Abstract

In today's digital world, web applications are popular tools used by businesses. As more and more applications are deployed on the web, malicious actors see them as increasingly attractive targets and are eager to exploit any security gaps present. Organizations are always at risk from vulnerabilities in their web-based software systems, which can lead to data loss, service interruption, and loss of trust. Organizations therefore need an effective and efficient method for assessing and analyzing the security of acquired web-based software to ensure adequate confidence in its use. Quantitative security evaluation employs mathematical and computational techniques to express the security level that a system reaches. This research focuses on improving the quantitative analysis of web application security evaluation. We strive to integrate the Open Web Application Security Project's (OWASP) Application Security Verification Standard (ASVS) into a structural and analyzable model, which aims to efficiently evaluate web application security levels while providing meaningful insights into their strengths and weaknesses.
