Design and Development of a Technique for the Automation of the Risk Analysis Process in IT Security

Granata, Daniele; Rak, Massimiliano

2021

Abstract

Cloud service architectures are very heterogeneous and commonly rely on components managed by third parties. As a consequence, the security verification of these architectures is a complex and costly process. Moreover, the development of applications that run in the cloud should take into account agile software design and development methodologies and a really short time-to-market, which are often incompatible with deep security testing. This article aims at addressing such issues by proposing a technique, compatible with Security-By-Design methodologies, that automates the threat modeling and risk evaluation of a system, reducing the costs and requiring a limited set of security skills. Through the proposed approach, the software system is analysed by identifying the threats that affect the system's technical assets, ranking the level of risk associated with each threat and suggesting a set of countermeasures in standard terms; the process requires minimal user interaction. The proposed technique was implemented through a dedicated tool and, correctly integrated in development processes, can significantly reduce the need for costly security experts and shorten the time needed to execute a full system security assessment. In order to validate the technique, we compared our results with approaches available in the literature and existing tools.

Documents in IRIS are protected by copyright and all rights are reserved, unless otherwise indicated.

Use this identifier to cite or link to this document: https://hdl.handle.net/11591/515733