    INTEGRATION OF INTELLIGENCE TECHNIQUES ON THE EXECUTION OF PENETRATION TESTS (iPENTEST)

    Penetration Tests (Pentests) identify potential vulnerabilities in the security of computer systems via security assessment. However, they should also benefit from widely recognized methodologies and recommendations within this field, such as the Penetration Testing Execution Standard (PTES). The objective of this research is to explore PTES, particularly the three initial phases: 1. Pre-Engagement Interactions; 2. Intelligence Gathering; 3. Threat Modeling; and ultimately to apply Intelligence techniques to the Threat Modeling phase. To achieve this, we will use open-source and/or commercial tools to structure a process that clarifies how the results were reached, using the inductive research methodology. The following steps were implemented: i) critical review of the “Penetration Testing Execution Standard (PTES)”; ii) critical review of the Intelligence Production Process; iii) specification and classification of contexts in which Intelligence could be applied; iv) definition of a methodology to apply Intelligence Techniques to the specified contexts; v) application and evaluation of the proposed methodology on a real case study as proof of concept. This research has the ambition to develop a model grounded on Intelligence techniques to be applied to the PTES Threat Modeling phase

    Generator for Z Conceptual Model Using JFlex and BYACC/J Specification

    The Z notation is one of the leading formal specification languages based on standard mathematical notation, used for describing and modeling computer systems. The system, which is called ZC06, is composed of several phases, namely lexical analysis, syntax analysis, semantic analysis, and conceptual-model generation. ZC06 accepts a Z specification and produces a conceptual model whose format is based on a format that was proposed by researchers around the 1990s. The lexical analyzer is developed using JFlex, whilst the three other phases are developed using BYACC/J. ZC06 is implemented by interfacing JFlex with BYACC/J. ZC06 has been tested using two specifications. The first is a specification of a security room (SBK), which was used by a previous researcher. The output is evaluated by comparing ZC06's output with the one developed by that researcher. The second is a specification of a system that records people's birthdays (SHJ). This specification has not been used as an input in previous research. Therefore, the output is evaluated by manually redeveloping its specification based on its conceptual model. The result shows that ZC06 produces a conceptual model that is the same as the previous one. Moreover, SHJ has been redeveloped successfull