Tramonto: um framework para gerenciamento de pentests (Tramonto: a framework for pentest management)

Bibliographic details
Main author: Bertoglio, Daniel Dalalana
Publication date: 2019
Document type: Thesis
Language: por
Source title: Biblioteca Digital de Teses e Dissertações da PUC_RS
Full text: http://tede2.pucrs.br/tede2/handle/tede/8816
Abstract: Nowadays, companies have more systems integrated with the Internet, and their applications deal with sensitive data. Thus, providing methods to ensure the security of the data and assets, considering the level of information exposure, is a mandatory requirement. As a way to protect against and mitigate the high number of security incidents that arise in the business context, security testing has been applied to assess the existence of vulnerabilities in the target scenarios. One of the known tests of this category is the Penetration Test (Pentest), which approximates the reality of attacks by simulating the behavior of an attacker. Considering the specific characteristics that distinguish penetration tests from other tests, methodologies have been established in an attempt to standardize the processes and support the test executor (tester) through standards and guidelines. However, the methodologies that are most widespread in the security community seek to meet the criteria of other types of security testing, sometimes disregarding the particularities of a Pentest. Therefore, this work proposes the construction of a framework called Tramonto. This framework, based on the main methodologies applied to security testing, aims to help testers in Pentest execution in order to provide better organization, standardization, and flexibility in the test workflow. Studies were conducted with security testing professionals to validate the propositions suggested by Tramonto, supported by the Tramonto-App web application. The results achieved through these studies confirm the importance of the framework in supporting testers, and also indicate the direction and other possibilities in the Pentest area.
id P_RS_ee63dfbb98d0bc651b3cecbe05970526
oai_identifier_str oai:tede2.pucrs.br:tede/8816
network_acronym_str P_RS
network_name_str Biblioteca Digital de Teses e Dissertações da PUC_RS
repository_id_str
spelling (index field; the abstract in English and Portuguese, author, advisor, title, subjects, URIs and bitstream list it concatenates appear in the structured fields above and below)
Provenance: Submitted by PPG Ciência da Computação (ppgcc@pucrs.br) on 2019-07-18T18:57:05Z. No. of bitstreams: 1. DANIEL DALALANA BERTOGLIO_TES.pdf: 4891379 bytes, checksum: 7f309f930dc96a51224285fbb30fc1ba (MD5). Approved for entry into archive by Sarajane Pan (sarajane.pan@pucrs.br) on 2019-07-25T19:36:17Z (GMT). Made available in DSpace on 2019-07-25T19:40:43Z (GMT). Previous issue date: 2019-06-26.
Thumbnail: http://tede2.pucrs.br:80/tede2/retrieve/176031/DANIEL%20DALALANA%20BERTOGLIO_TES.pdf.jpg
Rights note: Trabalho não apresenta restrição para publicação (the work carries no restriction on publication).
