AMADEUS: Towards the AutoMAteD secUrity teSting
-
Autores: Ángel Jesús Varela Vaca
, Rafael Martínez Gasca , Antonio Carmona, María Teresa Gómez López
- Localización: Actas de las XXV Jornadas de Ingeniería del Software y Bases de Datos (JISBD 2021): [Málaga, 22 al 24 de septiembre de 2021] / coord. por Rafael Capilla Sevilla , Maider Azanza Sese , Miguel Rodríguez Luaces , M. M. Roldán García , Dolores Burgueño Caballero, José Raúl Romero Salguero , José Antonio Parejo Maestre , José Francisco Chicano García , Marcela Genero , Óscar Díaz García , José González Enríquez , María Carmen Penades Gramage ; Silvia Mara Abrahao Gonzales (col.) , 2021
- Idioma: inglés
- Texto completo no disponible (Saber más ...)
-
Resumen
The proper configuration of systems has become a fundamental factor to avoid cybersecurity risks. Thereby, the analysis of cybersecurity vulnerabilities is a mandatory task, but the number of vulnerabilities and system configurations that can be threatened is extremely high. In this paper, we propose a method that uses software product line techniques to analyse the vulnerable configuration of the systems. We propose a solution, entitled AMADEUS, to enable and support the automatic analysis and testing of cybersecurity vulnerabilities of configuration systems based on feature models. AMADEUS is a holistic solution that is able to automate the analysis of the specific infrastructures in the organisations, the existing vulnerabilities, and the possible configurations extracted from the vulnerability repositories. By using this information, AMADEUS generates automatically the feature models, that are used for reasoning capabilities to extract knowledge, such as to determine attack vectors with certain features. AMADEUS has been validated by demonstrating the capacities of feature models to support the threat scenario, in which a wide variety of vulnerabilities extracted from a real repository are involved. Furthermore, we open the door to new applications where software product line engineering and cybersecurity can be empowered.
