Provenance-Based Security Audits and Its Application to COVID-19 Contact Tracing Apps

Schreiber, Andreas; Sonnekalb, Tim; Heinze, Thomas S.; Kurnatowski, Lynn von; González-Barahona, Jesús M.; Packer, Heather S.

doi:10.1007/978-3-030-80960-7_6

Cited by 3 publications

(4 citation statements)

References 30 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…We use the commit hash or snapshot ID as the code state. The relational model can also be used as an interface to other data mining and analysis tools, as the authors have shown for the combined analysis of vulnerability and provenance data [3]. Figure 2 shows the database schema.…”

Section: B Sast Databasementioning

confidence: 99%

“…Tool corresponds to a SAST tool, with a name, configuration and version number. Run corresponds to an execution of a tool on a given snapshot and confirms a success flag which confirms a successful tool run or indicate errors 3 . Warning is a collection of all SAST warnings encountered with a message, location as file path, severity (if available) and a duplicate check field.…”

Section: B Sast Databasementioning

confidence: 99%

“…Schreiber et al provide a discussion of the visualization components in [3] and [5]. We visualize the results per tool because we cannot aggregate the values without normalizing the reports.…”

Section: Dashboardmentioning

confidence: 99%

“…Mining/Visualization The analysis results are written to a database and visualized in a dashboard. Schreiber et al [3] tested this platform using the open source repositories of the German Covid contract tracing apps as case study. They also provided a database [4] which can be used with our dashboard.…”

Section: Introductionmentioning

confidence: 99%

See 3 more Smart Citations

A Static Analysis Platform for Investigating Security Trends in Repositories

Sonnekalb,

Knaust,

Gruner

et al. 2023

2023 IEEE/ACM 1st International Workshop on Software Vulnerability (SVM)

Self Cite

View full text Add to dashboard Cite

Static analysis tools come in many forms and configurations, allowing them to handle various tasks in a (secure) development process: code style linting, bug/vulnerability detection, verification, etc., and adapt to the specific requirements of a software project, thus reducing the number of false positives.The wide range of configuration options poses a hurdle in their use for software developers, as the tools cannot be deployed out-of-the-box. However, static analysis tools only develop their full benefit if they are integrated into the software development workflow and used on regular. Vulnerability management should be integrated via version history to identify hotspots, for example.We present an analysis platform that integrates several static analysis tools that enable Git-based repositories to continuously monitor warnings across their version history. The framework is easily extensible with other tools and programming languages. We provide a visualization component in the form of a dashboard to display security trends and hotspots. Our tool can also be used to create a database of security alerts at a scale well-suited for machine learning applications such as bug or vulnerability detection.

show abstract

Section: B Sast Databasementioning

confidence: 99%

Section: B Sast Databasementioning

confidence: 99%

Section: Dashboardmentioning

confidence: 99%

Section: Introductionmentioning

confidence: 99%

See 2 more Smart Citations

A Static Analysis Platform for Investigating Security Trends in Repositories

Sonnekalb,

Knaust,

Gruner

et al. 2023

2023 IEEE/ACM 1st International Workshop on Software Vulnerability (SVM)

Self Cite

View full text Add to dashboard Cite

show abstract

Towards Visual Analytics Dashboards for Provenance-driven Static Application Security Testing

Schreiber

Sonnekalb

Kurnatowski

2021

2021 IEEE Symposium on Visualization for Cyber Security (VizSec)

View full text Add to dashboard Cite

show abstract

A Blockchain-Enabled Framework for Improving the Software Audit Process

Assiri

Humayun

2023

Applied Sciences

View full text Add to dashboard Cite

Audits are an essential component of every organization, particularly those involving software development. In addition to several testing cycles, software auditing has become an essential software development milestone. Software auditing is a continual activity that enables a business to remain ahead of the curve and predict potential software problems. Audits, whether undertaken in-house or by external auditors, entail a significant amount of time and work. Consistent audits provide financial and economic benefits, as well as legal benefits. The most essential advantage of audits is safeguarding your system from internal and external assaults. Audit logs serve a crucial role in the auditing process; they typically capture all system operations and occurrences. They are used as evidence providers during an inquiry and by auditors to monitor the privacy and security of information and systems. Auditors confirm the accuracy of data pertaining to businesses and their activities. To determine if these acts exceed the limitations established by organizations, governments, and other parties, dependable information is essential. Infractions of such rules or corporate standards may be indicative of fraud, malpractice, risk, or inefficiency. Despite the existence of automated audit tools, audit policy, and audit logs, many audit frauds are reported on a daily basis. To make the audit process transparent and secure, this research proposes a blockchain-enabled framework SSFTA to aid software auditors in conducting a transparent and effective audit process. The proposed framework is evaluated using a case study. The findings demonstrated that the suggested framework makes the auditing process simple and transparent.

show abstract

Provenance-Based Security Audits and Its Application to COVID-19 Contact Tracing Apps

Cited by 3 publications

References 30 publications

A Static Analysis Platform for Investigating Security Trends in Repositories

A Static Analysis Platform for Investigating Security Trends in Repositories

Towards Visual Analytics Dashboards for Provenance-driven Static Application Security Testing

A Blockchain-Enabled Framework for Improving the Software Audit Process

Contact Info

Product

Resources

About