A MDE Tool for Security Risk Assessment of Enterprises

  • Enrico Schiavone ResilTech S.R.L.
  • Nicola Nostro ResilTech S.R.L.
  • Francesco Brancati ResilTech S.R.L.


This paper introduces ResilBlockly, a Model-Driven Engineering software tool that evolves an existing tool called Blockly4SoS and adds a set of new features for assessing the security risks of enterprises and infrastructures, especially those operating in the domain of critical systems.

Keywords: modelling, threat, security, vulnerability, weakness, risk assessment


SCHIAVONE, Enrico; NOSTRO, Nicola; BRANCATI, Francesco. A MDE Tool for Security Risk Assessment of Enterprises. In: INDUSTRY TRACK - LATIN-AMERICAN SYMPOSIUM ON DEPENDABLE COMPUTING (LADC), 10., 2021, Florianópolis. Proceedings [...]. Porto Alegre: Sociedade Brasileira de Computação, 2021. p. 5-7. DOI: https://doi.org/10.5753/ladc.2021.18530.