APPLICATION OF PENETRATION TESTING FOR ASSESSING THE INFORMATION SECURITY LEVEL OF WEB-ORIENTED INFORMATION SYSTEMS
Abstract
Background. The increasing role of web-oriented information systems in business, education, and public administration is accompanied by a growing number and complexity of cyber threats. Traditional security mechanisms do not always enable the identification of actual system weaknesses, which necessitates the application of practice-oriented methods for assessing the level of information security. In this context, Penetration Testing is considered an effective instrument for simulating the actions of a potential attacker in order to detect and validate exploitable vulnerabilities.
Materials and Methods. The study employs a risk-oriented approach in accordance with international standards ISO/IEC 27001 and ISO/IEC 27005, as well as the recommendations of OWASP and NIST SP 800-115. Penetration Testing is implemented as a structured, multi-stage process that includes information gathering, attack surface analysis, threat modeling, execution of non-invasive validation scenarios, and risk assessment. The practical component was conducted in a controlled test environment using Nmap, Burp Suite, and Wireshark, supplemented by custom-developed Python modules for automated analysis of HTTP security headers, TLS certificates, and exposed services.
Results and Discussion. The study identified several configuration-related weaknesses at the application level, including the absence of essential HTTP security headers and deficiencies in TLS certificate management. The obtained results were formalized in a structured findings register with quantitative risk evaluation based on the Likelihood × Impact model. The analysis demonstrated that even in the absence of critical exploitable vulnerabilities, configuration errors significantly increase the overall risk level and may create preconditions for more sophisticated attacks.
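As an added illustration (not the authors' custom Python modules, which the abstract does not reproduce), the script below shows how the HTTP security header check named in Materials and Methods can feed the Likelihood × Impact findings register described here; the header set, the 1-5 scale, the 180-day HSTS floor and the risk bands are assumptions, and the sample headers are constructed.

```python
from dataclasses import dataclass
from typing import Dict, List

# Essential response headers and the (likelihood, impact) assigned when one is
# missing, on an assumed 1-5 scale (the paper does not publish its scale).
EXPECTED_HEADERS = {
    "strict-transport-security": (3, 4),
    "content-security-policy": (3, 4),
    "x-frame-options": (2, 3),
    "x-content-type-options": (2, 2),
    "referrer-policy": (1, 2),
}

@dataclass
class Finding:
    header: str
    detail: str
    likelihood: int
    impact: int

    @property
    def risk(self) -> int:  # Likelihood x Impact, 1..25
        return self.likelihood * self.impact
    @property
    def level(self) -> str:  # assumed banding of the product
        return "High" if self.risk >= 15 else "Medium" if self.risk >= 6 else "Low"

def analyze_headers(headers: Dict[str, str]) -> List[Finding]:
    """One finding per essential header that is absent or weakly configured."""
    present = {k.lower(): v for k, v in headers.items()}
    findings = []
    for name, (lik, imp) in EXPECTED_HEADERS.items():
        if name not in present:
            findings.append(Finding(name, "missing", lik, imp))
        elif name == "strict-transport-security":
            # Present but short-lived HSTS is still a finding, at reduced impact.
            parts = present[name].lower().replace(" ", "").split(";")
            max_age = next((p[8:] for p in parts if p.startswith("max-age=")), "0")
            if not max_age.isdigit() or int(max_age) < 15552000:  # 180 days, assumed floor
                findings.append(Finding(name, f"max-age too low ({max_age})", lik, imp - 1))
    return findings

def overall_risk(findings: List[Finding]) -> int:
    """Register-level risk: the highest single product, 0 when nothing was found."""
    return max((f.risk for f in findings), default=0)

# Constructed sample response headers, not captured from any real system.
SAMPLE_HEADERS = {"Content-Type": "text/html", "Server": "nginx",
                  "X-Content-Type-Options": "nosniff",
                  "Strict-Transport-Security": "max-age=3600"}
```

Running `analyze_headers(SAMPLE_HEADERS)` yields four register entries (three missing headers plus a weak HSTS policy) with an overall risk of 12 (Medium), illustrating the abstract's point that configuration gaps alone raise the risk level without any exploitable vulnerability.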
Conclusion. The findings confirm the effectiveness of Penetration Testing as a comprehensive instrument for assessing the information security of web-oriented systems. The proposed approach facilitates the transition from technical testing results to substantiated managerial decisions aimed at risk reduction and enhancement of the overall protection level of information resources.
Keywords: information security, penetration testing, vulnerabilities, risk assessment, web-oriented information systems.
DOI: http://dx.doi.org/10.30970/eli.33.6

Electronics and information technologies / Електроніка та інформаційні технології