ІНТЕГРАЛЬНИЙ МЕТОД ОЦІНЮВАННЯ РІВНЯ КІБЕРЗАХИЩЕНОСТІ ВЕБ- ЗАСТОСУНКІВ НА ОСНОВІ АГРЕГУВАННЯ РЕЗУЛЬТАТІВ СКАНУВАННЯ

Saved in:
Bibliographic Details
Title: ІНТЕГРАЛЬНИЙ МЕТОД ОЦІНЮВАННЯ РІВНЯ КІБЕРЗАХИЩЕНОСТІ ВЕБ- ЗАСТОСУНКІВ НА ОСНОВІ АГРЕГУВАННЯ РЕЗУЛЬТАТІВ СКАНУВАННЯ
Alternate Title: AN INTEGRATED METHOD FOR EVALUATING THE CYBERSECURITY LEVEL OF WEB APPLICATIONS BASED ON THE AGGREGATION OF SCANNING RESULTS.
Authors: Петровська, М. Г.1 kushnirenko@op.edu.ua, Кушніренко, Н. І.1, Троянський, О. В.1
Source: Informatics & Mathematical Methods in Simulation / Informatika ta Matematičnì Metodi v Modelûvannì. 2026, Vol. 16 Issue 2, p353-360. 8p.
Subjects: Penetration testing (Computer security), Risk assessment, Internet security, Web-based user interfaces
Abstract: This article discusses a method for assessing the cybersecurity of web applications, proposed as a comprehensive approach that aggregates the results of OWASP ZAP scans. The growing number of cyberattacks on web applications requires the development of effective methods for assessing their security. Modern automated scanning tools can detect a significant number of potential vulnerabilities; however, their scan results are presented as a disparate list of issues, which makes it difficult to form a comprehensive assessment of the system's security status. Furthermore, existing approaches often produce false positives, which requires additional time for manual verification. This work aims to justify the concept of an integrated method for assessing the cybersecurity level of web applications, which will allow aggregating scan results while accounting for the criticality, density, and context of vulnerabilities, and will generate a comprehensive security score. This research is based on an analysis of existing approaches to web application security (SAST, DAST, IAST, automated scanners, including OWASP ZAP) and the identification of their shortcomings. A concept for a mathematical model of integral assessment is proposed, which will include the calculation of baseline risk based on the weighted sum of vulnerabilities, accounting for vulnerability density via the indicator D, the context coefficient C, and normalization to a Security Score scale of 0-10. The feasibility of a two-level assessment model is justified: (1) calculation of the integral indicator; (2) application of additional interpretation rules--limiting the assessment in the presence of critical vulnerabilities, determining the priority of remediation, and categorical analysis (injections, authentication issues, access control violations, configuration errors). The scientific novelty lies in the justification of a comprehensive approach that proposes combining criteria of vulnerability density, usage context, the critical threshold rule, and categorical analysis to form a generalized security assessment of web applications. [ABSTRACT FROM AUTHOR]
Copyright of Informatics & Mathematical Methods in Simulation / Informatika ta Matematičnì Metodi v Modelûvannì is the property of Odessa Polytechnic University and its content may not be copied or emailed to multiple sites without the copyright holder's express written permission. Additionally, content may not be used with any artificial intelligence tools or machine learning technologies. However, users may print, download, or email articles for individual use. This abstract may be abridged. No warranty is given about the accuracy of the copy. Users should refer to the original published version of the material for the full abstract. (Copyright applies to all Abstracts.)
Database: Engineering Source
Description
Abstract:This article discusses a method for assessing the cybersecurity of web applications, proposed as a comprehensive approach that aggregates the results of OWASP ZAP scans. The growing number of cyberattacks on web applications requires the development of effective methods for assessing their security. Modern automated scanning tools can detect a significant number of potential vulnerabilities; however, their scan results are presented as a disparate list of issues, which makes it difficult to form a comprehensive assessment of the system's security status. Furthermore, existing approaches often produce false positives, which requires additional time for manual verification. This work aims to justify the concept of an integrated method for assessing the cybersecurity level of web applications, which will allow aggregating scan results while accounting for the criticality, density, and context of vulnerabilities, and will generate a comprehensive security score. This research is based on an analysis of existing approaches to web application security (SAST, DAST, IAST, automated scanners, including OWASP ZAP) and the identification of their shortcomings. A concept for a mathematical model of integral assessment is proposed, which will include the calculation of baseline risk based on the weighted sum of vulnerabilities, accounting for vulnerability density via the indicator D, the context coefficient C, and normalization to a Security Score scale of 0-10. The feasibility of a two-level assessment model is justified: (1) calculation of the integral indicator; (2) application of additional interpretation rules--limiting the assessment in the presence of critical vulnerabilities, determining the priority of remediation, and categorical analysis (injections, authentication issues, access control violations, configuration errors). The scientific novelty lies in the justification of a comprehensive approach that proposes combining criteria of vulnerability density, usage context, the critical threshold rule, and categorical analysis to form a generalized security assessment of web applications. [ABSTRACT FROM AUTHOR]
ISSN:22235744
DOI:10.15276/imms.v16.no2.353