Uma revisão sistemática da literatura sobre a modelagem de ameaças em projetos ágeis

Rafael Souza; Carla Silva; Jéssyka Vilela; Mariana Peixoto

doi:10.51359/2317-0115.2025.265731

Autor/innen

Rafael Souza Universidade Federal de Pernambuco https://orcid.org/0009-0009-6373-1795
Carla Silva Universidade Federal de Pernambuco https://orcid.org/0000-0002-0597-3851
Jéssyka Vilela Universidade Federal de Pernambuco https://orcid.org/0000-0002-5541-5188
Mariana Peixoto Universidade de Pernambuco, Garanhuns https://orcid.org/0000-0002-5399-4155

DOI:

https://doi.org/10.51359/2317-0115.2025.265731

Schlagworte:

segurança, métodos ágeis, ameaças

Abstract

Contexto: a modelagem de ameaças é uma atividade importante para a segurança, mas o seu uso no desenvolvimento ágil é difícil. Problema: para que a modelagem de ameaças seja aplicada no desenvolvimento ágil, é necessário entender seus desafios e boas práticas. Método: para compreender qual o cenário atual do uso de threat modeling em metodologias ágeis, foi feita uma RSL utilizando bibliotecas digitais e snowballing para obter artigos que pudessem responder às perguntas de pesquisa. Resultados: o estudo identificou os desafios, práticas e ferramentas utilizadas. Contribuições: o estudo trouxe as principais tendências da área estudada.

Literaturhinweise

BALDASSARRE, M. T., BARLETTA, V. S., DIMAURO, G., GIGANTE, D., PAGANO, A., & PICCINNO, A. Supporting Secure Agile Development: the VIS-PRISE Tool. Proceedings of the 2022 International Conference on Advanced Visual Interfaces (AVI 2022). Association for Computing Machinery, New York, NY, USA, Article 69, 1–3, jun, 2022.

BALDASSARRE, M., BARLETTA, V., CAIVANO, D., & PICCINNO, A. Integrating Security and Privacy in HCD-Scrum. CHItaly 2021: 14th Biannual Conference of the Italian SIGCHI Chapter (CHItaly '21). Association for Computing Machinery, New York, NY, USA, Article 37, 1–5, jul, 2021.

BECK, K. et al. Manifesto para Desenvolvimento Ágil de Software. Disponível em: <https://agilemanifesto.org/iso/ptbr/manifesto.html>. Acesso em: 7 maio. 2022.

BERNSMED, K., CRUZES, D. S., JAATUN, M. G., & IOVAN, M Adopting threat modelling in agile software development projects. Journal of Systems and Software, Volume 183, 111090, ISSN 0164-1212, jan, 2022.

BERNSMED, K; JAATUN, M. Threat modelling and agile software development: Identified practice in four Norwegian organisations. 2019 International Conference on Cyber Security and Protection of Digital Services (Cyber Security), Oxford, UK, p. 1-8, jun, 2019.

CASOLA, V., DE BENEDICTIS, A., RAK, M., & VILLANO, U.A novel Security-by-Design methodology: Modeling and assessing security by SLAs with a quantitative approach. [s.l.] Journal of Systems and Software, 2020. v. 163.

CRUZES, D., JAATUN, M. G., BERNSMED, K., & TØNDEL, I. A. Challenges and Experiences with Applying Microsoft Threat Modeling in Agile Development Projects. (IEEE, Ed.)Adelaide, SA, Australia: 2018 25th Australasian Software Engineering Conference (ASWEC), 2018.

DE VICENTE MOHINO, J. et al. The Application of a New Secure Software Development Life Cycle (S-SDLC) with Agile Methodologies. Electronics, v. 8, n. 11, p. 1218, 2019.

Draw.io. Disponível em: <https://www.draw.io/>. Acesso em: 2023

GEIB, J, SANTOS, B., BERRY, D., BALDWIN, M., & BARBARA, K. Microsoft Threat Modeling Tool threats. Disponível em: <https://learn.microsoft.com/en-us/azure/security/develop/threat-modeling-tool-threats>. Acesso em: 10 out. 2022.

GEIB, J. et al. Threat Modeling Tool feature overview. Disponível em: <https://learn.microsoft.com/en-us/azure/security/develop/threat-modeling-tool-feature-overview>. Acesso em: 12 out. 2022.

GEIB, J. et al. Microsoft Threat Modeling Tool. Disponível em: <https://learn.microsoft.com/en-us/azure/security/develop/threat-modeling-tool>. Acesso em: 15 out. 2022.

