Tramonto: a framework for pentest management (original title: Tramonto : um framework para gerenciamento de pentests)
Main author: | Bertoglio, Daniel Dalalana |
---|---|
Publication date: | 2019 |
Document type: | Thesis |
Language: | por |
Source title: | Biblioteca Digital de Teses e Dissertações da PUC_RS |
Full text: | http://tede2.pucrs.br/tede2/handle/tede/8816 |
Abstract: | Nowadays, companies have more systems integration on the Internet and their applications deal with sensitive data. Thus, providing methods to ensure the security of the data and assets, considering the level of information exposure, is a mandatory requirement. As a way to protect and mitigate the high number of security incidents that arise from the business context, security testing has been applied to assess the existence of vulnerabilities in the target scenarios. One of the known tests of this category is the Penetration Test (Pentest), which approximates the reality of attacks by simulating the behavior of an attacker. Considering the specific characteristics that distinguish penetration tests from other tests, methodologies have been established in an attempt to standardize the processes and support the test executor (tester) through standards and guidelines. However, the methodologies that are most widespread in the security community seek to meet the criteria of other types of security testing, sometimes disregarding the particularities of a Pentest. Therefore, this work proposes the construction of a framework called Tramonto. This framework, based on the main methodologies applied to security testing, aims to help testers in executing Pentests in order to provide better organization, standardization, and flexibility in the test workflow. Some studies were conducted with security test professionals to validate the propositions suggested by Tramonto, supported by the Tramonto-App web application. The results achieved through these studies confirm the importance of the framework in supporting the testers, and also indicate the direction and other possibilities in the Pentest area. |
id |
P_RS_ee63dfbb98d0bc651b3cecbe05970526 |
---|---|
oai_identifier_str |
oai:tede2.pucrs.br:tede/8816 |
network_acronym_str |
P_RS |
network_name_str |
Biblioteca Digital de Teses e Dissertações da PUC_RS |
repository_id_str |
|
spelling |
Zorzo, Avelino Francisco (advisor, http://lattes.cnpq.br/4315350764773182); Bertoglio, Daniel Dalalana (author, http://lattes.cnpq.br/4493244304420308); accessioned 2019-07-25T19:40:43Z; issued 2019-06-26; http://tede2.pucrs.br/tede2/handle/tede/8816
Abstract (Portuguese original, translated): Today, companies increasingly integrate their systems with the Internet and run applications that handle sensitive data. It is therefore necessary to provide methods that can guarantee the security of data and assets, taking into account the level of exposure of that information. As a way to protect against and mitigate the high number of security incidents arising in the business context, security tests have been applied to assess the existence of vulnerabilities in target scenarios. One well-known test in this category is the Penetration Test (Pentest), which approximates real attacks by simulating the behaviour of an attacker. Considering the specific characteristics that set pentests apart from other tests, methodologies have been established in an attempt to standardize the processes and support the test executor (tester) through guides and guidelines. However, the methodologies most widespread in the security community direct their efforts at meeting the criteria of other types of security testing, at times disregarding the particularities of a pentest. Therefore, based on this problem, this work proposes the creation of a framework called Tramonto. This framework, based on the main security testing methodologies, aims to assist testers in executing pentests so as to offer better organization, standardization and flexibility in the test workflow. Studies were conducted with pentest professionals to validate the propositions suggested by Tramonto, supported by the Tramonto-App web application. The results obtained through these studies corroborate the importance and helpfulness of the framework in the tests performed, and indicate the directions and possibilities for its use in the pentest area.
Provenance: Submitted by PPG Ciência da Computação (ppgcc@pucrs.br) on 2019-07-18T18:57:05Z. No. of bitstreams: 1. DANIEL DALALANA BERTOGLIO_TES.pdf: 4891379 bytes, checksum 7f309f930dc96a51224285fbb30fc1ba (MD5). Approved for entry into archive by Sarajane Pan (sarajane.pan@pucrs.br) on 2019-07-25T19:36:17Z (GMT). Made available in DSpace on 2019-07-25T19:40:43Z (GMT). Previous issue date: 2019-06-26.
