Architecture-Driven Penetration Testing Against an Identity Access Management (IAM) System

Title: Architecture-Driven Penetration Testing Against an Identity Access Management (IAM) System
Publication Type: Conference Paper
Year of Publication: 2016
Authors: Chung, Sam; Moon, Sky; Endicott-Popovsky, Barbara
Conference Name: Proceedings of the 5th Annual Conference on Research in Information Technology
Date Published: September 2016
Publisher: ACM
Conference Location: New York, NY, USA
ISBN Number: 978-1-4503-4453-1
Keywords: Human Behavior, identity and access management environment, Identity management, Metrics, OAuth 2.0, Penetration Testing, pubcrawl, Resiliency, Scalability, software architecture
Abstract:

The purpose of this research is to propose architecture-driven penetration testing equipped with a software reverse and forward engineering process. Although the importance of architectural risk analysis has been emphasized in software security, no methodology has been shown that answers how to discover the architecture and abuse cases of a given insecure legacy system and how to modernize it into a secure target system. For this purpose, we propose an architecture-driven penetration testing methodology: the 4+1 architectural views of the given insecure legacy system are documented through a reverse engineering process in order to discover program paths that lead to vulnerabilities. Vulnerabilities are then identified using the discovered architecture and abuse cases, and countermeasures are proposed for the identified vulnerabilities. As a case study, a telecommunication company's Identity Access Management (IAM) system is used to discover its software architecture, identify the vulnerabilities of that architecture, and provide possible countermeasures. Our empirical results show that functional suggestions are relatively easy to follow up and less time-consuming to fix, whereas architectural suggestions are more complicated to follow up, even though they guarantee better security and take full advantage of the communities supporting OAuth 2.0.

URL: https://dl.acm.org/doi/10.1145/2978178.2978183
DOI: 10.1145/2978178.2978183
Citation Key: chung_architecture-driven_2016