An\'alise de Seguran\c{c}a Baseada em Roles para F\'abricas de Software

TL;DR

This paper introduces a static analysis method based on role-based security policies to identify security breaches in large software factories, demonstrated through a prototype for OutSystems with effective flaw detection.

Contribution

It presents a novel static analysis technique for security policy compliance in software factories, including a graph-based model and a prototype tool for practical evaluation.

Findings

Detected several security flaws in large factories.

Identified serious security breaches that are hard to detect manually.

Validated the approach with a prototype on OutSystems factories.

Abstract

Most software factories contain applications with sensitive information that needs to be protected against breaches of confidentiality and integrity, which can have serious consequences. In the context of large factories with complex applications, it is not feasible to manually analyze accesses to sensitive information without some form of safety mechanisms. This article presents a static analysis technique for software factories, based on role-based security policies. We start by synthesising a graph representation of the relevant software factories, based on the security policy defined by the user. Later the graph model is analysed to find access information where the security policy is breached, ensuring that all possible execution states are analysed. A proof of concept of our technique has been developed for the analysis of OutSystems software factories. The security reports generated by the tool allows developers to find and prioritise security breaches in their factories. The prototype was evaluated using large software factories, with strong safety requirements. Several security flaws were found, some serious ones that would be hard to be detected without our analysis.