This article proposes an adaptive methodology for quantitative security assessment of web applications based on standardized requirements from the OWASP Application Security Verification Standard (ASVS). This methodology takes into account various aspects of website security, including authentication, authorization, data protection, input handling, and others. The proposed approach allows obtaining quantitative metrics for the level of compliance with each requirement, thus ensuring objectivity and transparency of the evaluation process for both auditors and web application owners. The use of clearly defined numerical metrics facilitates unambiguous interpretation of results and avoids subjectivity in determining the security level of a web application. Based on the analysis of OWASP ASVS requirements, a relevant subset of requirements was formed to assess the security of websites of varying complexity. It was assumed that the expert conducting the assessment possesses the necessary technical competencies and has access to web application development documentation. For each requirement, a structured set of criteria was developed with clearly defined evaluation rules to obtain quantitative indicators. A system of weight coefficients was introduced to determine the significance of each criterion and requirement, and their normalization was performed. The weight coefficients of requirements are established considering the functionality, website architecture, and availability of access to technical documentation or source code. To ensure methodology adaptivity, the auditor has the ability to modify any weight coefficients. The implementation of an adaptive approach to security assessment allows forming individual requirements based on architecture and functionality of a web application by adjusting weight coefficients. This flexible model ensures more accurate results that reflect the website's actual security state.

web application security, quantitative assessment, OWASP ASVS, evaluation criteria, security assessment

Full Text:

PDF

1. Zahid A. (2024) Vulnerability detection and prevention: an approach to enhance cybersecurity. MS Computer Science. https://doi.org/10.13140/RG.2.2.31687.71841

2. Humayun. M., Niazi. M., & Jhanjhi. N. (2020). Cyber Security Threats and Vulnerabilities: A Systematic Mapping Study / M. Humayun et al. Arabian Journal for Science and Engineering. (Vol. 45(4)). (pp 3171–3189). https://doi.org/10.1007/s13369-019-04319-2.

3. Asaduzzaman M. (2020). Security Aspects of ePayment System and Improper Access Control in Microtransactions. EasyChair.

4. (2024) Data Breach Investigations Report. Verizon Business. https://www.verizon.com/business/resources/reports/2024-dbir-data-breach-investigations-report.pdf.

5. Lella I., Theocharidou M., Magonara E. (2024). Enisa threat landscape. ENISA, 2024.

6. Ravindran U., Potukuchi R. V. (2022). A review on web application vulnerability assessment and penetration testing. Review of Computer Engineering Studies. (Vol. 9(1)). https://doi.org/ 10.18280/rces.090101

7. Pentest monkey. https://pentestmonkey.net/

8. I. Yaqoob, S.A. Hussain, & S. Mamoon. (2017) Penetration Testing and Vulnerability Assessment . Journal of Network Communications and Emerging Technologies (JNCET). 2017. (Vol. 7(8)).

9. N. Rane, & A. Qureshi. (2024). Comparative Analysis of Automated Scanning and Manual Penetration Testing for Enhanced Cybersecurity. 12th International Symposium on Digital forensics and security : Conference. San Antonio.

10. OWASP Foundation, the Open Source Foundation for Application Security. https://owasp.org

11. National Institute of Standards and Technology. https://www.nist.gov

12. Cyber Security Training. https://www.sans.org/emea

13. A. van der Stock, D. Cuthbert, & J. Manico. (2021). OWASP Application Security Verification Standard 4.0.3.

14. CWE - Common Weakness Enumeration. https://cwe.mitre.org.