Enterprise-Driven Open Source Software: A Case Study on Security Automation

Angermeir, Florian; Voggenreiter, Markus; Moyón, Fabiola; Méndez, Daniel

doi:10.1109/icse-seip52600.2021.00037

Cited by 13 publications

(10 citation statements)

References 18 publications

(20 reference statements)

Supporting

Mentioning

Contrasting

Order By: Relevance

“…There are also research studies on bridging the gap between agile development and security auditing. Angermeir et al analyzed the enterprise-driven open-source software and corresponding security automation on a large scale, indicating that security activities in enterprise-driven OSS are scarce and the protection coverage is low [33]. Türpe et al revealed the isolation between scrum CI/CD framework and security experts [34].…”

Section: Security Of Ci/cd Scriptsmentioning

confidence: 99%

Ambush From All Sides: Understanding Security Threats in Open-Source Software CI/CD Pipelines

Pan

Shen

Wang

et al. 2024

IEEE Trans. Dependable and Secure Comput.

View full text Add to dashboard Cite

The continuous integration and continuous deployment (CI/CD) pipelines are widely adopted on Internet hosting platforms, such as GitHub. However, current CI/CD pipelines suffer from malicious code and severe vulnerabilities. Even worse, people have not been fully aware of its attack surfaces and the corresponding impacts. Therefore, in this paper, we conduct a large-scale measurement and a systematic analysis to reveal the attack surfaces of the CI/CD pipeline and quantify their security impacts. Specifically, for the measurement, we collect a data set of 320,000+ CI/CD pipeline-configured GitHub repositories and build an analysis tool to parse the CI/CD pipelines and extract security-critical usages. Our measurement reveals that the script runtimes are prone to code hiding while the script usage update is not in time, giving attackers chances to hide malicious code and exploit existing vulnerabilities. Moreover, even the scripts from verified creators may contain severe vulnerabilities. Besides current CI/CD ecosystem heavily relies on several core scripts, which may lead to a single point of failure. While the CI/CD pipelines contain sensitive information/operations, making them the attacker's favorite targets. Inspired by the measurement findings, we abstract the threat model and the attack approach toward CI/CD pipelines, followed by a systematic analysis of attack surfaces, attack strategies, and the corresponding impacts. We further launch case studies on five attacks in real-world CI/CD environments to validate the revealed attack surfaces. Finally, we give suggestions on mitigating attacks on CI/CD scripts, including securing CI/CD configurations, securing CI/CD scripts, and improving CI/CD infrastructure.

show abstract

Section: Security Of Ci/cd Scriptsmentioning

confidence: 99%

Ambush From All Sides: Understanding Security Threats in Open-Source Software CI/CD Pipelines

Pan

Shen

Wang

et al. 2024

IEEE Trans. Dependable and Secure Comput.

View full text Add to dashboard Cite

show abstract

“…Such technologies advocate automation which is considered a backbone of DevSecOps workflow implementation [70]. Automated security has begun to consider the panorama of challenges by bridging the gap between compliance with security standards and the software engineering environment itself [20]. The opportunity to integrate compliance aspects into the DevOps methodology makes the process a matter of automation as well.…”

Section: Managementmentioning

confidence: 99%

“…The use of security tools as an embedded component allows the automation of security testing [43]. Security activities such as Third-Party Vulnerability Scanning, Static/Dynamic Application Security Testing [20], security requirements testing, threat mitigation testing, vulnerability testing, and penetration testing [61] were performed to test for security risks. Security testing itself contributes to the application of compliance testing.…”

Section: Managementmentioning

confidence: 99%

“…On the other hand, the automation of system configurations itself will ensure that manual errors are avoided and compliance is ensured [43]. Moreover, it will facilitate the compliance verification process, given the security configuration applied and compliance checks on the configuration [20].…”

Section: Technicalitiesmentioning

confidence: 99%

“…With an industry that is widely embracing and adopting DevOps [19], the integration of security processes in pipelines is turned into a must, which has resulted in DevSecOps. These pipelines not only support the detection of any security vulnerabilities, but also contribute to the adherence to standards and regulations [20]. In addition to the protection of customers that the adherence to regulations or the state of being compliant offers, it protects the product provider as well.…”

Section: Introductionmentioning

confidence: 99%

See 2 more Smart Citations

Holding on to Compliance While Adopting DevSecOps: An SLR

et al. 2022

View full text Add to dashboard Cite

The software industry has witnessed a growing interest in DevSecOps due to the premises of integrating security in the software development lifecycle. However, security compliance cannot be disregarded, given the importance of adherence to regulations, laws, industry standards, and frameworks. This study aims to provide an overview of compliance aspects in the context of DevSecOps and explore how compliance is ensured. Furthermore, this study reveals the trends of compliance according to the extant literature and identifies potential directions for further research in this context. Therefore, we carried out a systematic literature review on the integration of compliance aspects in DevSecOps, which rigorously followed the guidelines proposed by Kitchenham and Charters. We found 934 articles related to the topic by searching five bibliographic databases (163) and Google Scholar (771). Through a rigorous selection process, we selected 15 papers as primary studies. Then, we identified the compliance aspects of DevSecOps and grouped them into three main categories: compliance initiation, compliance management, and compliance technicalities. We observed a low number of studies; therefore, we encourage further efforts into the exploration of compliance aspects, their automated integration, and the development of metrics to evaluate such a process in the context of DevSecOps.

show abstract