PL, SE - Sep 9, 2019

Role-Based Security Analysis for Software Factories (Análise de Segurança Baseada em Roles para Fábricas de Software)

arXiv:1909.03741v1
Originality: Synthesis-oriented
AI Analysis

This paper addresses security vulnerabilities in software factories, particularly for developers in large-scale environments, but it is incremental, as it applies existing static analysis methods to a specific domain.

The paper tackles the problem of securing sensitive information in software factories by presenting a static analysis technique based on role-based security policies, which successfully identified several security flaws, including serious ones, in large software factories.

Most software factories contain applications with sensitive information that needs to be protected against breaches of confidentiality and integrity, which can have serious consequences. In the context of large factories with complex applications, it is not feasible to manually analyze accesses to sensitive information without some form of safety mechanisms. This article presents a static analysis technique for software factories, based on role-based security policies. We start by synthesising a graph representation of the relevant software factories, based on the security policy defined by the user. Later, the graph model is analysed to find access information where the security policy is breached, ensuring that all possible execution states are analysed. A proof of concept of our technique has been developed for the analysis of OutSystems software factories. The security reports generated by the tool allow developers to find and prioritise security breaches in their factories. The prototype was evaluated using large software factories with strong safety requirements. Several security flaws were found, including some serious ones that would be hard to detect without our analysis.
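The graph-then-analyse idea in the abstract can be sketched as follows. This is an added example, not the paper's tool or OutSystems code; the node names, the graph encoding and the "any one of the required roles" policy semantics are assumptions made for illustration.

```python
from collections import deque

# Constructed sample factory model (hypothetical names, not from the paper).
# node -> (roles the node itself checks, nodes it calls or reads)
GRAPH = {
    "Screen:Payroll":     ({"HR"}, ["Action:GetSalaries"]),
    "Screen:Directory":   (set(), ["Action:ListStaff"]),
    "Action:ListStaff":   (set(), ["Entity:Employee", "Action:GetSalaries"]),
    "Action:GetSalaries": (set(), ["Entity:Salary"]),
    "Entity:Employee":    (set(), []),
    "Entity:Salary":      (set(), []),
}
ENTRY_POINTS = ["Screen:Payroll", "Screen:Directory"]
# Assumed policy form: sensitive entity -> roles, one of which must have
# been checked somewhere on the path before the entity is touched.
POLICY = {"Entity:Salary": {"HR", "Admin"}}

def find_breaches(graph, entry_points, policy):
    """Explore every (node, roles-checked-so-far) state reachable from an
    entry point; return one witness path per breaching state."""
    breaches = []
    seen = set()  # visited states; also guarantees termination on cycles
    queue = deque((e, frozenset(), (e,)) for e in entry_points)
    while queue:
        node, held, path = queue.popleft()
        checks, successors = graph[node]
        held = held | frozenset(checks)  # roles guaranteed on this path
        if (node, held) in seen:
            continue
        seen.add((node, held))
        required = policy.get(node)
        if required and not (held & required):
            breaches.append(list(path))  # sensitive node reached unguarded
            continue
        for nxt in successors:
            queue.append((nxt, held, path + (nxt,)))
    return breaches

if __name__ == "__main__":
    for witness in find_breaches(GRAPH, ENTRY_POINTS, POLICY):
        print("policy breach via: " + " -> ".join(witness))
```

The shared action is safe when reached from the guarded screen but not from the unguarded one, which is the kind of flaw a per-screen manual review tends to miss.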
