Litcius/Paper detail

Cloud Property Graph: Connecting Cloud Security Assessments with Static Code Analysis

Christian Banse, Immanuel Kunz, Angelika Schneider, Konrad Weiss

202126 citationsDOIOpen Access PDF

Abstract

In this paper, we present the Cloud Property Graph (CloudPG), which bridges the gap between static code analysis and runtime security assessment of cloud services. The CloudPG is able to resolve data flows between cloud applications deployed on different resources, and contextualizes the graph with runtime information, such as encryption settings. To provide a vendorand technology-independent representation of a cloud service's security posture, the graph is based on an ontology of cloud resources, their functionalities and security features. We show, using an example, that our CloudPG framework can be used by security experts to identify weaknesses in their cloud deployments, spanning multiple vendors or technologies, such as AWS, Azure and Kubernetes. This includes misconfigurations, such as publicly accessible storages or undesired data flows within a cloud service, as restricted by regulations such as GDPR.

Topics & Concepts

Cloud computingComputer scienceProperty (philosophy)Static analysisStatic program analysisComputer securityCode (set theory)GraphSecurity analysisTheoretical computer scienceProgramming languageOperating systemSoftwareEpistemologySoftware developmentPhilosophySet (abstract data type)Cloud Data Security SolutionsData Quality and ManagementAdvanced Malware Detection Techniques
Cloud Property Graph: Connecting Cloud Security Assessments with Static Code Analysis | Litcius