KOVALENKO O. Models and methods of developing secure software for computer systems


Thesis for the degree of Doctor of Science (DSc)

State registration number

0520U101706

Applicant for

Specialization

  • 05.13.05 - Computer systems and components

27-11-2020

Specialized Academic Board

Д 73.052.04

Cherkasy State Technological University

Abstract

This dissertation addresses a relevant scientific and technical problem: the synthesis of models and methods for developing secure software for computer systems. The work analyses current trends in software development methodologies and software requirements, quality indicators and optimization criteria, and approaches to the mathematical formalization of information processes. The analysis shows that, with the introduction of computer technology into critical application systems, the growth of the information stored, processed and circulating in them, and the increased exposure of software to unauthorized access by attackers, the models and methods currently used for developing computer-system software do not provide the required level of data security. On the basis of this analysis and of international and national standards, a general scheme of characteristics and indicators related to software quality has been formed. The analysis of software development methodologies and of the factors influencing security revealed a contradiction between increased software security requirements (accounting for all security vulnerabilities) and the need to adapt to the objective and subjective factors inherent in the modern IT industry. A comparative study of the basic approaches to mathematical formalization made it possible to define the main directions of the dissertation research and to formulate the optimization task of synthesizing software development models and methods. The work improves the method of qualitative analysis of software development vulnerabilities; it differs from known methods by taking into account factors of operational vulnerabilities, in particular the vulnerability of non-detection of security threats to computer-system software, and by assessing an arbitrary consistent finite set of "information quanta".
The method of quantitative assessment of software development vulnerabilities has also been improved. Its distinctive feature is the combined use of Fault Tree Analysis and the method of estimating the net present value of the software development project, taking into account the negative effects of possible non-detection of software security threats. The method of optimizing the allocation of resources for secure software development has been improved; it is based on a semi-Markov decision model for a controlled Markov process in continuous time. The mathematical model of the technology for testing vulnerability to SQL injection has been improved; it differs from known models in using an improved method for determining the distance between injection results. Using the Jaro-Winkler measure to compare the results of injected SQL code, together with a threshold value, increases the accuracy of software security testing. A method for the mathematical modeling of technologies for testing DOM XSS and SQL injection vulnerabilities has been developed on the basis of the GERT network modeling approach. The simulation model of security testing technology has been further developed on the basis of the theory of simulation model scaling. A distinctive feature of the developed simulation model is that the choice of input control operators and data is adapted to the increased requirements for development efficiency and model implementation; this is expressed in a procedure for interacting with a real browser through browser automation tools and in generating attack data in multiple dialects.
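The abstract states that injection results are compared with the Jaro-Winkler measure and a threshold value. The block below is an added illustration of that comparison step, not code from the dissertation: it implements the standard Jaro-Winkler similarity and a thresholded "did the responses materially differ?" decision over constructed sample response bodies. The dissertation's improved distance method itself is not reproduced here; the sample strings, the function names and the 0.9 threshold are assumptions made for the example.

```python
"""Thresholded Jaro-Winkler comparison of two response bodies (added example).

Standard Jaro-Winkler similarity (Winkler's prefix bonus p=0.1, prefix <= 4),
used to decide whether a probe response differs materially from a baseline.
The threshold absorbs small, benign variations (counters, timestamps) while
flagging responses whose structure or content changed. Sample strings and the
threshold are constructed for illustration.
"""


def jaro(s1: str, s2: str) -> float:
    """Jaro similarity in [0, 1]: 1.0 for identical strings, 0.0 for no matches."""
    if s1 == s2:
        return 1.0
    len1, len2 = len(s1), len(s2)
    if len1 == 0 or len2 == 0:
        return 0.0
    # Characters count as matching only within this window of each other.
    match_dist = max(0, max(len1, len2) // 2 - 1)
    matched1 = [False] * len1
    matched2 = [False] * len2
    matches = 0
    for i, ch in enumerate(s1):
        lo = max(0, i - match_dist)
        hi = min(len2, i + match_dist + 1)
        for j in range(lo, hi):
            if not matched2[j] and s2[j] == ch:
                matched1[i] = matched2[j] = True
                matches += 1
                break
    if matches == 0:
        return 0.0
    # Count matched characters that appear in a different order (transpositions).
    transpositions = 0
    k = 0
    for i in range(len1):
        if matched1[i]:
            while not matched2[k]:
                k += 1
            if s1[i] != s2[k]:
                transpositions += 1
            k += 1
    transpositions //= 2
    return (matches / len1 + matches / len2 + (matches - transpositions) / matches) / 3


def jaro_winkler(s1: str, s2: str, p: float = 0.1, max_prefix: int = 4) -> float:
    """Jaro-Winkler similarity: Jaro plus a bonus for a shared prefix of up to 4 chars."""
    j = jaro(s1, s2)
    prefix = 0
    for a, b in zip(s1, s2):
        if a != b or prefix == max_prefix:
            break
        prefix += 1
    return j + prefix * p * (1.0 - j)


def responses_differ(baseline: str, probe: str, threshold: float = 0.9) -> bool:
    """Decision rule: the probe response is 'different' when its similarity to the
    baseline falls below the threshold (assumed value 0.9 for this example)."""
    return jaro_winkler(baseline, probe) < threshold


# Constructed sample responses (not captured from any real system).
BASELINE = "<html><body><h1>Search results</h1><p>3 items found</p></body></html>"
PROBE_MINOR = "<html><body><h1>Search results</h1><p>4 items found</p></body></html>"
PROBE_ERROR = "500 Internal Server Error"


if __name__ == "__main__":
    # Classic reference pair from the Jaro-Winkler literature: ~0.9611
    print(round(jaro_winkler("MARTHA", "MARHTA"), 4))
    print("minor change flagged:", responses_differ(BASELINE, PROBE_MINOR))  # False
    print("error page flagged:  ", responses_differ(BASELINE, PROBE_ERROR))  # True
```

The threshold is the tunable part: set too high, every page counter or timestamp change is reported; set too low, a server error replacing the normal page can go unnoticed. Fixing it against a few known-benign response pairs before a test run is the practical way to calibrate it.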
The method of pre-test compilation and access distribution has been further developed; it differs from known methods by taking user profiles into account when synthesizing the application and by using cloud storage resources when obtaining installation versions of the software. The work includes a comparative assessment of the efficiency of the developed models and methods and of the reliability of the results. Overall, the studies show that the security index of computer-system software has increased to 15%, which supports the conclusion that the level of information protection has been raised by the synthesized models and methods of developing secure software. The results of the dissertation have been implemented in the activities of commercial enterprises and educational institutions of Ukraine.

Keywords: secure software development, vulnerability identification, qualitative and quantitative analysis of vulnerabilities, data security, optimization of software development resource allocation, security testing algorithms, scaling, simulation model, GERT networks.
