METHODOLOGY FOR QUANTITATIVE ASSESSMENT OF THE SECURITY OF AN E-COMMERCE WEB APPLICATION AT THE OPERATIONAL PHASE
DOI: https://doi.org/10.31471/1993-9965-2024-2(57)-107-119

Keywords: web application security, online store, OWASP ASVS, evaluation criteria, security assessment

Abstract
The article proposes a general approach to the quantitative assessment of e-commerce web application security based on the OWASP ASVS standard, which includes 13 sections addressing different aspects of security, such as authentication, session management, access control, data validation, file protection, and system configuration. The developed methodology yields a quantitative indicator of the level of compliance with each requirement, making the evaluation objective and understandable for both auditors and web application owners.

Based on an analysis of the full list of OWASP ASVS requirements, a subset was selected for assessing the security of an online store that is already in operation, under the assumption that the auditor has no technical documentation about the web application's development (a black-box setting). For each selected requirement, a structured set of criteria with explicit evaluation rules was developed from which the quantitative indicators are derived. The study used the OWASP Juice Shop test environment, which allowed the methodology to be tried on a practical example containing a range of deliberately built-in vulnerabilities. Because this web application is a prototype of a typical online store, it is a suitable subject for this research.

As expected, the assessment revealed a low level of implementation of security practices in session management, input data validation, and file protection, while authentication and access control showed a medium level of compliance with the standard. The proposed methodology contributes to the practice of securing e-commerce web applications by providing a usable tool for security assessment and vulnerability identification during the operational phase of a web application.
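As an added illustration, and not the paper's own method or code, the following Python sketch shows one way per-requirement criterion verdicts can be aggregated into section-level quantitative indicators and mapped onto the low/medium/high levels the abstract reports. The ASVS chapter names are real; the criteria, the partial-credit weights, the level thresholds and the sample verdicts are constructed assumptions. Criteria that cannot be judged without development documentation are marked not assessable and excluded from the denominator rather than counted as failures, which matters in the black-box setting the paper assumes.

```python
from dataclasses import dataclass
from enum import Enum
from statistics import mean


class Verdict(Enum):
    """Outcome of one evaluation criterion. Numeric values are assumed weights."""
    MET = 1.0
    PARTIAL = 0.5
    NOT_MET = 0.0
    NOT_ASSESSABLE = None   # cannot be judged black-box; excluded from scoring


@dataclass
class Requirement:
    ref: str                    # label for the ASVS requirement being evaluated
    criteria: dict              # criterion name -> Verdict


def requirement_score(req: Requirement):
    """Fraction of assessable criteria met (partial credit counts as 0.5).

    Returns None when no criterion could be assessed, so the requirement
    neither helps nor hurts the section indicator.
    """
    scored = [v.value for v in req.criteria.values() if v.value is not None]
    if not scored:
        return None
    return sum(scored) / len(scored)


def section_score(reqs):
    """Mean of the assessable requirement scores in one ASVS section."""
    scores = [s for s in (requirement_score(r) for r in reqs) if s is not None]
    return mean(scores) if scores else None


def level(score, thresholds=(0.4, 0.75)):
    """Map a 0..1 indicator onto a level. Thresholds are an assumption."""
    if score is None:
        return "not assessable"
    low, high = thresholds
    if score < low:
        return "low"
    if score < high:
        return "medium"
    return "high"


def assess(sections):
    """sections: section name -> list[Requirement]. Returns name -> (score, level)."""
    out = {}
    for name, reqs in sections.items():
        s = section_score(reqs)
        out[name] = (s, level(s))
    return out


# Constructed sample verdicts for a hypothetical black-box audit of an online store.
# Criterion names are illustrative, not quoted from ASVS.
SAMPLE = {
    "V2 Authentication": [
        Requirement("password-policy", {
            "min-length-enforced": Verdict.MET,
            "breached-password-check": Verdict.NOT_MET,
            "login-rate-limiting": Verdict.PARTIAL,
        }),
        Requirement("credential-management", {
            "change-requires-current-password": Verdict.MET,
            "mfa-available": Verdict.NOT_MET,
        }),
    ],
    "V3 Session Management": [
        Requirement("cookie-attributes", {
            "secure-flag": Verdict.NOT_MET,
            "httponly-flag": Verdict.NOT_MET,
            "session-id-rotated-on-login": Verdict.NOT_ASSESSABLE,
        }),
        Requirement("logout", {"logout-invalidates-token": Verdict.NOT_MET}),
    ],
    "V12 Files and Resources": [
        Requirement("upload-handling", {"server-side-type-check": Verdict.NOT_ASSESSABLE}),
    ],
    "V14 Configuration": [
        Requirement("build-hardening", {"server-side-logic-review": Verdict.NOT_ASSESSABLE}),
        Requirement("http-hardening", {
            "debug-mode-disabled": Verdict.MET,
            "security-headers-present": Verdict.PARTIAL,
        }),
    ],
}

if __name__ == "__main__":
    for name, (score, lvl) in assess(SAMPLE).items():
        shown = "n/a" if score is None else f"{score:.2f}"
        print(f"{name:26s} {shown:>5s}  {lvl}")
```

Running the block prints one line per section; with the constructed verdicts, authentication lands at medium, session management at low, and configuration at high, while the file-handling section is reported as not assessable instead of being silently scored zero.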