Análise de vulnerabilidades de sistemas computacionais governamentais baseada em diretrizes OWASP
Resumo
Com a digitalização de diversos processos, sistemas governamentais enfrentam desafios cada vez maiores em cibersegurança. Uma abordagem eficaz para aumentar a confiabilidade do software é a identificação e mitigação de vulnerabilidades ainda na fase de desenvolvimento. Este trabalho propõe uma metodologia prática para a detecção e correção de falhas no código, conforme diretrizes da comunidade OWASP e utilizando ferramentas tais como SonarQube e Trivy. Para validar a abordagem, duas aplicações governamentais em uso foram analisadas de forma automatizada e contínua. Os resultados demonstram a eficácia da metodologia na mitigação de vulnerabilidades, reforçando a importância de uma estratégia formal de segurança no desenvolvimento de software governamental.Referências
Alhazmi, O., Malaiya, Y., and Ray, I. (2005). Security vulnerabilities in software systems: A quantitative perspective. In IFIP Annual Conference on Data and Applications Security and Privacy, pages 281–294. Springer.
Aljabri, M., Aldossary, M., Al-Homeed, N., Alhetelah, B., Althubiany, M., Alotaibi, O., and Alsaqer, S. (2022). Testing and exploiting tools to improve owasp top ten security vulnerabilities detection. In 2022 14th International Conference on Computational Intelligence and Communication Networks (CICN), pages 797–803. IEEE.
Chatfield, A. T. and Reddick, C. G. (2017). Cybersecurity innovation in government: A case study of u.s. pentagon’s vulnerability reward program. In Proceedings of the 18th Annual International Conference on Digital Government Research, dg.o ’17, page 64–73, New York, NY, USA. Association for Computing Machinery.
Foundation, O. (2021). OWASP Top Ten – 2021: The Ten Most Critical Web Application Security Risks. Accessed: 2025-03-22.
Idris, M., Syarif, I., and Winarno, I. (2021). Development of vulnerable web application based on owasp api security risks. In 2021 International Electronics Symposium (IES), pages 190–194. IEEE.
Krsul, I. V. (1998). Software vulnerability analysis. Purdue University.
Li, J. (2020). Vulnerabilities mapping based on owasp-sans: a survey for static application security testing (sast). arXiv preprint arXiv:2004.03216.
Liu, B., Shi, L., Cai, Z., and Li, M. (2012). Software vulnerability discovery techniques: A survey. In 2012 fourth international conference on multimedia information networking and security, pages 152–156. IEEE.
Marcilio, D., Bonifácio, R., Monteiro, E., Canedo, E., Luz, W., and Pinto, G. (2019). Are static analysis violations really fixed? a closer look at realistic usage of sonarqube. In 2019 IEEE/ACM 27th International Conference on Program Comprehension (ICPC), pages 209–219. IEEE.
Mateo Tudela, F., Bermejo Higuera, J.-R., Bermejo Higuera, J., Sicilia Montalvo, J.-A., and Argyros, M. I. (2020). On combining static, dynamic and interactive analysis security testing tools to improve owasp top ten security vulnerability detection in web applications. Applied Sciences, 10(24):9119.
Ramadlan, M. F. (2019). Introduction and implementation owasp risk rating management. Open Web Application Security Project.
Rose, S., Borchert, O., Mitchell, S., and Connell, S. (2020). Zero Trust Architecture, Draft (2nd ) NIST Special Publication 800-207.
Santos, L. C. M., Prado, E. P. V., and Chaim, M. L. (2020). Técnicas e ferramentas para detecção de vulnerabilidades em ambientes de desenvolvimento ágil de software. Brazilian Journal of Development, 6(6):33921–33941.
Saxena, P. (2023). Container image security with trivy and istio inter-service secure communication in kubernetes. PhD thesis, Dublin, National College of Ireland.
Setiawan, H., Erlangga, L. E., and Baskoro, I. (2020). Vulnerability analysis using the interactive application security testing (iast) approach for government x website applications. In 2020 3rd International Conference on Information and Communications Technology (ICOIACT), pages 471–475.
van Den Berghe, A. (2015). Towards a practical security analysis methodology. In 2015 IEEE/ACM 37th IEEE International Conference on Software Engineering, volume 2, pages 883–886. IEEE.
