SYSTEM APPROACH TO WEB APPLICATION SECURITY: ANALYSIS OF THREATS AND METHODS OF CYBER PROTECTION

DOI:

https://doi.org/10.18372/2410-7840.26.20022

Keywords:

cybersecurity, web application vulnerabilities, OWASP Top 10, static code analysis, dynamic analysis, machine learning, automated vulnerability detection, cyber threats

Abstract

The study focuses on analyzing common vulnerabilities in web applications, their impact on information system security, economic, reputational, and legal consequences, as well as methods for their detection and mitigation. A comprehensive review of the current state of web application security is conducted, including statistical data on current threats, analysis of attack trends, and an overview of the most notable incidents in recent years. Special attention is given to comparing different approaches to vulnerability classification, including OWASP Top 10, CWE Top 25, MITRE ATT&CK, NIST SP 800-53, and other standards, to evaluate their effectiveness and practical applicability. The study examines web application security testing methods, including static (SAST), dynamic (DAST), and interactive application security testing (IAST), as well as the potential of artificial intelligence (AI) and machine learning (ML) for automated threat detection. The advantages and limitations of different cybersecurity methods are analyzed, along with practical aspects of their implementation in real-world scenarios. Additionally, a detailed analysis of the impact of vulnerabilities on organizations is presented, covering economic consequences (direct financial losses, response costs, market value decline), reputational risks (loss of user trust, brand damage), and legal repercussions (fines, lawsuits, regulatory compliance requirements). The results of the study contribute to forming a comprehensive approach to risk minimization, including the implementation of advanced security analysis methods, adherence to international security standards, and the application of modern cybersecurity tools. This ensures more efficient detection and mitigation of threats at the early stages of web application development and operation.

Author Biographies

Anna Ilienko, State university «Kyiv aviation institute»

Ph.D., Associate Professor, Head of the Department of Cybersecurity of the State non-commercial company state university «Kyiv aviation institute», Kyiv, Ukraine.

Denys Spys, State university «Kyiv aviation institute»

PhD student at the Department of Cybersecurity of the State non-commercial company state university «Kyiv aviation institute», Kyiv, Ukraine.

Liliia Halata, State university «Kyiv aviation institute»

PhD in Computer Science, Associate Professor of the Department of Cybersecurity of the State non-commercial company state university «Kyiv aviation institute», Kyiv, Ukraine.

Olena Dubchak, State university «Kyiv aviation institute»

Senior Lecturer at the Department of Cybersecurity of the State non-commercial company state university «Kyiv aviation institute», Kyiv, Ukraine.

Published

2025-05-20