Security analysis of a web application for accessing the critical data storage system
UDC 004.056.5
DOI: 10.26102/2310-6018/2021.35.4.038
The paper deals with the issue of providing secure access, through a web application, to an existing database containing critical information about the life-cycle parameters of complex technical products. Based on an analysis of the Web Application Security Consortium (WASC) document "The WASC Threat Classification v2.0", the possible attacks on a web application that acts as a unidirectional access layer to the database, and that exploit potential vulnerabilities (authentication flaws, authorization flaws, client-side attacks, execution of malicious code on the server side), have been identified, and a set of countermeasures has been devised in relation to the architecture of the web application. A pattern has been developed that maps these countermeasures onto the Model-View-Controller architecture of the web application. The first-level decomposition diagram of the web application's functional model is presented. To ensure security at the network level, the basic enterprise network architecture with a demilitarized zone and the corresponding firewall configuration has been modernized. To assess security, internal software security metrics were used, and the cybersecurity risk analysis method based on fuzzy gray cognitive maps was applied, which made it possible to quantify a 3.5-fold reduction in the risk of violating the integrity of the accumulated data. Four attacker-impact scenarios are considered: without additional countermeasures; with the architectural organization of the web application layer that takes the main cybersecurity patterns into account; with a Web Application Firewall (WAF); and with both the architectural organization and the WAF.
Keywords: secure access, basic architecture, Model-View-Controller architectural pattern, attack vector, web application firewall, fuzzy cognitive map, risk assessment
For citation: Vulfin A.M. Security analysis of a web application for accessing the critical data storage system. Modeling, Optimization and Information Technology. 2021;9(4). URL: https://moitvivt.ru/ru/journal/pdf?id=1112 DOI: 10.26102/2310-6018/2021.35.4.038 (In Russ.).
Received 14.12.2021
Revised 23.12.2021
Accepted 26.12.2021
Published 31.12.2021