Threat Copilot: A recommendation system for threat modeling

  • Yuri Feitosa Negócio (IFPB)
  • Nilton da Trindade Herthel Jr. (IFPB)
  • Juliana Dantas Medeiros (IFPB)

Abstract

Secure software development processes aim to ensure that products can operate effectively even in the face of attacks. One relevant activity in a secure development lifecycle is identifying security flaws proactively through threat modeling. Various threat modeling methods have been proposed in both industry and academic research. Despite this, integrating this activity into development teams has not been straightforward. This paper introduces a tool named "Threat Copilot", which is a knowledge-based recommendation system. Its purpose is to identify threats by comparing them to pre-existing threat models within an organization. Preliminary results indicate that the tool can be useful in facilitating threat elicitation.
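The abstract describes Threat Copilot as a knowledge-based recommender that elicits threats by comparing a new component against threat models the organization already has. The following added example (not the paper's code) illustrates that idea: a constructed knowledge base of earlier threat models, Jaccard similarity over component attributes, and a threshold below which no threat is suggested. The attribute vocabulary, the scoring rule and the threshold value are all assumptions.

```python
"""Illustrative knowledge-based threat recommender (added example, not the
Threat Copilot implementation). The knowledge base, the attribute
vocabulary and the scoring rule are assumptions made for the illustration."""
from dataclasses import dataclass


@dataclass(frozen=True)
class ThreatModelEntry:
    component: str          # name of a component in an earlier threat model
    attributes: frozenset   # properties recorded for it, e.g. "internet-facing"
    threats: tuple          # threats the earlier model recorded for it


# Constructed knowledge base: threat models previously recorded by an organization.
KNOWLEDGE_BASE = (
    ThreatModelEntry("payment-api", frozenset({"http", "internet-facing", "sql", "auth"}),
                     ("SQL injection via unvalidated input", "Credential stuffing against login")),
    ThreatModelEntry("report-batch", frozenset({"cron", "sql", "internal"}),
                     ("Privilege escalation through over-broad DB account",)),
    ThreatModelEntry("file-upload", frozenset({"http", "internet-facing", "filesystem"}),
                     ("Path traversal on stored file names", "Malware upload without scanning")),
)


def jaccard(a, b):
    """Similarity between two attribute sets: 0.0 (disjoint) to 1.0 (identical)."""
    union = a | b
    return len(a & b) / len(union) if union else 0.0


def recommend_threats(attributes, knowledge_base=KNOWLEDGE_BASE, threshold=0.4):
    """Return (threat, score, source_component) for a new component, ranked by
    how similar its attributes are to components in earlier threat models.
    A threat seen in several similar components keeps its best score; entries
    scoring below `threshold` are ignored so unrelated components add no noise."""
    best = {}
    new = frozenset(attributes)
    for entry in knowledge_base:
        score = jaccard(new, entry.attributes)
        if score < threshold:
            continue
        for threat in entry.threats:
            if threat not in best or score > best[threat][0]:
                best[threat] = (score, entry.component)
    ranked = sorted(best.items(), key=lambda kv: (-kv[1][0], kv[0]))
    return [(threat, round(score, 3), comp) for threat, (score, comp) in ranked]


if __name__ == "__main__":
    # A new internet-facing HTTP service backed by SQL, described by its attributes.
    for threat, score, src in recommend_threats({"http", "internet-facing", "sql"}):
        print(f"{score:.2f}  {threat}  (from {src})")
```

The ranking shows the analyst which earlier component each suggestion came from, so the recommendation can be checked against the original model rather than accepted blindly.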

Published: 2023-09-18

NEGÓCIO, Yuri Feitosa; HERTHEL JR., Nilton da Trindade; MEDEIROS, Juliana Dantas. Threat Copilot: Um sistema de recomendação para a modelagem de ameaças. In: TOOLS - BRAZILIAN SYMPOSIUM ON CYBERSECURITY (SBSEG), 23., 2023, Juiz de Fora/MG. Anais [...]. Porto Alegre: Sociedade Brasileira de Computação, 2023. p. 73-80. DOI: https://doi.org/10.5753/sbseg_estendido.2023.235688.