Risk Analysis Automation Process in IT Security for Cloud Applications

Granata D.; Rak M.; Salzillo G.
2022

Abstract

Modern Secure Development Life Cycles recognize the need to (i) perform a risk assessment that identifies the threats a system faces and (ii) apply a risk rating procedure that prioritizes development and maintenance activities. However, such processes are hard to apply in the development of Cloud-based applications because of the cost, in money and time, that they imply. This article addresses this issue by proposing a technique, compatible with Security-By-Design development methodologies, that automates the threat modeling and risk evaluation of a system, reducing the costs and requiring of developers only a limited set of security skills. Through the proposed approach, the software system is analyzed to identify the threats that affect its assets, the level of risk associated with each threat is ranked, and a set of countermeasures is suggested in standard terms; the process requires minimal user interaction. The proposed technique was implemented in a dedicated tool and validated against a simple case study.
Files in this record:
No files are associated with this record.

Documents in IRIS are protected by copyright and all rights are reserved, unless otherwise indicated.

Use this identifier to cite or link to this record: https://hdl.handle.net/11591/515730
Citations
  • Scopus 3