Ambush From All Sides: Understanding Security Threats in Open-Source Software CI/CD Pipelines

Pan, Ziyue; Shen, Wenbo; Wang, Xingkai; Yang, Yutian; Chang, Rui; Liu, Yao; Liu, Chengwei; Liu, Yang; Ren, Kui

doi:10.1109/tdsc.2023.3253572

Cited by 3 publications

(1 citation statement)

References 19 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…However, the paper is prescriptive and does not provide any reference implementation of how one might integrate these security measures. P. Kumar, V. K. Madisetti Journal of Software Engineering and Applications Pan et al [18], in their paper, "Ambush from All Sides: Understanding Security Threats in Open-Source Software CI/CD Pipelines", conduct a large-scale measurement study of over 320 k CI/CD pipelines to define a threat model and approaches attackers may take towards these pipelines. They go on to validate the threat model with case studies.…”

Section: Related Workmentioning

confidence: 99%

Sher: A Secure Broker for DevSecOps and CI/CD Workflows

Kumar,

Madisetti

2024

JSEA

View full text Add to dashboard Cite

GitHub Actions, a popular CI/CD platform, introduces significant security challenges due to its integration with GitHub's open ecosystem and its use of flexible workflow configurations. This paper presents Sher, a Python-based tool that enhances the security of GitHub Actions by automating the detection and remediation of security issues in workflows. Self-Hosted Ephemeral Runner, or Sher, acts as a broker between GitHub's APIs and a customizable, isolated environment, analyzing workflows through a static rules engine and automatically fixing identified issues. By providing a secure, ephemeral runner environment and a dynamic analysis tool, Sher addresses common misconfigurations and vulnerabilities, contributing to the resilience and integrity of DevSecOps practices within software development pipelines.

show abstract

Section: Related Workmentioning

confidence: 99%

Sher: A Secure Broker for DevSecOps and CI/CD Workflows

Kumar,

Madisetti

2024

JSEA

View full text Add to dashboard Cite

show abstract

Code Obfuscation in CI/CD Pipelines for Enhanced DevOps Security

Afifah,

Kabetta,

Setia Buana

et al. 2024

2024 International Conference on Artificial Intelligence, Blockchain, Cloud Computing, and Data Analytics (ICoABCD)

View full text Add to dashboard Cite

An Evaluation of the Security of Bare Machine Computing (BMC) Systems against Cybersecurity Attacks

Alotaibi,

Karne,

Wijesinha

et al. 2024

JCP

View full text Add to dashboard Cite

The Internet has become the primary vehicle for doing almost everything online, and smartphones are needed for almost everyone to live their daily lives. As a result, cybersecurity is a top priority in today’s world. As Internet usage has grown exponentially with billions of users and the proliferation of Internet of Things (IoT) devices, cybersecurity has become a cat-and-mouse game between attackers and defenders. Cyberattacks on systems are commonplace, and defense mechanisms are continually updated to prevent them. Based on a literature review of cybersecurity vulnerabilities, attacks, and preventive measures, we find that cybersecurity problems are rooted in computer system architectures, operating systems, network protocols, design options, heterogeneity, complexity, evolution, open systems, open-source software vulnerabilities, user convenience, ease of Internet access, global users, advertisements, business needs, and the global market. We investigate common cybersecurity vulnerabilities and find that the bare machine computing (BMC) paradigm is a possible solution to address and eliminate their root causes at many levels. We study 22 common cyberattacks, identify their root causes, and investigate preventive mechanisms currently used to address them. We compare conventional and bare machine characteristics and evaluate the BMC paradigm and its applications with respect to these attacks. Our study finds that BMC applications are resilient to most cyberattacks, except for a few physical attacks. We also find that BMC applications have inherent security at all computer and information system levels. Further research is needed to validate the security strengths of BMC systems and applications.

show abstract

Ambush From All Sides: Understanding Security Threats in Open-Source Software CI/CD Pipelines

Cited by 3 publications

References 19 publications

Sher: A Secure Broker for DevSecOps and CI/CD Workflows

Sher: A Secure Broker for DevSecOps and CI/CD Workflows

Code Obfuscation in CI/CD Pipelines for Enhanced DevOps Security

An Evaluation of the Security of Bare Machine Computing (BMC) Systems against Cybersecurity Attacks

Contact Info

Product

Resources

About