DEVELOPMENT OF A TEST ENVIRONMENT FOR EVALUATING THE EFFECTIVENESS OF IMPLEMENTED APPLICATION-LEVEL SECURITY MEASURES
DOI:
https://doi.org/10.28925/2663-4023.2025.30.954Keywords:
security methods, web application, API interface, microservice architecture, access control mechanisms, user activity monitoring, test environment, application level, effectiveness of security measures.Abstract
The article addresses the problem of ensuring cybersecurity of corporate information and communication systems at the application level, which remains the main vector of modern cyberattacks. The limitations of traditional tools such as firewalls and antivirus software in countering vulnerabilities of web applications, APIs, and microservice architectures are emphasized. To overcome these challenges, the authors propose the development of a test environment enabling comprehensive assessment of implemented security measures, including access control, encryption, user activity monitoring, vulnerability detection and prevention, and real-time incident response. The proposed virtualized environment, built on VMware Workstation Pro and Oracle VirtualBox, is divided into three logical zones (DMZ, internal network, and instrumental zone) and integrates tools such as Burp Suite, OWASP ZAP, sqlmap, Splunk, Wazuh, and Metasploit. It allows the simulation of typical attack scenarios (SQL injection, XSS, CSRF, brute force, network scanning) to evaluate detection accuracy, false-positive rates, performance, and integration of different security components. The environment is aligned with international standards ISO/IEC 27001 and NIST SP 800-53, while its flexibility, scalability, and reproducibility make it suitable for both research and educational purposes. Results confirm the relevance of integrating the DevSecOps approach with SIEM, XDR, and SOAR technologies to strengthen application-level protection. The proposed solution provides a reliable foundation for evaluating and improving cybersecurity measures in real corporate environments.
Downloads
References
Kostiuk, Yu. V., Skladannyi, P. M., Bebeshko, B. T., Khorolska, K. V., Rzaieva, S. L., & Vorokhob, M. V. (2025). Information and communication systems security. [Textbook] Kyiv: Borys Grinchenko Kyiv Metropolitan University.
Kostiuk, Yu. V., Skladannyi, P. M., Hulak, H. M., Bebeshko, B. T., Khorolska, K. V., & Rzaieva, S. L. (2025). Information security systems. [Textbook] Kyiv: Borys Grinchenko Kyiv Metropolitan University.
Hulak, H. M., Zhyltsov, O. B., Kyrychok, R. V., Korshun, N. V., & Skladannyi, P. M. (2023). Enterprise information and cyber security. [Textbook] Kyiv: Borys Grinchenko Kyiv Metropolitan University.
Netwave. (n.d.). Zakhyst korporatyvnykh merezh vid zahroz: zasoby ta metody [Protection of corporate networks from threats: tools and methods]. Retrieved from https://netwave.ua/zahist-korporativnih-merezh-vid-zagroz-zasobi-ta-metodi/
Pidruchnyky dlia vuziv onlain. (n.d.). Bezpeka informatsiinykh system [Information systems security]. Retrieved from https://pidru4niki.com/74227/informatika/bezpeka_informatsiynih_sistem
OWASP. (2024). OWASP Top Ten Security Risks. Retrieved from https://owasp.org/www-project-top-ten/
The MITRE Corporation. (2024). CWE – Common Weakness Enumeration. Retrieved from https://cwe.mitre.org/
National Institute of Standards and Technology (NIST). (2024). National Vulnerability Database (NVD). Retrieved from https://nvd.nist.gov
SANS Institute. (2024). Application security risks. Retrieved from https://www.sans.org/top25-software-errors
Microsoft. (2024). Microsoft Security Development Lifecycle (SDL). Retrieved from https://www.microsoft.com/security/blog/security-development-lifecycle/
OWASP. (2024). Input validation in web applications. Retrieved from https://owasp.org/www-project-input-validation/
NIST. (2024). Digital identity guidelines (SP 800-63-3). Retrieved from https://csrc.nist.gov/publications/detail/sp/800-63/3/final
SSL Labs. (2024). TLS and encryption in web applications. Retrieved from https://www.ssllabs.com/ssltest/
NIST. (2024). Vulnerability management and software updates. Retrieved from https://nvd.nist.gov/
Cisco Systems. (2024). Intrusion Detection and Prevention Systems (IDS/IPS). Retrieved from https://www.cisco.com/c/en/us/products/security/ids-ips/
SANS Institute. (2024). DevSecOps: Integrating security into development. Retrieved from https://www.sans.org/cyber-security-courses/devsecops/
OWASP. (2024). Application Security Verification Standard (ASVS). Retrieved from https://owasp.org/www-project-application-security-verification-standard/
Splunk Inc. (2024). SIEM and XDR for application protection. Retrieved from https://www.splunk.com/en_us/products/enterprise-security.html
NIST. (2024). Recommendation for key management (SP 800-57). Retrieved from https://csrc.nist.gov/publications/detail/sp/800-57/
VirusTotal. (2024). Antivirus software vulnerabilities. Retrieved from https://www.virustotal.com/gui/home/
SANS Institute. (2024). Challenges of implementing DevSecOps in modern companies. Retrieved from https://www.sans.org/cyber-security-courses/devsecops/
Microsoft Security. (2024). Issues of multi-factor authentication (MFA). Retrieved from https://www.microsoft.com/security/blog/
NIST. (2024). Software update and vulnerability management. Retrieved from https://nvd.nist.gov/
OWASP. (2024). Limitations of automated application security testing. Retrieved from https://owasp.org/www-project-application-security-verification-standard/
Cisco Systems. (2024). Intrusion detection and prevention systems: Limitations and challenges. Retrieved from https://www.cisco.com/c/en/us/products/security/ids-ips/
Kostiuk, Y., Skladannyi, P., Rzaeva, S., Mazur, N., Cherevyk, V., & Anosov, A. (2025). Features of Network Attack Implementation ThrougH TCP/IP Protocols. Electronic Professional Scientific Journal «Cybersecurity: Education, Science, Technique», 1(29), 571–597. https://doi.org/10.28925/2663-4023.2025.29.915
Tsekhmeister, R., Platonenko, A., Vorokhob, M., Cherevyk, V., & Semeniaka, S. (2025). Research of Information Security Provision Methods in a Virtual Environment. Electronic Professional Scientific Journal «Cybersecurity: Education, Science, Technique», 3(27), 63–71. https://doi.org/10.28925/2663-4023.2025.27.703
Published
How to Cite
Issue
Section
License
Copyright (c) 2025 Admin Skladannyi
This work is licensed under a Creative Commons Attribution-NonCommercial-ShareAlike 4.0 International License.
