A WEB-APPLICATION QUALITY EVALUATION METHOD BASED ON VULNERABILITY DETECTION
Abstract
This article introduces a method for evaluating web-application quality based on static analysis of the source code. It describes a model for detecting SQL-injection vulnerabilities and a web-application quality model, built on the results of that vulnerability detection, that extends the ISO/IEC 25010 quality model.
About the Authors
D. E. Onoshko
Belarus
Master of Technical Sciences, Assistant Lecturer of Software for Information Technologies Department
6 P.Brovki Str., 220013 Minsk, Republic of Belarus
V. V. Bakhtizin
Belarus
Candidate of Sciences (Technology), Professor of Software for Information Technologies Department
6 P.Brovki Str., 220013 Minsk, Republic of Belarus
References
1. OWASP Top 10 2017. The Ten Most Critical Web Application Security Risks. Available at: https://www.owasp.org/images/7/72/OWASP_Top_10-2017_%28en%29.pdf.pdf (accessed 27.11.2017).
2. Bakhtizin V. V. A web-application vulnerability detection model. Doklady BGUIR, 2016, no. 1, pp. 5–11 (In Russian).
3. Cousot P., Cousot R. Abstract Interpretation: A Unified Lattice Model for Static Analysis of Programs by Construction or Approximation of Fixpoints. Conference Record of the Fourth ACM Symposium on Principles of Programming Languages, Los Angeles, 1977, pp. 238–252.
4. Spolsky J. Making Wrong Code Look Wrong – Joel on Software. Available at: http://www.joelonsoftware.com/articles/Wrong.html (accessed 21.12.2014).
5. ISO/IEC 25010:2011. Systems and software engineering — Systems and software Quality Requirements and Evaluation (SQuaRE) — System and software quality models. Geneva, ISO/IEC, 2011.
6. Onoshko D. E. A web-application quality assessment model based on SQL-injection vulnerability detection. Doklady BGUIR, 2016, no. 3, pp. 37–43 (In Russian).
7. Bakhtizin V. V., Glukhova L. A. Metrologija, standartizacija i sertifikacija v informacionnyh tehnologijah [Metrology, standardization and certification in information technologies]. Minsk, BSUIR, 2016. 343 p. (In Russian).
8. GOST 28195-99. Ocenka kachestva programmnyh sredstv. Obshhie polozhenija [State Standard 28195-99. Quality control of software system. General principles]. Moscow, Standartinform Publ., 1998. 49 p. (In Russian).
For citation:
Onoshko D.E., Bakhtizin V.V. A WEB-APPLICATION QUALITY EVALUATION METHOD BASED ON VULNERABILITY DETECTION. Digital Transformation. 2018;(1):58-65. (In Russ.)