Security Analysis of Web-based Information Systems Through Vulnerability Assessment Using the Framework of OWASP Web Security Testing Guide and Common Vulnerability Scoring System
DOI: https://doi.org/10.20961/joive.v7i3.2411

Keywords: common vulnerability scoring system, information system, owasp web security testing guide, vulnerability assessment, web security

Abstract
Web-based information systems continue to develop and have been adopted by many organizations, including higher education institutions. This technology carries inherent security risks, however, so regular security analysis is essential. This research presents a case study of eight web-based information systems at a higher education institution, assessing the security condition of each system individually and the characteristics of the set as a whole, and constructing a strategy for maintaining and improving system security. The security analysis used a mixed-method approach: qualitatively, through the OWASP Web Security Testing Guide framework across four categories (Information Gathering, Configuration and Deployment Management Testing, Session Management Testing, and Client-side Testing); and quantitatively, through Common Vulnerability Scoring System (CVSS) calculations. All of the information systems tested were found to be vulnerable, though with varying severity. Vulnerability discovery ratios ranged from a low of 8% (with a 'Low' severity level) to a high of 31% (with severity levels reaching 'Critical'). Overall, systems built on a Content Management System (CMS) were found to be less vulnerable than those built on non-CMS frameworks. Based on the discovered vulnerabilities, follow-up recommendations were constructed to serve as a reference for improving and optimizing the systems' security.