RESEARCH ON THE APPLICATION OF ADAPTIVE RISK ASSESSMENT METHODS FOR WEB APPLICATIONS
DOI:
https://doi.org/10.31891/csit-2024-3-5
Keywords:
information security, web attack, SQL injections, OWASP, databases, information security management system, information protection, risk, risk management
Abstract
The paper analyzes the significance of security issues in modern web applications and emphasizes that the major threats in this area include low employee awareness of information security, weak password policies (or widespread non-compliance with them), deficiencies in software update management, the use of insecure configurations and, paradoxically, ineffective network segmentation and inter-network access control.
The white-box, gray-box and black-box testing methods are described. Gray-box testing is argued to combine the techniques of black-box testing with reverse-engineering methods and tools. The value of source code for vulnerability discovery lies in the fact that it presents the program's logic in a form the researcher can understand. Analyzing source code, in addition to black-box and gray-box methods, allows more vulnerabilities to be identified in each application: white-box testing identifies on average 3.5 times more medium-risk vulnerabilities than black-box and gray-box methods.
Based on the identified list of the most common threats to web applications and the application of an enhanced cumulative risk methodology, a detailed analysis of threat data was conducted and the risk factors specific to each threat were identified. These factors were determined from available statistics. Security risk assessment methods for web applications were compared using an example from the banking sector. Criteria for translating indicators from quantitative to qualitative values for the enterprise studied are provided. Recommendations are made to reduce the threat level associated with the reported vulnerabilities: shortening the idle timeout after which the system automatically logs the user out; implementing multi-factor authentication on the web application (for example, password plus card, or password plus fingerprint); installing additional protective software (e.g., ViPNet); enabling rapid revocation of privileges so that damage is minimized by quickly identifying and stopping unauthorized actions; and ensuring that any change in an employee's position that affects their rights is promptly reflected in their actual rights in the computer system.
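Two of the recommendations above (an idle logout timeout, and role changes or revocations that take effect in the system at once rather than at the next login) come down to one design decision in the web application's session layer: privileges must not be cached in the session but re-read from the authoritative role store on every request, and a revocation must also terminate live sessions. The following Python block is an added illustration of that design and is not code from the paper or from the enterprise it studies; the SessionManager class, the role store, the five-minute timeout and the user and privilege names are assumptions made for the example.

```python
"""
Added example (not from the paper): a minimal session layer for a web
application that enforces two of the abstract's recommendations:
  1. an idle timeout that logs the session out automatically, and
  2. privileges that are re-read from the authoritative role store on
     every request, so that a change in an employee's role (or a full
     revocation) takes effect immediately rather than at the next login.
The role store, timeout value and request shape are assumptions for
illustration, not anything the paper specifies.
"""
import secrets
import time
from dataclasses import dataclass

IDLE_TIMEOUT_SECONDS = 300  # assumption: 5 minutes of inactivity ends the session


@dataclass
class Session:
    user: str
    last_seen: float
    # Privileges are deliberately NOT stored here; they are looked up per request.


class SessionManager:
    def __init__(self, role_store: dict, clock=time.time):
        # role_store maps user -> set of privileges; authoritative, editable at runtime.
        self.role_store = role_store
        self.clock = clock  # injectable clock so the idle timeout can be tested
        self.sessions: dict[str, Session] = {}

    def login(self, user: str) -> str:
        token = secrets.token_urlsafe(32)  # unguessable session identifier
        self.sessions[token] = Session(user=user, last_seen=self.clock())
        return token

    def authorize(self, token: str, privilege: str) -> bool:
        """Return True only if the session exists, has not idled out, and the
        user's *current* role grants the privilege."""
        sess = self.sessions.get(token)
        if sess is None:
            return False
        now = self.clock()
        if now - sess.last_seen > IDLE_TIMEOUT_SECONDS:
            # Idle timeout: drop the session and deny the request.
            del self.sessions[token]
            return False
        sess.last_seen = now
        # Fresh lookup on every request: a changed or revoked role denies at once.
        return privilege in self.role_store.get(sess.user, set())

    def change_role(self, user: str, privileges: set) -> None:
        """HR/admin hook: the new rights apply to all live sessions immediately."""
        self.role_store[user] = set(privileges)

    def revoke_user(self, user: str) -> int:
        """Remove all rights and terminate every live session of the user.
        Returns the number of sessions terminated."""
        self.role_store[user] = set()
        dead = [t for t, s in self.sessions.items() if s.user == user]
        for t in dead:
            del self.sessions[t]
        return len(dead)


def demo() -> dict:
    """Walk through demotion, idle timeout and revocation with a fake clock
    (constructed sample data); returns the observed outcomes."""
    t = [1000.0]
    clock = lambda: t[0]
    mgr = SessionManager({"alice": {"view_accounts", "approve_transfer"}}, clock=clock)
    tok = mgr.login("alice")
    results = {}
    results["initial_approve"] = mgr.authorize(tok, "approve_transfer")
    # Position change: alice moves to a read-only role, no logout required.
    mgr.change_role("alice", {"view_accounts"})
    results["after_demotion_approve"] = mgr.authorize(tok, "approve_transfer")
    results["after_demotion_view"] = mgr.authorize(tok, "view_accounts")
    # Inactivity: advance the clock past the idle timeout.
    t[0] += IDLE_TIMEOUT_SECONDS + 1
    results["after_idle_view"] = mgr.authorize(tok, "view_accounts")
    results["session_gone"] = tok not in mgr.sessions
    # Revocation of a user who currently holds two live sessions.
    tok1, tok2 = mgr.login("alice"), mgr.login("alice")
    results["revoked_sessions"] = mgr.revoke_user("alice")
    results["after_revoke"] = mgr.authorize(tok1, "view_accounts")
    return results


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The point of the per-request lookup is that a session created before a role change never carries stale rights; the cost is one role-store read per request, which a small cache with a short TTL can bound if needed, at the price of that TTL becoming the upper limit on how quickly a revocation takes effect.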