASP for medium-severity, and Vega for low-severity vulnerabilities. (4) OWASP ZAP is consistent in effectiveness in terms of both count and severity of vulnerabilities. | Tools did not identify vulnerabilities in all risk categories. |

Notes:
¹ 50 live; 20 locally hosted.
² 75 locally hosted.