Security analysis of a web application for accessing the critical data storage system

The paper deals with the issue of providing secure access using a web application to an existing database containing critical information about the parameters of complex technical products life cycle. Based on the analysis of the document of the international organization Web Application Security Consortium (WASC) "The WASC Threat Classification v2.0", possible attacks on a web application, acting as a unidirectional layer of access to the database, exploiting potential vulnerabilities (authentication flaws, authorization flaws, client-side attacks, execution of malicious code on the server-side) have been highlighted and a set of countermeasures has been devised in relation to the architecture of a web application. A pattern has been developed that describes countermeasures concerning the Model-View-Controller architecture of a web application. The diagram of the first level of the web application functional model decomposition is presented. To ensure security at the network level, the basic architecture of the enterprise network with a demilitarized zone and the corresponding configuration of firewalls has been modernized. To assess the security, the internal metrics of software security were utilized, and the cybersecurity risk analysis method by means of fuzzy gray cognitive maps was applied which made it possible to quantitatively assess the reduction with regard to the risk of the accumulated data integrity violation by 3.5 times. Four scenarios of the attacker's impact are considered: without the use of additional countermeasures, the use of the web application layer architectural organization, which takes into account the main patterns of cybersecurity, the use of the Web-application Firewall (WAF), the use of the application architectural organization, and WAF.

1. Frid A.I. et al. Architecture of the Security Access System for Information on the State of the Automatic Control Systems of Aircraft. Acta Polytechnica Hungarica. 2020;17(8):151–164.

2. Frid A.I. et al. The architecture of the web application for protected access to the informational system of processing critically important information. Proceedings of 19th International Workshop «Computer Science and Information Technologies» (CSIT’2017), Baden-Baden, Germany. 2017:16–22.

3. Guzairov M.B. et al. Protected access to the database on the state of automatic control systems (ACS) of aviation gas turbine engines via a web application. Informacija i bezopasnost'. 2017;20(3):410–413. (In Russ.)

4. Web Application Security Consortium. Available from: http://www.webappsec.org/ (accessed 20.10.2021).

5. Huang H.C. et al. Web application security: Threats, countermeasures, and pitfalls, Computer. 2017;50(6):81–85.

6. OWASP Top Ten Project. Available from: https://www.owasp.org/index.php/Category:OWASP_Top_Ten_Project (accessed on 20.10.2021).

7. Wichers D. OWASP TOP-10 2013. OWASP Foundation. February 2013.

8. Wiradarma A.A.B.A., Sasmita G.M.A. IT Risk Management Based on ISO 31000 and OWASP Framework using OSINT at the Information Gathering Stage (Case Study: X Company). International Journal of Computer Network and Information Security. 2019;11(12):17–29.

9. Recommendations of the National Institute of Standards and Technology. NIST. 2014:128.

10. The WASC Threat Classification v2.0. Available from: http://projects.webappsec.org/w/page/13246978/Threat%20Classification (дата обращения 20.10.2021).

11. Vasilyev V.I., Vulfin A.M., Guzairov M.B., Kirillova A.D. Interval estimation of information risks with use of fuzzy grey cognitive maps. Informacionnye tehnologii = Information technologies. 2018;24(10):657–664. (In Russ.)

12. Vasilyev V.I. et al. Cybersecurity risk assessment of industrial objects' ACS of TP on the basis of nested fuzzy cognitive maps technology. Informacionnye tehnologii = Information technologies. 2020;26(4):213–221. (In Russ.)

13. Vasilyev V.I., Vulfin A.M., Chernyakhovskaya L.R. Risk analysis of innovative projects with use of multilayer fuzzy cognitive maps. Programmnaja inzhenerij = Software Engineering. 2020;11(3):142–151. (In Russ.)