application/pdf; thumbnail http://tede2.pucrs.br:80/tede2/retrieve/176031/DANIEL%20DALALANA%20BERTOGLIO_TES.pdf.jpg; por; Pontifícia Universidade Católica do Rio Grande do Sul; Programa de Pós-Graduação em Ciência da Computação; PUCRS; Brasil; Escola Politécnica; subjects: Testes de Segurança, Pentest, Framework, Security Testing, Penetration Test, CIENCIA DA COMPUTACAO::TEORIA DA COMPUTACAO; title: Tramonto : um framework para gerenciamento de pentests; info:eu-repo/semantics/publishedVersion; info:eu-repo/semantics/doctoralThesis; the work has no restriction on publication; -4570527706994352458; 500 500; -862078257083325301; info:eu-repo/semantics/openAccess; reponame:Biblioteca Digital de Teses e Dissertações da PUC_RS; instname:Pontifícia Universidade Católica do Rio Grande do Sul (PUCRS); instacron:PUC_RS
Bitstreams: THUMBNAIL DANIEL DALALANA BERTOGLIO_TES.pdf.jpg (image/jpeg, 5584 bytes, http://tede2.pucrs.br/tede2/bitstream/tede/8816/4/DANIEL+DALALANA+BERTOGLIO_TES.pdf.jpg, MD5 3ffd5efa91184789bb04d9b59e6a9232); TEXT DANIEL DALALANA BERTOGLIO_TES.pdf.txt (text/plain, 308058 bytes, http://tede2.pucrs.br/tede2/bitstream/tede/8816/3/DANIEL+DALALANA+BERTOGLIO_TES.pdf.txt, MD5 2f1cc0dc7f7817c1b133d139b04d3138); ORIGINAL DANIEL DALALANA BERTOGLIO_TES.pdf (application/pdf, 4891379 bytes, http://tede2.pucrs.br/tede2/bitstream/tede/8816/2/DANIEL+DALALANA+BERTOGLIO_TES.pdf, MD5 7f309f930dc96a51224285fbb30fc1ba); LICENSE license.txt (text/plain; charset=utf-8, 590 bytes, http://tede2.pucrs.br/tede2/bitstream/tede/8816/1/license.txt, MD5 220e11f2d3ba5354f917c7035aadef24)
tede/8816, 2019-07-25 20:00:31.812; oai:tede2.pucrs.br:tede/8816; Biblioteca Digital de Teses e Dissertações, http://tede2.pucrs.br/tede2/, PRI https://tede2.pucrs.br/oai/request, biblioteca.central@pucrs.br, opendoar:2019-07-25T23:00:31, Biblioteca Digital de Teses e Dissertações da PUC_RS - Pontifícia Universidade Católica do Rio Grande do Sul (PUCRS), false |
dc.title.por.fl_str_mv |
Tramonto : um framework para gerenciamento de pentests |
title |
Tramonto : um framework para gerenciamento de pentests |
spellingShingle |
Tramonto : um framework para gerenciamento de pentests Bertoglio, Daniel Dalalana Testes de Segurança Pentest Framework Security Testing Penetration Test CIENCIA DA COMPUTACAO::TEORIA DA COMPUTACAO |
title_short |
Tramonto : um framework para gerenciamento de pentests |
title_full |
Tramonto : um framework para gerenciamento de pentests |
title_fullStr |
Tramonto : um framework para gerenciamento de pentests |
title_full_unstemmed |
Tramonto : um framework para gerenciamento de pentests |
title_sort |
Tramonto : um framework para gerenciamento de pentests |
author |
Bertoglio, Daniel Dalalana |
author_facet |
Bertoglio, Daniel Dalalana |
author_role |
author |
dc.contributor.advisor1.fl_str_mv |
Zorzo, Avelino Francisco |
dc.contributor.advisor1Lattes.fl_str_mv |
http://lattes.cnpq.br/4315350764773182 |
dc.contributor.authorLattes.fl_str_mv |
http://lattes.cnpq.br/4493244304420308 |
dc.contributor.author.fl_str_mv |
Bertoglio, Daniel Dalalana |
contributor_str_mv |
Zorzo, Avelino Francisco |
dc.subject.por.fl_str_mv |
Testes de Segurança |
topic |
Testes de Segurança Pentest Framework Security Testing Penetration Test CIENCIA DA COMPUTACAO::TEORIA DA COMPUTACAO |
dc.subject.eng.fl_str_mv |
Pentest Framework Security Testing Penetration Test |
dc.subject.cnpq.fl_str_mv |
CIENCIA DA COMPUTACAO::TEORIA DA COMPUTACAO |
description |
