Threat Modeling in Development Pipelines

  • Beatriz M. Reichert UDESC
  • Rafael R. Obelheiro UDESC


In recent years, concern has grown over software integrity, that is, the assurance that software is not tampered with on the path between developers and users. This path is represented by a software development pipeline. This work proposes to develop a threat model for the development pipeline and to identify mitigations for the threats found. The paper presents the pipeline and the threat model for one of its stages.


How to Cite

M. REICHERT, Beatriz; R. OBELHEIRO, Rafael. Modelagem de Ameaças em Pipelines de Desenvolvimento. In: ESCOLA REGIONAL DE REDES DE COMPUTADORES (ERRC), 18., 2020, Online Event. Proceedings [...]. Porto Alegre: Sociedade Brasileira de Computação, 2020. p. 168-174. DOI: