Development of an information system for the quantitative assessment of web application security based on the OWASP ASVS standard

Title | Development of an information system for the quantitative assessment of web application security based on the OWASP ASVS standard |
Title (English) | Development of an information system for the quantitative assessment of web application security based on the OWASP ASVS standard |
Authors | Oleksandr Revniuk, Nataliya Zagorodna, Ruslan Kozak, Bohdan Yavorskyy |
Affiliation | Ternopil Ivan Puluj National Technical University, Ternopil, Ukraine |
Bibliographic description (journal style) | Development of an information system for the quantitative assessment of web application security based on the OWASP ASVS standard / Oleksandr Revniuk, Nataliya Zagorodna, Ruslan Kozak, Bohdan Yavorskyy // Scientific Journal of TNTU. — Tern.: TNTU, 2025. — Vol 118. — No 2. — P. 56–65. |
Bibliographic description | Revniuk O., Zagorodna N., Kozak R., Yavorskyy B. (2025) Development of an information system for the quantitative assessment of web application security based on the OWASP ASVS standard. Scientific Journal of TNTU (Tern.), vol 118, no 2, pp. 56–65. |
UDC | 004.056.5 |
Keywords | OWASP ASVS, web application, expert evaluation, information system, security, information security audit. |
Abstract | This paper presents the design of an information system for assessing the security of web applications, built on an original methodology developed by the authors. The proposed security assessment methodology is based on the requirements of the OWASP Application Security Verification Standard (ASVS) and is adapted to different application architectures and functionalities by selecting the set of relevant requirements and determining the influence of each on the overall evaluation. The quantitative assessment of the requirements is computed with a system of developed criteria and an evaluation algorithm that incorporates weight coefficients of importance assigned by experts. The assessment is carried out by multiple experts in order to reduce the subjectivity of individual judgments, and the expert judgments are aggregated within a fuzzy logic subsystem. The article describes every stage of automating the assessment process, from collecting the input data to calculating the integrated security score with the weight coefficients taken into account. The information system has a modular architecture, supports personalized project workflows and result visualization, and can therefore be applied in information security audits. |
ISSN | 2522-4433 |
References

- Shahid J., Hameed M. K., Javed I. T., Qureshi K. N., Ali M. & Crespi N. (2022) A Comparative Study of Web Application Security Parameters: Current Trends and Future Directions. Applied Sciences, 12 (8), 4077. Available at: https://doi.org/10.3390/app12084077.
- Derkach M. V., Khomyshyn V. H. & Hudzenko V. O. (2023) Testuvannia bezpeky vebresursu na bazi instrumentiv dlia skanuvannia ta vyiavlennia vrazlyvostei. Naukovi visti Dalivskoho universytetu. Elektronne vydannia, 25, pp. 1–8.
- Revniuk O., Zagorodna N. & Ulichev O. (2024) Adaptive Methodology for Computing the Quantitative Security Status Indicator of Web Applications. Central Ukrainian Scientific Bulletin. Technical Sciences, 2 (10 (41)), pp. 3–10. Available at: https://doi.org/10.32515/2664-262x.2024.10(41).2.3-10.
- Yaqoob I., Hussain A. S., Mamoon S., Naseer N., Akram J. & Rehman A. U. R. (2017) Penetration Testing and Vulnerability Assessment. Journal of Network Communications and Emerging Technologies (JNCET), 7 (8).
- Tadhani J. R., Vekariya V., Sorathiya V., Alshathri S. & El-Shafai W. (2024) Securing web applications against XSS and SQLi attacks using a novel deep learning approach. Scientific Reports, 14 (1). Available at: https://doi.org/10.1038/s41598-023-48845-4.
- Wen S.-F. & Katt B. (2023) A quantitative security evaluation and analysis model for web applications based on OWASP application security verification standard. Computers & Security, 135, 103532. Available at: https://doi.org/10.1016/j.cose.2023.103532.
- Kaźmierak I. (2025) Comparison of the effectiveness of tools for testing the security of web applications. Journal of Computer Sciences Institute, 34, pp. 36–43. Available at: https://doi.org/10.35784/jcsi.6613.
- Tryhubets B., Tryhubets M. & Zagorodna N. (2024) Analysis of the efficiency of open source and commercial vulnerability scanners for e-commerce web applications. Scientific Journal of the Ternopil National Technical University, 116 (4), pp. 23–30. Available at: https://doi.org/10.33108/visnyk_tntu2024.04.023.
- OWASP Application Security Verification Standard (ASVS). OWASP Foundation. Available at: https://owasp.org/www-project-application-security-verification-standard.
- CWE – Common Weakness Enumeration. Available at: https://cwe.mitre.org/.
- Revniuk O. A. & Zahorodna N. V. (2024) Metodolohiia kilkisnoi otsinky zakhyshchenosti vebdodatku elektronnoi komertsii na etapi ekspluatatsii. Scientific Bulletin of Ivano-Frankivsk National Technical University of Oil and Gas, 2 (57), pp. 107–119. Available at: https://doi.org/10.31471/1993-9965-2024-2(57)-107-119.
- Putra F. P., Ubaidi U., Hamzah A., Pramadi W. A. & Nuraini A. (2024) Systematic Literature Review: Security Gap Detection on Websites Using OWASP ZAP. Brilliance Research of Artificial Intelligence, 4 (1), pp. 348–355. Available at: https://doi.org/10.47709/brilliance.v4i1.4227.
- Seth A., Bhattacharya S., Elder S., Zahan N. & Williams L. (2025) Comparing effectiveness and efficiency of Interactive Application Security Testing (IAST) and Runtime Application Self-Protection (RASP) tools in a large Java-based system. Empirical Software Engineering, 30 (3). Available at: https://doi.org/10.1007/s10664-025-10621-5.
- Mangaoang N. E. F. (2024) Common Vulnerabilities and Exposures Assessment of private higher educational institutions using web application security. Deleted Journal, 20 (5s), pp. 668–676. Available at: https://doi.org/10.52783/jes.2288.
- OWASP Juice Shop. OWASP Foundation. Available at: https://owasp.org/www-project-juice-shop/.