Nowadays, companies have more systems integration on the Internet and their applications deal with sensitive data. Thus, providing methods to ensure the security of the data and assets, considering the level of information exposure, is a mandatory requirement. As a way to protect and mitigate the high number of security incidents that arise from the business context, security testing has been applied to assess the existence of vulnerabilities in the target scenarios. One of the known tests of this category is the Penetration Test (Pentest), which approximates the reality of attacks by simulating the behavior of an attacker. Considering the specific characteristics that distinguish penetration tests from other tests, methodologies have been established in an attempt to standardize the processes and support the test executor (tester) through standards and guidelines. However, the methodologies that are most widespread in the security community seek to meet the criteria of other types of security testing, sometimes disregarding the particularities of a Pentest. Therefore, this work proposes the construction of a framework called Tramonto. This framework, based on the main methodologies applied to security testing, aims to help testers in executing Pentests in order to provide better organization, standardization, and flexibility in the test workflow. Some studies were conducted with security test professionals to validate the propositions suggested by Tramonto, supported by the Tramonto-App web application. The results achieved through these studies confirm the importance of the framework in supporting the testers, and also indicate the direction and other possibilities in the Pentest area. |
publishDate |
2019 |
dc.date.accessioned.fl_str_mv |
2019-07-25T19:40:43Z |
dc.date.issued.fl_str_mv |
2019-06-26 |
dc.type.status.fl_str_mv |
info:eu-repo/semantics/publishedVersion |
dc.type.driver.fl_str_mv |
info:eu-repo/semantics/doctoralThesis |
format |
doctoralThesis |
status_str |
publishedVersion |
dc.identifier.uri.fl_str_mv |
http://tede2.pucrs.br/tede2/handle/tede/8816 |
url |
http://tede2.pucrs.br/tede2/handle/tede/8816 |
dc.language.iso.fl_str_mv |
por |
language |
por |
dc.relation.program.fl_str_mv |
-4570527706994352458 |
dc.relation.confidence.fl_str_mv |
500 500 |
dc.relation.cnpq.fl_str_mv |
-862078257083325301 |
dc.rights.driver.fl_str_mv |
info:eu-repo/semantics/openAccess |
eu_rights_str_mv |
openAccess |
dc.format.none.fl_str_mv |
application/pdf |
dc.publisher.none.fl_str_mv |
Pontifícia Universidade Católica do Rio Grande do Sul |
dc.publisher.program.fl_str_mv |
Programa de Pós-Graduação em Ciência da Computação |
dc.publisher.initials.fl_str_mv |
PUCRS |
dc.publisher.country.fl_str_mv |
Brasil |
dc.publisher.department.fl_str_mv |
Escola Politécnica |
publisher.none.fl_str_mv |
Pontifícia Universidade Católica do Rio Grande do Sul |
dc.source.none.fl_str_mv |
reponame:Biblioteca Digital de Teses e Dissertações da PUC_RS instname:Pontifícia Universidade Católica do Rio Grande do Sul (PUCRS) instacron:PUC_RS |
instname_str |
Pontifícia Universidade Católica do Rio Grande do Sul (PUCRS) |
instacron_str |
PUC_RS |
institution |
PUC_RS |
reponame_str |
Biblioteca Digital de Teses e Dissertações da PUC_RS |
collection |
Biblioteca Digital de Teses e Dissertações da PUC_RS |
bitstream.url.fl_str_mv |
http://tede2.pucrs.br/tede2/bitstream/tede/8816/4/DANIEL+DALALANA+BERTOGLIO_TES.pdf.jpg http://tede2.pucrs.br/tede2/bitstream/tede/8816/3/DANIEL+DALALANA+BERTOGLIO_TES.pdf.txt http://tede2.pucrs.br/tede2/bitstream/tede/8816/2/DANIEL+DALALANA+BERTOGLIO_TES.pdf http://tede2.pucrs.br/tede2/bitstream/tede/8816/1/license.txt |
bitstream.checksum.fl_str_mv |
3ffd5efa91184789bb04d9b59e6a9232 2f1cc0dc7f7817c1b133d139b04d3138 7f309f930dc96a51224285fbb30fc1ba 220e11f2d3ba5354f917c7035aadef24 |
bitstream.checksumAlgorithm.fl_str_mv |
MD5 MD5 MD5 MD5 |
repository.name.fl_str_mv |
Biblioteca Digital de Teses e Dissertações da PUC_RS - Pontifícia Universidade Católica do Rio Grande do Sul (PUCRS) |
repository.mail.fl_str_mv |
biblioteca.central@pucrs.br |
_version_ |
1791080306010226688 |