Algorithm for the functioning of the analysis and evaluation software package security of software of automated systems internal affairs bodies
https://doi.org/10.21822/2073-6185-2024-51-2-128-136
Abstract
Objective. The purpose of the study is to construct an algorithm for the functioning of a software package that automates the process of analyzing and assessing the security of the software used and selecting its most secure version for use at informatization facilities of internal affairs bodies.
Method. The study used a systematic approach to determining software security indicators, together with mathematical formalization and algorithmization of the process of analyzing and assessing software security, as a basis for developing program code.
Result. An algorithm for the functioning of a software package is proposed that allows analysis and quantitative assessment, in real time, of the security of software of automated systems of internal affairs bodies in relation to current vulnerabilities. The algorithm is composite in nature, comprising five component algorithms. The operation of the main blocks of the algorithm is described.
Conclusion. Conclusions are drawn about the importance of the practical implementation of the developed algorithm in the form of a software package that selects the optimal (most secure) version of software for operation at informatization facilities of internal affairs bodies in order to increase the actual security of limited-distribution official information.
About the Author
A. D. Popova
Russian Federation
Arina D. Popova, Adjunct, Department of Automated Information Systems of Internal Affairs Bodies
53 Patriotov Ave., Voronezh 394065
For citations:
Popova A.D. Algorithm for the functioning of the analysis and evaluation software package security of software of automated systems internal affairs bodies. Herald of Dagestan State Technical University. Technical Sciences. 2024;51(2):128-136. (In Russ.) https://doi.org/10.21822/2073-6185-2024-51-2-128-136