Organization and methodology of an experiment to determine initial data for assessing software security indicators for automated systems of internal affairs agencies
https://doi.org/10.21822/2073-6185-2025-52-3-116-125
Abstract
Objective. The aim of the article is to develop a methodology for conducting a full-scale experiment to determine the initial data necessary for assessing the security of software used in the information technology systems of internal affairs agencies, in the dynamics of its operation. The methodology makes it possible to identify potential vulnerabilities of high and critical criticality levels during software operation, and to determine the values of the time characteristics of their operation and the average times to identify and eliminate current vulnerabilities in the software.
Method. To achieve the stated objective, the methods of graph theory, automated static analysis of program code, electronic chronometry, direct measurement, analysis of statistical data, and comparison were used.
Result. The application of the proposed methodology yielded quantitative values of the initial data required for assessing the comprehensive software security indicator for automated systems of internal affairs agencies. This indicator includes the criticality level of a set of software vulnerabilities, the software security time indicator, the software readiness coefficient for safe operation in the presence of vulnerabilities, and the interval indicator of software security breach due to exploitation of a vulnerability of a given criticality level.
Conclusion. The prospects for the practical implementation of the proposed methodology are related to the analysis and accurate quantitative assessment, in real time, of the security of the software in use, based on the developed software package. This is achieved by selecting the most secure version to improve the security of restricted service information circulating in specific information systems of internal affairs agencies.
About the Authors
A. D. Popova
Russian Federation
I. G. Drovnikova
Russian Federation
A. D. Popov
Russian Federation
Anton D. Popov - Cand. Sci. (Eng.), Assoc. Prof., Assoc. Prof., Department of Automated Information Systems of Internal Affairs Bodies.
53 Patriotov Ave., Voronezh 394065
For citations:
Popova A.D., Drovnikova I.G., Popov A.D. Organization and methodology of an experiment to determine initial data for assessing software security indicators for automated systems of internal affairs agencies. Herald of Dagestan State Technical University. Technical Sciences. 2025;52(3):116-125. (In Russ.) https://doi.org/10.21822/2073-6185-2025-52-3-116-125






























