Integrated architecture of standards and frameworks for secure software development applied to support the identification of failures in requirements specification

Bibliographic details
Year of defense: 2024
Main author: Gatto, Dacyr Dante de Oliveira
Advisor: Sassi, Renato José
Examination committee: Sassi, Renato José; Lopes, Fábio Silva; Sátyro, Walter Cardoso; Costa, Ivanir; Pinto, Luiz Fernando Rodrigues
Document type: Thesis
Access type: Open access
Language: por
Institution of defense: Universidade Nove de Julho
Graduate program: Programa de Pós-Graduação em Informática e Gestão do Conhecimento
Department: Informática
Country: Brazil
Access link: http://bibliotecatede.uninove.br/handle/tede/3507
Abstract: The Software Development Life Cycle (SDLC) is a development process approach that spans from the conception to the maintenance of the final software product. The software requirements specification is a crucial phase of the SDLC, involving the identification of functional and non-functional requirements. Failures in this phase can lead to organizational issues such as information security problems. A development process approach that encompasses information security is the Secure Software Development Life Cycle (S-SDLC), which integrates security into all phases of software development, although it may not cover all activities of each phase of the cycle. Standards considered references for information security, such as ISO/IEC 27001 and ISO/IEC 27002, and frameworks like the NIST Cybersecurity Framework (CSF), CIS Critical Security Controls, MITRE ATT&CK, and OWASP Secure Coding Practices (OWASP SCP), support this comprehensiveness, especially if integrated into an architecture. The literature highlights the importance of an architecture that integrates information security standards and frameworks addressing failures in the specifications of functional and non-functional requirements across all activities in the S-SDLC, without overburdening software development. Thus, the aim of this work was to develop and apply an Integrated Architecture of Standards and Frameworks for Secure Software Development to support the identification of failures in specifying functional and non-functional requirements during the phases of the Secure Software Development Life Cycle.
The development of the architecture was divided into six distinct phases: Systematic Literature Review (SLR); Documentary Research; Development of the Integrated Architecture of Standards and Frameworks for Secure Software Development; Definition, Application, and Evaluation of the S-SDLC Maturity Model; Application of the Integrated Architecture of Standards and Frameworks for Secure Software Development in the S-SDLC; and Validation of S-SDLC Maturity Evolution Post-Application of the Integrated Architecture of Standards and Frameworks for Secure Software Development. With the development and application of the architecture, problems of the S-SDLC were addressed, and it was observed that the phases and activities of the S-SDLC were supported with information security requirements and controls that enhanced the maturity of the S-SDLC, comparing the status of the S-SDLC Pre-Application and Post-Application of the architecture.