GRANATA, D.; RAK M.; SALZILLO G. MetaSEnD: A Security Enabled Development Life Cycle Meta-Model. 17th International Conference on Availability, Reliability and Security (ARES '22). Association for Computing Machinery, New York, NY, USA, Article 152, pp. 1–10, August, 2022.

HERNAN, S., LAMBERT, S., & OSTWALD, T. Uncover Security Design Flaws Using The STRIDE Approach. Disponível em: <https://learn.microsoft.com/en-us/archive/msdn-magazine/2006/november/uncover-security-design-flaws-using-the-stride-approach>. Acesso em: 12 jul. 2022.

KITCHENHAM, B.; CHARTERS, S.. Guidelines for performing Systematic Literature Reviews in Software Engineering (EBSE 2007-001). Keele University and Durham University Joint Report. jun, 2007.

KVAMME, S, GUDMUNDSEN, E., OYETOYAN, T. D., & CRUZES, D. S Data Protection Fortification: An Agile Approach for Threat Analysis of IoT Data. 12th International Conference on the Internet of Things (IoT '22). Association for Computing Machinery, New York, NY, USA. pp. 151–154. January, 2023

MCGRAW, G. Software security. IEEE Security & Privacy. Volume: 2, Issue: 2, March-April 2004), p. 80–83, 2 ago. 2004.

NGUYEN, J.; DUPUIS, M. Closing the Feedback Loop Between UX Design, Software Development, Security Engineering, and Operations. New York, NY, United States: Association for Computing Machinery, p. 93-98, 2019.

OUESLATI, H.; RAHMAN, M.; OTHMANE, L. Literature Review of the Challenges of Developing Secure Software Using the Agile Approach. Toulouse, France: 10th International Conference on Availability, Reliability and Security, p. 540-547, 2015.

OWASP Top Ten. Disponível em: <https://owasp.org/www-project-top-ten/>.

OWASP Threat Modeling Project. Disponível em: <https://owasp.org/www-project-threat-model/>.

PEIXOTO, M.; SILVA, C. A gamification requirements catalog for educational software: results from a systematic literature review and a survey with experts. Marrakech, Morocco: SAC 2017: Symposium on Applied Computing, abr. 2017.

RINDELL, K.; HYRYNSALMI, S.; LEPPÄNEN, V. Aligning security objectives with agile software development. Porto, Portugal: XP ’18 Companion: 19th International Conference on Agile Software Development, maio 2018.

RINDELL, K., RUOHONEN, J., HOLVITIE, J., HYRYNSALMI, S., & LEPPÄNEN, V. Security in agile software development: A practitioner survey. Information and Software Technology, v. 131, n. 106488, mar. 2021.

RINDELL, K.; HYRYNSALMI, S.; LEPPÄNEN, V. Busting a Myth: Review of Agile Security Engineering Methods. Reggio Calabria Italy: ARES ’17: International Conference on Availability, Reliability and Security, ago. 2017.

Security Development Lifecycle (SDL) Practices. Disponível em: <https://www.microsoft.com/en-us/securityengineering/sdl/practices>. Acesso em: 26 jun. 2023.

SHOSTACK, A. Elevation of Privilege: Drawing Developers into Threat Modeling. 2014 USENIX Summit on Gaming, Games, and Gamification in Security Education (3GSE 14). Anais...San Diego, CA: USENIX Association, ago. 2014.

SOUZA, R. et al. Material Suplementar. Disponível em: <https://docs.google.com/document/d/19Qxm0YVn_JL3egC68m_Y-18qkII0VbNdtyTjrfTb894/edit>.

TØNDEL, I.; CRUZES, D. S. Continuous software security through security prioritisation meetings. Journal of Systems and Software, v. 194, n. 111477, 2022.

TØNDEL, I., CRUZES, D. S., JAATUN, M. G., & SINDRE, G. Influencing the security prioritisation of an agile software development project. Computers & Security, v. 118, n. 102744, 2022.

Threat Modeling. Disponível em: <https://www.microsoft.com/en-us/securityengineering/sdl/threatmodeling>. Acesso em: 12 set. 2023.

WOHLIN, C., RUNESON, P., HÖST, M., OHLSSON, M. C., REGNELL, B., & WESSLÉN, A. Experimentation in software engineering. Berlim, Germany: Springer, 2024.

XIONG, W.; LAGERSTRÖM, R. Threat modeling: A systematic literature review. Computers & Security, v. 84, p. 53-69, 2019.

Uma revisão sistemática da literatura sobre a modelagem de ameaças em projetos ágeis

Autor/innen

DOI:

Schlagworte:

Abstract

Literaturhinweise

Downloads

Veröffentlicht

Ausgabe

Rubrik

Lizenz

Sprache

Informationen