Behavior-Centered Risk Modeling for the Secure Development of Services in the Web Ecosystem
Abstract
This paper presents a risk modeling approach for secure development in the Web ecosystem. The proposal estimates a risk and impact factor for assets, considering data breaches, human aspects, and service compliance, as well as the behaviors of actors, devices, and resources. The proposal is evaluated against "top-threat" catalogs and with test cases developed in Java using BDD techniques. The results show that it is applicable to the most emergent risks, making it an artifact that guides development toward the prevention of potential threats to services on the Web.
Published
2019-09-02
How to Cite
DA SILVA, Carlo; GARCIA, Vinícius. Uma Modelagem de Risco Centrada em Comportamentos para o Desenvolvimento Seguro de Serviços no Ecossistema Web. In: BRAZILIAN SYMPOSIUM ON CYBERSECURITY (SBSEG), 19., 2019, São Paulo. Anais [...]. Porto Alegre: Sociedade Brasileira de Computação, 2019. p. 351-364. DOI: https://doi.org/10.5753/sbseg.2019.13983.
