Development of an information system for the quantitative assessment of web application security based on the OWASP ASVS standard

Oleksandr Revniuk
Nataliya Zagorodna
Ruslan Kozak
Bohdan Yavorskyy

Abstract

This paper presents the design of an information system for assessing the security of web applications, based on an original methodology developed by the authors. The proposed assessment methodology takes the requirements of the OWASP Application Security Verification Standard (ASVS) as its basis and is adapted to different application architectures and functionalities by selecting the set of relevant requirements and determining their impact on the overall evaluation. The quantitative assessment of each requirement is calculated from a system of developed criteria and an evaluation algorithm that incorporates importance weight coefficients assigned by experts. The assessment is carried out by several experts to reduce the subjectivity of individual judgments, and the expert judgments are aggregated in a fuzzy logic subsystem. The article describes all stages of automating the assessment process, from collecting input data to calculating the integrated security score with the weight coefficients taken into account. The information system has a modular architecture and supports personalized project workflows and result visualization, which makes it applicable in information security audits.
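The following is an added illustration of the scoring pipeline the abstract outlines (weighted ASVS requirements, several experts with their own competence weights, fuzzy aggregation of judgments, and an integrated score); it is example code written for this page, not the authors' system, and the requirement ids, weights, triangular fuzzy sets and centroid defuzzification are constructed assumptions, since the paper's own criteria and formulas are not reproduced here.

```python
from typing import Dict, Tuple

GRID = [i / 100 for i in range(101)]  # discretised 0..1 universe used for defuzzification

# Assumed linguistic ratings as triangular fuzzy sets (left, peak, right) on the 0..1 scale
FUZZY_SETS: Dict[str, Tuple[float, float, float]] = {
    "low": (0.0, 0.0, 0.5),
    "medium": (0.0, 0.5, 1.0),
    "high": (0.5, 1.0, 1.0),
}

# Constructed sample of ASVS-style requirement ids with expert-assigned importance weights (1..5)
REQUIREMENT_WEIGHTS: Dict[str, int] = {"V2.1.1": 5, "V3.2.1": 4, "V5.3.4": 3}

# Constructed competence weights of the experts whose judgments are aggregated
EXPERT_WEIGHTS: Dict[str, float] = {"expert_a": 0.6, "expert_b": 0.4}


def triangular(x: float, fs: Tuple[float, float, float]) -> float:
    """Membership degree of x in a triangular fuzzy set (shoulder sets with a == b or b == c work too)."""
    a, b, c = fs
    if x == b:
        return 1.0
    if a < x < b:
        return (x - a) / (b - a)
    if b < x < c:
        return (c - x) / (c - b)
    return 0.0


def aggregate_requirement(ratings: Dict[str, str]) -> float:
    """Weighted fuzzy aggregation of the experts' linguistic ratings for one requirement,
    defuzzified by the centroid method into a crisp score in [0, 1]."""
    total_w = sum(EXPERT_WEIGHTS[e] for e in ratings)
    mu = [sum(EXPERT_WEIGHTS[e] * triangular(x, FUZZY_SETS[r]) for e, r in ratings.items()) / total_w
          for x in GRID]
    area = sum(mu)
    return sum(x * m for x, m in zip(GRID, mu)) / area if area else 0.0


def integrated_score(assessment: Dict[str, Dict[str, str]]) -> float:
    """Integrated security score (0..100): per-requirement scores weighted by requirement importance."""
    total_w = sum(REQUIREMENT_WEIGHTS[r] for r in assessment)
    weighted = sum(REQUIREMENT_WEIGHTS[r] * aggregate_requirement(ratings)
                   for r, ratings in assessment.items())
    return 100.0 * weighted / total_w
```

Calling `integrated_score({"V2.1.1": {"expert_a": "high", "expert_b": "medium"}, ...})` yields a single 0..100 figure; a real audit would replace the constructed sets and weights with the criteria the paper defines.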

Author Biographies

Oleksandr Revniuk, Ternopil Ivan Puluj National Technical University

Graduate student, Department of Cybersecurity

Nataliya Zagorodna, Ternopil Ivan Puluj National Technical University

Head of the Department of Cybersecurity

Ruslan Kozak, Ternopil Ivan Puluj National Technical University

Associate Professor, Department of Cybersecurity
