Design and Development of a Technique for the Automation of the Risk Analysis Process in IT Security

Daniele Granata, Massimiliano Rak

2021

Abstract

Cloud service architectures are very heterogeneous and commonly relies on components managed by third parties. As a consequence, the security verification process of these architectures is a complex and costly process. Moreover, development of application that runs in cloud should take into account the agile software design and development methodologies and a really short time-to market, which are often incompatible with deep security testing. This article aims at addressing such issues proposing a technique, compatible with Security-By-Design methodologies, that automates the threat modeling and risk evaluation of a system, reducing the costs and requiring a limited set of security skills. Through the proposed approach, the software system is analysed identifying the threats that affects the system technical assets, ranking the level of risk associated to each threat and suggesting a set of countermeasures in standard terms; the process requires a minimal user interaction. The proposed technique, was implemented through a dedicated tool and, correctly integrated in development processes, can significantly reduce the need of costly security experts and shorten the time needed to execute a full system security assessment. In order to validate the technique, we compared our results with approaches available in literature and existing tools.

Download


Paper Citation


in Harvard Style

Granata D. and Rak M. (2021). Design and Development of a Technique for the Automation of the Risk Analysis Process in IT Security. In Proceedings of the 11th International Conference on Cloud Computing and Services Science - Volume 1: CLOSER, ISBN 978-989-758-510-4, pages 87-98. DOI: 10.5220/0010455200870098


in Bibtex Style

@conference{closer21,
author={Daniele Granata and Massimiliano Rak},
title={Design and Development of a Technique for the Automation of the Risk Analysis Process in IT Security},
booktitle={Proceedings of the 11th International Conference on Cloud Computing and Services Science - Volume 1: CLOSER,},
year={2021},
pages={87-98},
publisher={SciTePress},
organization={INSTICC},
doi={10.5220/0010455200870098},
isbn={978-989-758-510-4},
}


in EndNote Style

TY - CONF

JO - Proceedings of the 11th International Conference on Cloud Computing and Services Science - Volume 1: CLOSER,
TI - Design and Development of a Technique for the Automation of the Risk Analysis Process in IT Security
SN - 978-989-758-510-4
AU - Granata D.
AU - Rak M.
PY - 2021
SP - 87
EP - 98
DO - 10.5220/0010455200870098