dc.title.por.fl_str_mv Tramonto : um framework para gerenciamento de pentests
title Tramonto : um framework para gerenciamento de pentests
spellingShingle Tramonto : um framework para gerenciamento de pentests
Bertoglio, Daniel Dalalana
Testes de Segurança
Pentest
Framework
Security Testing
Penetration Test
CIENCIA DA COMPUTACAO::TEORIA DA COMPUTACAO
title_short Tramonto : um framework para gerenciamento de pentests
title_full Tramonto : um framework para gerenciamento de pentests
title_fullStr Tramonto : um framework para gerenciamento de pentests
title_full_unstemmed Tramonto : um framework para gerenciamento de pentests
title_sort Tramonto : um framework para gerenciamento de pentests
author Bertoglio, Daniel Dalalana
author_facet Bertoglio, Daniel Dalalana
author_role author
dc.contributor.advisor1.fl_str_mv Zorzo, Avelino Francisco
dc.contributor.advisor1Lattes.fl_str_mv http://lattes.cnpq.br/4315350764773182
dc.contributor.authorLattes.fl_str_mv http://lattes.cnpq.br/4493244304420308
dc.contributor.author.fl_str_mv Bertoglio, Daniel Dalalana
contributor_str_mv Zorzo, Avelino Francisco
dc.subject.por.fl_str_mv Testes de Segurança
topic Testes de Segurança
Pentest
Framework
Security Testing
Penetration Test
CIENCIA DA COMPUTACAO::TEORIA DA COMPUTACAO
dc.subject.eng.fl_str_mv Pentest
Framework
Security Testing
Penetration Test
dc.subject.cnpq.fl_str_mv CIENCIA DA COMPUTACAO::TEORIA DA COMPUTACAO
description (same text as the Abstract above)
publishDate 2019
dc.date.accessioned.fl_str_mv 2019-07-25T19:40:43Z
dc.date.issued.fl_str_mv 2019-06-26
dc.type.status.fl_str_mv info:eu-repo/semantics/publishedVersion
dc.type.driver.fl_str_mv info:eu-repo/semantics/doctoralThesis
format doctoralThesis
status_str publishedVersion
dc.identifier.uri.fl_str_mv http://tede2.pucrs.br/tede2/handle/tede/8816
url http://tede2.pucrs.br/tede2/handle/tede/8816
dc.language.iso.fl_str_mv por
language por
dc.relation.program.fl_str_mv -4570527706994352458
dc.relation.confidence.fl_str_mv 500
500
dc.relation.cnpq.fl_str_mv -862078257083325301
dc.rights.driver.fl_str_mv info:eu-repo/semantics/openAccess
eu_rights_str_mv openAccess
dc.format.none.fl_str_mv application/pdf
dc.publisher.none.fl_str_mv Pontifícia Universidade Católica do Rio Grande do Sul
dc.publisher.program.fl_str_mv Programa de Pós-Graduação em Ciência da Computação
dc.publisher.initials.fl_str_mv PUCRS
dc.publisher.country.fl_str_mv Brasil
dc.publisher.department.fl_str_mv Escola Politécnica
publisher.none.fl_str_mv Pontifícia Universidade Católica do Rio Grande do Sul
dc.source.none.fl_str_mv reponame:Biblioteca Digital de Teses e Dissertações da PUC_RS
instname:Pontifícia Universidade Católica do Rio Grande do Sul (PUCRS)
instacron:PUC_RS
instname_str Pontifícia Universidade Católica do Rio Grande do Sul (PUCRS)
instacron_str PUC_RS
institution PUC_RS
reponame_str Biblioteca Digital de Teses e Dissertações da PUC_RS
collection Biblioteca Digital de Teses e Dissertações da PUC_RS
bitstream.url.fl_str_mv http://tede2.pucrs.br/tede2/bitstream/tede/8816/4/DANIEL+DALALANA+BERTOGLIO_TES.pdf.jpg
http://tede2.pucrs.br/tede2/bitstream/tede/8816/3/DANIEL+DALALANA+BERTOGLIO_TES.pdf.txt
http://tede2.pucrs.br/tede2/bitstream/tede/8816/2/DANIEL+DALALANA+BERTOGLIO_TES.pdf
http://tede2.pucrs.br/tede2/bitstream/tede/8816/1/license.txt
bitstream.checksum.fl_str_mv 3ffd5efa91184789bb04d9b59e6a9232
2f1cc0dc7f7817c1b133d139b04d3138
7f309f930dc96a51224285fbb30fc1ba
220e11f2d3ba5354f917c7035aadef24
bitstream.checksumAlgorithm.fl_str_mv MD5
MD5
MD5
MD5
repository.name.fl_str_mv Biblioteca Digital de Teses e Dissertações da PUC_RS - Pontifícia Universidade Católica do Rio Grande do Sul (PUCRS)
repository.mail.fl_str_mv biblioteca.central@pucrs.br
_version_ 1791080306010226688