A Behavior-Centered Risk Model for the Secure Development of Services in the Web Ecosystem
Abstract
The goal of this paper is to present a risk model for the development of services in the Web ecosystem. The proposal aims to estimate a risk and impact factor for assets by considering data breaches, human aspects and service compliance, together with the behaviors of the service's actors, devices and resources. Additionally, the proposal is validated against publicly available top-threat attack catalogs and through structural tests written in Java with BDD techniques. This makes it possible to observe its applicability to the most emergent risks, characterizing it as an artifact that guides development toward threat prevention for Web services.
Published
02/09/2019
How to Cite
DA SILVA, Carlo; GARCIA, Vinícius. A Behavior-Centered Risk Model for the Secure Development of Services in the Web Ecosystem. In: BRAZILIAN SYMPOSIUM ON INFORMATION AND COMPUTER SYSTEMS SECURITY (SBSEG), 19., 2019, São Paulo. Proceedings [...]. Porto Alegre: Sociedade Brasileira de Computação, 2019. p. 351-364. DOI: https://doi.org/10.5753/sbseg.2019.13983.