CYBERSECURITY IN THE APPLICATIONAL CONTEXT. KEYCLOAK, KONG AND CODE VERIFIER

Bibliographic details
Main author: Sousa, André Jorge Martins
Publication date: 2023
Document type: Dissertation
Language: eng
Source title: Repositórios Científicos de Acesso Aberto de Portugal (RCAAP)
Full text: http://hdl.handle.net/10362/164323
Abstract: Cybercrime has increased over the past few years, as has the number of victims and the amount of data lost and stolen. This escalation in cybercrime has led to greater concern about cybersecurity, which has resulted in the creation of norms, rules and standards to guide and protect users in cyberspace. This special concern for cybersecurity has also reached Link Consulting, which, as an IT company, endeavours to guarantee the security of its products. Link Consulting, responsible for suggesting the topic of this dissertation, is a technology company that seeks to offer its customers IT solutions that not only fulfil their requirements, but also guarantee reliability and trust. The Egov department is one of the various departments in the company and is the subject of this dissertation. The most significant difference between Egov and the other departments is that it focuses on work in the public sector only. The department currently has a reference architecture to guide programmers in their work. With this increase in concern at Link, there was an interest in reinforcing and guaranteeing the security of the architecture. Within it, it is possible to identify some tools and possible vulnerabilities. These possible points of failure were studied, identifying the causes of the problem and possible solutions. To help Link mitigate the existing vulnerabilities in its architecture, a mechanism was created to automate the verification of these points of failure, complementing the current mechanisms with another tool that could be beneficial to the company. After analysing the entire architecture and mitigating the possible existing vulnerabilities, it was then possible to obtain a plugin that can not only identify the vulnerabilities present in Keycloak, but also check for them and report them to users.
The result allows users to visualize in Jenkins (or in an output file) the result of the checks made on Keycloak, showing the vulnerabilities found and the proposed solution to them. Since Keycloak is widely known and used, in order to allow users to have greater confidence in it, and considering the results obtained to be of public use, it is intended to publish the results as open source, so that they can be implemented by other users and thus minimize the chance of vulnerabilities in their Keycloak instances as well. Therefore, the vulnerabilities present in the reference architecture are considered to be mitigated, and it has been possible to take another step towards guaranteeing its security.
Contributors: Epifânio, Tiago; Ravara, António; RUN
Keywords: cybercrime, cybersecurity, vulnerabilities, architecture, plugin
Scientific domain/area: Engenharia e Tecnologia::Engenharia Eletrotécnica, Eletrónica e Informática
Publication date: 2023-12
Deposited: 2024-03-01
Type: master thesis (published version)
Format: application/pdf
Rights: open access
Repository: Repositórios Científicos de Acesso Aberto de Portugal (RCAAP) - FCCN, serviços digitais da FCT – Fundação para a Ciência e a Tecnologia (info@rcaap.pt)