DOI: https://doi.org/10.32515/2664-262X.2024.10(41).2.3-10
Adaptive Methodology for Computing the Quantitative Security Status Indicator of Web Applications
About the Authors
Oleksandr Revniuk, postgraduate student, Ivan Pulyuy Ternopil National Technical University, Ternopil, Ukraine, e-mail: revo0708@gmail.com, ORCID ID: 0009-0005-0511-5354
Nataliya Zagorodna, Associate Professor, PhD in Technical Sciences (Candidate of Technical Sciences), Ivan Pulyuy Ternopil National Technical University, Ternopil, Ukraine, e-mail: zagorodna_n@tntu.edu.ua, ORCID ID: 0000-0002-1808-835X
Oleksandr Ulichev, PhD in Technical Sciences (Candidate of Technical Sciences), Central Ukrainian National Technical University, Kropyvnytskyi, Ukraine, e-mail: askin79@gmail.com, ORCID ID: 0000-0003-3736-9613
Abstract
This article proposes an adaptive methodology for the quantitative security assessment of web applications, based on the standardized requirements of the OWASP Application Security Verification Standard (ASVS). The methodology covers the main aspects of website security, including authentication, authorization, data protection, input handling, and others.
The proposed approach yields quantitative metrics for the level of compliance with each requirement, which makes the evaluation objective and transparent for both auditors and web application owners. Clearly defined numerical metrics make the results unambiguous to interpret and remove subjectivity from the determination of a web application's security level. Based on an analysis of the OWASP ASVS requirements, a relevant subset of requirements was selected for assessing websites of varying complexity. It is assumed that the expert conducting the assessment has the necessary technical competencies and access to the web application's development documentation. For each requirement, a structured set of criteria with clearly defined evaluation rules was developed so that quantitative indicators can be obtained. A system of weight coefficients was introduced to express the significance of each criterion and each requirement, and the weights were normalized. The weights of requirements are set with regard to the functionality and architecture of the website and to whether technical documentation or source code is available. To make the methodology adaptive, the auditor may modify any weight coefficient.
Applying this adaptive approach lets the assessor form an individual set of requirements that matches the architecture and functionality of a web application by adjusting the weight coefficients. This flexible model yields more accurate results that reflect the website's actual security state.
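The abstract describes the computation only in outline: criteria are scored under each selected requirement, criteria and requirements carry auditor-adjustable weights, the weights are normalized, and the results are combined into one indicator. The following Python script is an added example written for this page, not the authors' implementation, and the paper itself is not reproduced here. It assumes a weighted mean with normalized weights at both levels (criterion and requirement) as the aggregation rule; the requirement identifiers are only labels borrowed from ASVS 4.0.3 numbering, and the criteria, scores and weights are constructed for illustration. The adaptation step is modelled as the auditor overriding requirement weights by identifier, with a zero weight excluding a requirement from the normalization entirely rather than counting it as a failure.

```python
from dataclasses import dataclass
from typing import Dict, List


@dataclass
class Criterion:
    """One evaluation rule under a requirement.

    score  -- observed degree of compliance in [0, 1] (1.0 = fully met)
    weight -- raw significance set by the auditor; normalized at aggregation time
    """
    name: str
    score: float
    weight: float = 1.0


@dataclass
class Requirement:
    """One selected ASVS-style requirement with its criteria and requirement-level weight.
    A weight of 0 means the auditor excluded it (e.g. not applicable to this architecture)."""
    ident: str
    criteria: List[Criterion]
    weight: float = 1.0


def normalize(weights: List[float]) -> List[float]:
    """Scale non-negative weights so they sum to 1; reject negative or all-zero input."""
    if any(w < 0 for w in weights):
        raise ValueError("weights must be non-negative")
    total = sum(weights)
    if total == 0:
        raise ValueError("at least one weight must be positive")
    return [w / total for w in weights]


def requirement_score(req: Requirement) -> float:
    """Compliance level of one requirement: weighted mean of its criterion scores (assumed rule)."""
    for c in req.criteria:
        if not 0.0 <= c.score <= 1.0:
            raise ValueError(f"{req.ident} / {c.name}: score {c.score} outside [0, 1]")
    norm = normalize([c.weight for c in req.criteria])
    return sum(w * c.score for w, c in zip(norm, req.criteria))


def compliance_report(reqs: List[Requirement]) -> Dict[str, float]:
    """Per-requirement compliance in percent for the auditor's report (excluded requirements omitted)."""
    return {r.ident: round(100.0 * requirement_score(r), 1) for r in reqs if r.weight > 0}


def security_indicator(reqs: List[Requirement]) -> float:
    """Overall security status indicator in [0, 1]: requirement scores combined by normalized
    requirement weights. Zero-weight requirements drop out of the normalization, so excluding
    a requirement redistributes its share instead of silently scoring it as 0."""
    active = [r for r in reqs if r.weight > 0]
    norm = normalize([r.weight for r in active])
    return sum(w * requirement_score(r) for w, r in zip(norm, active))


def adjust_weights(reqs: List[Requirement], overrides: Dict[str, float]) -> List[Requirement]:
    """Adaptation step: return a copy of the requirement set with auditor overrides applied.
    Unknown identifiers are rejected so a typo cannot silently leave a weight unchanged."""
    unknown = set(overrides) - {r.ident for r in reqs}
    if unknown:
        raise KeyError(f"unknown requirement identifier(s): {sorted(unknown)}")
    return [Requirement(r.ident, list(r.criteria), overrides.get(r.ident, r.weight)) for r in reqs]


# Constructed sample assessment. Identifiers are labels borrowed from ASVS 4.0.3 numbering for
# illustration only; the criteria, scores and weights are invented for this example.
SAMPLE = [
    Requirement("V2.1.1", [
        Criterion("minimum password length of 12 enforced server-side", score=1.0, weight=2.0),
        Criterion("passwords of at least 64 characters accepted", score=0.0, weight=1.0),
    ], weight=3.0),
    Requirement("V4.1.1", [
        Criterion("access control enforced on every endpoint in a trusted layer", score=0.5),
        Criterion("no authorization decision made only in client-side code", score=1.0),
    ], weight=4.0),
    Requirement("V14.4", [
        Criterion("Content-Security-Policy header present", score=0.0),
        Criterion("X-Content-Type-Options: nosniff header present", score=1.0),
    ], weight=1.0),
]

if __name__ == "__main__":
    print("per-requirement compliance (%):", compliance_report(SAMPLE))
    print("overall indicator:", round(security_indicator(SAMPLE), 4))
    # The auditor adapts the profile: V14.4 judged not applicable to this deployment.
    adapted = adjust_weights(SAMPLE, {"V14.4": 0.0})
    print("overall indicator after adaptation:", round(security_indicator(adapted), 4))
```

Two checks matter in practice when implementing a scheme like this. First, normalization must happen after the auditor's overrides, otherwise an excluded requirement still consumes part of the total and drags the indicator down for reasons unrelated to the site's security. Second, scores and weights should be validated at the boundary (here, scores outside [0, 1], negative weights, and unknown identifiers are rejected), because a silently accepted typo in a weight table changes the final indicator without any visible error.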
Keywords
web application security, quantitative assessment, OWASP ASVS, evaluation criteria, security assessment
References
1. Zahid, A. (2024). Vulnerability detection and prevention: An approach to enhance cybersecurity. MS Computer Science. https://doi.org/10.13140/RG.2.2.31687.71841
2. Humayun, M., Niazi, M., Jhanjhi, N., et al. (2020). Cyber security threats and vulnerabilities: A systematic mapping study. Arabian Journal for Science and Engineering, 45(4), 3171–3189. https://doi.org/10.1007/s13369-019-04319-2
3. Asaduzzaman, M. (2020). Security aspects of ePayment system and improper access control in microtransactions. EasyChair.
4. Verizon Business. (2024). 2024 Data Breach Investigations Report. https://www.verizon.com/business/resources/reports/2024-dbir-data-breach-investigations-report.pdf
5. Lella, I., Theocharidou, M., & Magonara, E. (2024). ENISA Threat Landscape 2024. ENISA. 130 pp.
6. Ravindran, U., & Potukuchi, R. V. (2022). A review on web application vulnerability assessment and penetration testing. Review of Computer Engineering Studies, 9(1), 1–22. https://doi.org/10.18280/rces.090101
7. Pentest Monkey. https://pentestmonkey.net/
8. Yaqoob, I., Hussain, S. A., & Mamoon, S. (2017). Penetration testing and vulnerability assessment. Journal of Network Communications and Emerging Technologies (JNCET), 7(8).
9. Rane, N., & Qureshi, A. (2024). Comparative analysis of automated scanning and manual penetration testing for enhanced cybersecurity. 12th International Symposium on Digital Forensics and Security, San Antonio, 29 April 2024.
10. OWASP Foundation, the Open Source Foundation for Application Security. https://owasp.org
11. National Institute of Standards and Technology. https://www.nist.gov
12. SANS Cyber Security Training. https://www.sans.org/emea
13. van der Stock, A., Cuthbert, D., & Manico, J. (2021). OWASP Application Security Verification Standard 4.0.3. 71 pp.
14. CWE – Common Weakness Enumeration. https://cwe.mitre.org
Copyright (c) 2024 Oleksandr Revniuk, Nataliya Zagorodna, Oleksandr Ulichev