Підходи до побудови моделі загроз для аналізу безпеки відкритого програмного кода
Ескіз недоступний
Дата
2020
Автори
Гапон, А. О.
Федорченко, В. М.
Поляков, А. О.
Hapon, A. O.
Fedorchenko, V. M.
Polyakov, A.
DOI
https://doi.org/10.30748/soi.2020.160.17
Назва журналу
Номер ISSN
Назва тому
Видавець
Харківський національний університет Повітряних Сил ім. І. Кожедуба
Анотація
Гарантування безпеки програмного продукту з відкритим вихідним кодом є актуальною проблемою, бо навіть у проектах з закритим вихідним кодом можуть бути присутні open source бібліотеки, що робить можливим появу вразливості у них. Серед методів, що використовують для виявлення вразливостей, варто виділити моделювання загроз, бо цей метод дозволяє вже на ранніх етапах розробки програмного коду прийняти заходи, що знизять витрати на ліквідацію вразливостей та спростять їх усунення і зміни до архітектури додатку. Підбір відповідного підходу при побудові моделі загроз залежить від специфіки проекту, ресурсів, а також кваліфікації адміністраторів.
Ensuring the security of an open source software product is an urgent problem, because even in closed source projects open source libraries may be present, which makes vulnerabilities possible in them. Among the methods used to identify vulner-abilities, it is worth highlighting threat modeling, since this method allows you to take measures at the early stages of developing program code and reduce the cost of eliminating vulnerabilities. The selection of an appropriate approach when building a threat model depends on the specifics of the project, resources, and also the qualifications of administrators. There are various threat modeling methodologies that provide the foundation for a complex security process for developing software code. Al-though each of these threat modeling methodologies has its own strengths and can be used to identify, evaluate, and prioritize the elimination of potential threats, they are lacking in taking into account the features of the analysis of program code and the fea-tures of the development process. As processes become more complex, it becomes increasingly difficult to implement effective threat modeling. Security is an important aspect and an integral part of all stages of software development. Both in open source software and closed source software, reliability depends on certain aspects of the design and quality of the software development. The quality and reliability of open source software can be assessed by viewing the software source code once it becomes publicly available. The analysis of the models of construction of threats taking into account the specifics of the modern development process using the agile methodology and scrum process allows to conclude about the low efficiency and complexity of their use. When building an open source security threat model, they are not effective enough at the development stage because they are not spe-cialized in the field but are generic approaches. Therefore, from our point of view, it is preferable to use recommendations toform a threat model that take into account the vulnerabilities in the code.
Ensuring the security of an open source software product is an urgent problem, because even in closed source projects open source libraries may be present, which makes vulnerabilities possible in them. Among the methods used to identify vulner-abilities, it is worth highlighting threat modeling, since this method allows you to take measures at the early stages of developing program code and reduce the cost of eliminating vulnerabilities. The selection of an appropriate approach when building a threat model depends on the specifics of the project, resources, and also the qualifications of administrators. There are various threat modeling methodologies that provide the foundation for a complex security process for developing software code. Al-though each of these threat modeling methodologies has its own strengths and can be used to identify, evaluate, and prioritize the elimination of potential threats, they are lacking in taking into account the features of the analysis of program code and the fea-tures of the development process. As processes become more complex, it becomes increasingly difficult to implement effective threat modeling. Security is an important aspect and an integral part of all stages of software development. Both in open source software and closed source software, reliability depends on certain aspects of the design and quality of the software development. The quality and reliability of open source software can be assessed by viewing the software source code once it becomes publicly available. The analysis of the models of construction of threats taking into account the specifics of the modern development process using the agile methodology and scrum process allows to conclude about the low efficiency and complexity of their use. When building an open source security threat model, they are not effective enough at the development stage because they are not spe-cialized in the field but are generic approaches. Therefore, from our point of view, it is preferable to use recommendations toform a threat model that take into account the vulnerabilities in the code.
Опис
Ключові слова
модель загроз , відкритий вихідний код , STRIDE , OCTAVE , TRIKE , PASTA , VAST , threat model , open source
Бібліографічний опис
Гапон А. О., Федорченко В. М., Поляков А. О. Підходи до побудови моделі загроз для аналізу безпеки відкритого програмного кода. Системи обробки інформації. 2020. Вип. 1(160). С. 128–135. DOI: https://doi.org/10.30748/soi.2020.160.17 .