Aljabri, M., Aldossary, M., Al-Homeed, N., Alhetelah, B., Althubiany, M., Alotaibi, O., and Alsaqer, S. (2022). Testing and exploiting tools to improve owasp top ten security vulnerabilities detection. In 2022 14th International Conference on Computational Intelligence and Communication Networks (CICN), pages 797–803. IEEE.
Chatfield, A. T. and Reddick, C. G. (2017). Cybersecurity innovation in government: A case study of u.s. pentagon’s vulnerability reward program. In Proceedings of the 18th Annual International Conference on Digital Government Research, dg.o ’17, page 64–73, New York, NY, USA. Association for Computing Machinery.
Foundation, O. (2021). OWASP Top Ten – 2021: The Ten Most Critical Web Application Security Risks. Accessed: 2025-03-22.
Idris, M., Syarif, I., and Winarno, I. (2021). Development of vulnerable web application based on owasp api security risks. In 2021 International Electronics Symposium (IES), pages 190–194. IEEE.
Krsul, I. V. (1998). Software vulnerability analysis. Purdue University.
Li, J. (2020). Vulnerabilities mapping based on owasp-sans: a survey for static application security testing (sast). arXiv preprint arXiv:2004.03216.
Liu, B., Shi, L., Cai, Z., and Li, M. (2012). Software vulnerability discovery techniques: A survey. In 2012 fourth international conference on multimedia information networking and security, pages 152–156. IEEE.
Marcilio, D., Bonifácio, R., Monteiro, E., Canedo, E., Luz, W., and Pinto, G. (2019). Are static analysis violations really fixed? a closer look at realistic usage of sonarqube. In 2019 IEEE/ACM 27th International Conference on Program Comprehension (ICPC), pages 209–219. IEEE.
Mateo Tudela, F., Bermejo Higuera, J.-R., Bermejo Higuera, J., Sicilia Montalvo, J.-A., and Argyros, M. I. (2020). On combining static, dynamic and interactive analysis security testing tools to improve owasp top ten security vulnerability detection in web applications. Applied Sciences, 10(24):9119.
Ramadlan, M. F. (2019). Introduction and implementation owasp risk rating management. Open Web Application Security Project.
Rose, S., Borchert, O., Mitchell, S., and Connell, S. (2020). Zero Trust Architecture, Draft (2nd ) NIST Special Publication 800-207.
Santos, L. C. M., Prado, E. P. V., and Chaim, M. L. (2020). Técnicas e ferramentas para detecção de vulnerabilidades em ambientes de desenvolvimento ágil de software. Brazilian Journal of Development, 6(6):33921–33941.
Saxena, P. (2023). Container image security with trivy and istio inter-service secure communication in kubernetes. PhD thesis, Dublin, National College of Ireland.
Setiawan, H., Erlangga, L. E., and Baskoro, I. (2020). Vulnerability analysis using the interactive application security testing (iast) approach for government x website applications. In 2020 3rd International Conference on Information and Communications Technology (ICOIACT), pages 471–475.
van Den Berghe, A. (2015). Towards a practical security analysis methodology. In 2015 IEEE/ACM 37th IEEE International Conference on Software Engineering, volume 2, pages 883–886. IEEE.
Publicado
20/07/2025
Como Citar
NOGUEIRA, José Marcos; MACEDO, Daniel F.; MILANEZ, Guilherme A. S.; FERREIRA, Henrique R. S.; SANTOS, Lucas André; LEODORO, Sabrina S.; DIAS, Luis F. C..
Análise de vulnerabilidades de sistemas computacionais governamentais baseada em diretrizes OWASP. In: SEMINÁRIO INTEGRADO DE SOFTWARE E HARDWARE (SEMISH), 52. , 2025, Maceió/AL.
Anais [...].
Porto Alegre: Sociedade Brasileira de Computação,
2025
.
p. 465-476.
ISSN 2595-6205.
DOI: https://doi.org/10.5753/semish.2025.9055.
