Practical recommendations for assessing software security and choosing its optimal version for use at facilities of informatization of internal affairs agencies
https://doi.org/10.21822/2073-6185-2025-52-2-130-138
Abstract
Objective. The aim of the study is to develop practical recommendations for the real-time quantitative assessment of software security and for choosing the optimal software version in accordance with the requirements of the FSTEC of Russia, taking into account the features and shortcomings of operating the automated systems of internal affairs agencies. Method. A systems approach was applied, using the methods of theoretical analysis, synthesis and deduction. Result. Practical recommendations are presented for implementing the methodology for analyzing and quantitatively assessing software security with regard to its vulnerabilities and for selecting the most secure version for use in the automated systems of internal affairs agencies. Supplementing existing methods with these practical recommendations will improve the efficiency and quality of software evaluation at the IT facilities of internal affairs agencies. Conclusion. The prospects for applying the obtained results lie in developing methodological documentation for assessing the state of technical information protection in the automated systems of internal affairs agencies, in order to justify the choice of organizational and technical measures that ensure the security of restricted service information.
About the Authors
A. D. Popova
Russian Federation
Arina D. Popova, adjunct
53 Patriotov Str., Voronezh 394065
I. G. Drovnikova
Russian Federation
Irina G. Drovnikova, Dr. Sci. (Eng.), Prof., Professor of the Department of Automated Information Systems of Internal Affairs Bodies
53 Patriotov Str., Voronezh 394065
For citations:
Popova A.D., Drovnikova I.G. Practical recommendations for assessing software security and choosing its optimal version for use at facilities of informatization of internal affairs agencies. Herald of Dagestan State Technical University. Technical Sciences. 2025;52(2):130-138. (In Russ.) https://doi.org/10.21822/2073-6185-2025-52-2-130-138