The improvement of web-application SDL process to prevent Insecure Design vulnerabilities

Authors

  • Oleksandr A. Revniuk Ternopil Ivan Puluj National Technical University, 56, Ruska Str. Ternopil, 46001, Ukraine
  • Nataliya V. Zagorodna Ternopil Ivan Puluj National Technical University, 56, Ruska Str. Ternopil, 46001, Ukraine
  • Ruslan O. Kozak Ternopil Ivan Puluj National Technical University, 56, Ruska Str. Ternopil, 46001, Ukraine
  • Mikolaj P. Karpinski University of the National Education Commission, 2, Podchorążych Str. Krakow, 30-084, Poland
  • Liubomyr O. Flud Ukrainian National Forestry University, 103, Gen. Chuprynky Str. Lviv, 79057, Ukraine

DOI:

https://doi.org/10.15276/aait.07.2024.12

Keywords:

Insecure design, web applications, secure development lifecycle, security practices, application vulnerability, multi-layered structure

Abstract

According to the latest “OWASP Top Ten” list, the “Insecure Design” vulnerability is one of the key factors affecting the level of data protection and functional reliability. Heightened attention to this issue is pertinent because this vulnerability appears in the OWASP list for the first time and is only briefly described there. This study aims to identify and analyze the architectural vulnerabilities of web applications arising from “Insecure Design”. The goal is not only to identify specific vulnerabilities in the design and implementation process of web applications but also to develop a detailed list of recommendations that will help not only to avoid similar problems in the future but also to create a sound foundation for secure web application development from the starting point. In order to construct a systematic approach to security at all stages of development, recommendations from the Software Development Life Cycle standard are considered here. Special attention is given to integrating security principles at all stages of the development lifecycle. The analysis is based on examining existing architectural solutions, studying vulnerabilities, and developing methods for their mitigation. The developed set of recommendations to enhance the security of web applications includes measures for architectural design, verification and validation processes, and early detection of potential vulnerabilities. Significant attention is paid to developing secure code, implementing security policies, and organizing training for developers. The research emphasizes the importance of integrating security into the web application development process from the beginning. The scientific novelty lies in the systematization and development of approaches to detect and mitigate architectural vulnerabilities caused by “Insecure Design”.
The practical significance of the paper lies in enhancing the security level of web applications, reducing risks for businesses and users, and fostering a culture of security among developers.


Author Biographies

Oleksandr A. Revniuk, Ternopil Ivan Puluj National Technical University, 56, Ruska Str. Ternopil, 46001, Ukraine

graduate student of Cybersecurity Department

Nataliya V. Zagorodna, Ternopil Ivan Puluj National Technical University, 56, Ruska Str. Ternopil, 46001, Ukraine

Associate Professor, Head of Cybersecurity Department

Scopus Author ID: 57189380553

Ruslan O. Kozak, Ternopil Ivan Puluj National Technical University, 56, Ruska Str. Ternopil, 46001, Ukraine

Associate Professor, Cybersecurity Department

Scopus Author ID: 57193443499

Mikolaj P. Karpinski, University of the National Education Commission, 2, Podchorążych Str. Krakow, 30-084, Poland

Professor of Cybersecurity Department

Scopus Author ID: 57202467671

Liubomyr O. Flud, Ukrainian National Forestry University, 103, Gen. Chuprynky Str. Lviv, 79057, Ukraine

Associate Professor, Department of Information Systems and Computer Modeling

Scopus Author ID: 57202467671

Published

2024-05-14

How to Cite

[1] Revniuk O.A., Zagorodna N.V., Kozak R.O., Karpinski M.P., Flud L.O. “The improvement of web-application SDL process to prevent Insecure Design vulnerabilities”. Applied Aspects of Information Technology. 2024; Vol. 7, No. 2: 162–174. DOI: https://doi.org/10.15276/aait.07.2024.12.