Threat Modeling in Development Pipelines

  • Beatriz M. Reichert UDESC
  • Rafael R. Obelheiro UDESC

Abstract

In recent years, concern has grown about software integrity, that is, the assurance that software is not tampered with on the path between developers and users. This path is represented by a software development pipeline. This work proposes to develop a threat model for the development pipeline and to identify mitigations for the threats found. The paper presents the pipeline and the threat model for one of its stages.

Published
25/11/2020
How to Cite

M. REICHERT, Beatriz; R. OBELHEIRO, Rafael. Modelagem de Ameaças em Pipelines de Desenvolvimento. In: ESCOLA REGIONAL DE REDES DE COMPUTADORES (ERRC), 18., 2020, Evento Online. Anais [...]. Porto Alegre: Sociedade Brasileira de Computação, 2020. p. 168-174. DOI: https://doi.org/10.5753/errc.2020.15207.