Characterization of security defects and analysis of vulnerability criticality in software for automated systems of internal affairs bodies
https://doi.org/10.21822/2073-6185-2024-51-1-68-78
Abstract
Objective. The purpose of the study is to analyze security defects theoretically and to examine the criticality of vulnerabilities in the software used in modern automated systems of internal affairs bodies.
Method. A systems approach was used to examine the problem of assessing the security of software in automated systems of internal affairs bodies and the criticality of its vulnerabilities.
Result. The results of an analysis of the theoretical aspects of studying vulnerabilities in the software of automated systems are presented. The components of the typical software installed on a user workstation of a modern automated system of internal affairs bodies were checked for known vulnerabilities listed in the US National Vulnerability Database and in the Data Bank of Information Security Threats of the Federal Service for Technical and Export Control of Russia (FSTEC), and base scores were obtained under the Common Vulnerability Scoring System (CVSS) versions 3.0 and 3.1.
Conclusion. Software in use should be updated in a timely manner, with the version selected on the basis of its security level. The main directions for a quantitative assessment of the security level of software in automated systems of internal affairs bodies, taking its vulnerabilities into account in real time, are outlined.
About the Authors
I. G. Drovnikova
Russian Federation
Irina G. Drovnikova, Dr. Sci. (Eng.), Assoc. Prof., Prof., Department of Automated Information Systems of Internal Affairs Bodies
53 Patriotov Ave., Voronezh 394065, Russia
A. D. Popova
Russian Federation
Arina D. Popova, Adjunct, Department of Automated Information Systems of Internal Affairs Bodies
53 Patriotov Ave., Voronezh 394065, Russia
References
1. Efimov A. O., Meshcheryakova T. V., Rogozin E. A. Measures to protect tablet computers processing confidential information from unauthorized access. Bulletin of the Voronezh Institute of the Ministry of Internal Affairs of Russia. 2023; 2:31–38.
2. Efimov A. O., Livshits I., Meshcheryakova T. V., Rogozin E. A. Conceptual basis for assessing the level of security of automated systems based on their vulnerability. Information Technology Security = IT Security. 2023; 30(2):63–79.
3. National Vulnerability Database. NIST [Electronic resource]. Access mode: https://nvd.nist.gov/ (accessed 29 Jan. 2024).
4. Data Bank of Information Security Threats. Vulnerabilities. FSTEC of Russia [Electronic resource]. Access mode: https://bdu.fstec.ru/vul (accessed 30 Jan. 2024).
5. Common Vulnerability Scoring System (CVSS-SIG) [Electronic resource]. Access mode: https://www.first.org/cvss (accessed 12 Feb. 2024).
6. Common Vulnerability Scoring System version 3.0. Specification Document. Revision 0 [Electronic resource]. Access mode: https://cvss-v3-specification_r0.pdf (accessed 12 Feb. 2024).
7. Common Vulnerability Scoring System version 3.1. Specification Document. Revision 1 [Electronic resource]. Access mode: https://cvss-v31-specification_r1.pdf (accessed 12 Feb. 2024).
8. GOST R 56939-2016. Data protection. Secure software development. General requirements. Moscow: Standartinform, 2016; 24.
9. GOST R 50922-2006. Data protection. Basic terms and definitions. Moscow: Standartinform, 2008; 15.
10. GOST R ISO/IEC 13335-1-2006. Information technology. Methods and means of ensuring security. Part 1. Concept and models of security management of information and telecommunication technologies. Moscow: Standartinform, 2007; 33.
11. Yazov Yu. K., Solovyov S. V. Protection of information in information systems from unauthorized access: textbook. Voronezh: Kvarta, 2015; 440.
12. Common Vulnerabilities and Exposures (CVE) [Electronic resource]. Access mode: https://en.wikichip.org/wiki/cve (accessed 12 Feb. 2024).
13. A Complete Guide to the Common Vulnerability Assessment Standard Version 2. Calculating the Score [Electronic resource]. Access mode: https://www.securitylab.ru/analytics/356476.php (accessed 30 Jan. 2024).
14. GOST R 56546-2015. Data protection. Vulnerabilities of information systems. Classification of information system vulnerabilities. Moscow: Standartinform, 2015; 12.
15. Methodology for assessing the level of criticality of software, software and hardware vulnerabilities: Methodological document dated October 28, 2022. FSTEC of Russia [Electronic resource]. Access mode: https://fstec.ru/dokumenty/vse-dokumenty/spetsialnye-normativnye-dokumenty/metodicheskij-dokument-ot-28-oktyabrya-2022-g-2 (accessed 29 Jan. 2024).
16. Zolotykh E. S. Models for assessing the danger of implementing network attacks in automated systems of internal affairs bodies: 2.3.6. Dissertation for the degree of Cand. of Technical Sci. Voronezh, 2022; 220.
17. BDU-CVSS v3 Calculator [Electronic resource]. Access mode: https://bdu.fstec.ru/calc3 (accessed 12 Feb. 2024).
18. BDU-CVSS v3.1 Calculator [Electronic resource]. Access mode: https://bdu.fstec.ru/calc31 (accessed 12 Feb. 2024).
For citation:
Drovnikova I. G., Popova A. D. Characterization of security defects and analysis of vulnerability criticality in software for automated systems of internal affairs bodies. Herald of Dagestan State Technical University. Technical Sciences. 2024;51(1):68–78. (In Russ.) https://doi.org/10.21822/2073-6185-2024-51-1-68-78