Modelagem de Ameaças em Pipelines de Desenvolvimento
Resumo
Em anos recentes tem crescido a preocupação com a integridade de software, ou seja, a garantia de que o software não seja adulterado no caminho entre desenvolvedores e usuários. Esse caminho é representado por um pipeline de desenvolvimento de software. Este trabalho propõe desenvolver um modelo de ameaças para o pipeline de desenvolvimento e identificar mitigações para as ameaças encontradas. O artigo apresenta o pipeline e o modelo de ameaças para uma de suas etapas.Referências
Adams, B. and McIntosh, S. (2016). Modern release engineering in a nutshell–why researchers should care. In IEEE SANER, volume 5, pages 78–90.
Atchison, L. (2016). Architecting for Scale: High Availability for Your Growing Applications. O’Reilly Media.
Bass, L., Holz, R., Rimba, P., Tran, A. B., and Zhu, L. (2015). Securing a deployment pipeline. In 2015 IEEE/ACM 3rd International Workshop on Release Engineering, pages 4–7.
Brumaghin, E., Gibb, R., Mercer, W., Molyett, M., and Williams, C. (2017). Ccleanup: A vast number of machines at risk. Talos Blog. https://bit.ly/34JGPmw
Cimpanu, C. (2017). Javascript packages caught stealing environment variables. Bleeping Computer. https://bit.ly/2TE3aM3 Clark, J. and Van Oorschot, P. C. (2013). SoK: SSL and HTTPS: Revisiting past challenges and evaluating certificate trust model enhancements. In IEEE Symp. on Security and Privacy.
Corbet, J. (2003). An attempt to backdoor the kernel. https://bit.ly/3jJ0SWH
FireEye (2015). Protecting our customers from XcodeGhost. https://bit.ly/3mA4WdC
Goodin, D. (2017). Devs unknowingly use “malicious” modules snuck into official python repository. Ars Technica. https://bit.ly/3iHcKZD
Hern, A. (2014). Tor users advised to check their computers for malware. The Guardian. https: //bit.ly/3msg7Gd
Juniper (2015). Important announcement about ScreenOS. https://juni.pr/3c0WUGR
Kupsch, J. A., Heymann, E., Miller, B., and Basupalli, V. (2017). Bad and good news about using software assurance tools. Software: Practice and Experience, 47(1):143–156.
Le Vie, D. S. (2000). Understanding data flow diagrams. In Annual Conference-Society for Technical Communication, volume 47, pages 396–401.
Maunder, M. (2017). Psa: 4.8 million affected by chrome extension attacks targeting site owners. https://bit.ly/3oH5EHL
Obelheiro, R. R., Bessani, A. N., and Lung, L. C. (2005). Analisando a viabilidade da implementação prática de sistemas tolerantes a intrusões. In Anais do SBSeg.
OWASP (2020). Pinning cheat sheet. https://bit.ly/3c7mNER
Palo Alto Networks (2020). Cloud threat report. https://bit.ly/2DV8V3T
Rescorla, E. (2018). The Transport Layer Security (TLS) Protocol Version 1.3. RFC 8446. https://bit.ly/31ZE5jo
Shaw, R. A. (2017). Software supply chain attacks. https://bit.ly/2RyA4Nj
Shostack, A. (2014). Threat modeling: Designing for security. John Wiley & Sons.
Simpson, S. (2010). Software integrity controls–an assurance-based approach to minimizing risks in the software supply chain. Technical report, SAFECode.
Warren, T. (2017). Hackers hid malware in CCleaner software. The Verge. https://bit.ly/ 3kHXlJC
Wheeler, D. A. and Reddy, D. J. (2018). Securely using software assurance (SwA) tools in the software development environment. IDA Document P-9166, Institute for Defense Analysis.
Xiao, C. (2015). Novel malware xcodeghost modifies xcode, infects apple ios apps and hits app store. Palo Alto Networks. https://bit.ly/2HGEfFe
Atchison, L. (2016). Architecting for Scale: High Availability for Your Growing Applications. O’Reilly Media.
Bass, L., Holz, R., Rimba, P., Tran, A. B., and Zhu, L. (2015). Securing a deployment pipeline. In 2015 IEEE/ACM 3rd International Workshop on Release Engineering, pages 4–7.
Brumaghin, E., Gibb, R., Mercer, W., Molyett, M., and Williams, C. (2017). Ccleanup: A vast number of machines at risk. Talos Blog. https://bit.ly/34JGPmw
Cimpanu, C. (2017). Javascript packages caught stealing environment variables. Bleeping Computer. https://bit.ly/2TE3aM3 Clark, J. and Van Oorschot, P. C. (2013). SoK: SSL and HTTPS: Revisiting past challenges and evaluating certificate trust model enhancements. In IEEE Symp. on Security and Privacy.
Corbet, J. (2003). An attempt to backdoor the kernel. https://bit.ly/3jJ0SWH
FireEye (2015). Protecting our customers from XcodeGhost. https://bit.ly/3mA4WdC
Goodin, D. (2017). Devs unknowingly use “malicious” modules snuck into official python repository. Ars Technica. https://bit.ly/3iHcKZD
Hern, A. (2014). Tor users advised to check their computers for malware. The Guardian. https: //bit.ly/3msg7Gd
Juniper (2015). Important announcement about ScreenOS. https://juni.pr/3c0WUGR
Kupsch, J. A., Heymann, E., Miller, B., and Basupalli, V. (2017). Bad and good news about using software assurance tools. Software: Practice and Experience, 47(1):143–156.
Le Vie, D. S. (2000). Understanding data flow diagrams. In Annual Conference-Society for Technical Communication, volume 47, pages 396–401.
Maunder, M. (2017). Psa: 4.8 million affected by chrome extension attacks targeting site owners. https://bit.ly/3oH5EHL
Obelheiro, R. R., Bessani, A. N., and Lung, L. C. (2005). Analisando a viabilidade da implementação prática de sistemas tolerantes a intrusões. In Anais do SBSeg.
OWASP (2020). Pinning cheat sheet. https://bit.ly/3c7mNER
Palo Alto Networks (2020). Cloud threat report. https://bit.ly/2DV8V3T
Rescorla, E. (2018). The Transport Layer Security (TLS) Protocol Version 1.3. RFC 8446. https://bit.ly/31ZE5jo
Shaw, R. A. (2017). Software supply chain attacks. https://bit.ly/2RyA4Nj
Shostack, A. (2014). Threat modeling: Designing for security. John Wiley & Sons.
Simpson, S. (2010). Software integrity controls–an assurance-based approach to minimizing risks in the software supply chain. Technical report, SAFECode.
Warren, T. (2017). Hackers hid malware in CCleaner software. The Verge. https://bit.ly/ 3kHXlJC
Wheeler, D. A. and Reddy, D. J. (2018). Securely using software assurance (SwA) tools in the software development environment. IDA Document P-9166, Institute for Defense Analysis.
Xiao, C. (2015). Novel malware xcodeghost modifies xcode, infects apple ios apps and hits app store. Palo Alto Networks. https://bit.ly/2HGEfFe
Publicado
25/11/2020
Como Citar
M. REICHERT, Beatriz; R. OBELHEIRO, Rafael.
Modelagem de Ameaças em Pipelines de Desenvolvimento. In: ESCOLA REGIONAL DE REDES DE COMPUTADORES (ERRC), 18. , 2020, Evento Online.
Anais [...].
Porto Alegre: Sociedade Brasileira de Computação,
2020
.
p. 168-174.
DOI: https://doi.org/10.5753/errc.2020.15207.