Towards automated, provenance-driven security audit for git-based repositories: applied to germany's corona-warn-app: vision paper

Sonnekalb, Tim; Heinze, Thomas S.; Kurnatowski, Lynn von; Schreiber, Andreas; González-Barahona, Jesús M.; Packer, Heather S.

doi:10.1145/3416507.3423190

Cited by 5 publications

(3 citation statements)

References 20 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…We already work on using the provenance data for non-visual analytics of open-source projects. For example, to investigate whether vulnerabilities are introduced by external contributors (e.g., via pull requests)-we apply static code analysis for revisions in development history determined on the provenance data [23].…”

Section: Discussionmentioning

confidence: 99%

Visualization of Contributions to Open-Source Projects

Schreiber¹

2020

Preprint

Self Cite

View full text Add to dashboard Cite

We want to analyze visually, to what extend team members and external developers contribute to open-source projects. This gives a high-level impression about collaboration in that projects. We achieve this by recording provenance of the development process and use graph drawing on the resulting provenance graph. Our graph drawings show, which developers are jointly changed the same files-and to what extend-which we show at Germany's COVID-19 exposure notification app 'Corona-Warn-App'.

show abstract

Section: Discussionmentioning

confidence: 99%

Visualization of Contributions to Open-Source Projects

Schreiber¹

2020

Preprint

Self Cite

View full text Add to dashboard Cite

show abstract

“…It must, however, be noted that although the population download rates of the CTA in Germany remains relatively low (Amann et al, 2021;Zimmermann et al, 2021;Blom et al, 2021), Munzert et al (2021) suggest that considerable awareness of the app was generated and the provision of monetary incentives for downloading the app might be more effective than further awareness-raising. Also, the government has been hailed for its open-source approach, which enables public scrutiny of the apps source code and increased transparency (Sonnekalb et al, 2020;Amann et al, 2021;Weiß et al, 2021). However, Grill et al (2021) argue there has been a 'missed communication opportunity' because many non-users are not aware of the usefulness and effectiveness of the app, and, the government has been criticised for the lack of transparency and clear communication about its purpose and function (Amann et al, 2021).…”

Section: Germanymentioning

confidence: 99%

Contact Tracing Apps for the COVID-19 Pandemic: A Responsible Innovation Perspective

Ogoh

Akintoye

Eke

et al. 2022

Philosophy of Engineering and Technology

View full text Add to dashboard Cite

The COVID-19 pandemic has brought about the first real opportunity to test the efficacy of the Responsible Research and Innovation framework or RRI in a global health crisis. This is in view of the bold new approaches to health research and innovation that the pandemic has paved the way for. One such approach is the digital contact tracing application (CTA). Although contact tracing has been a fundamental part of infectious disease control for decades, this is the first time this technique has been used in mobile applications. Based on a Multivocal Literature Review, the development of CTAs in four countries – France, Germany, Spain, and the UK – was assessed to understand what dimensions of RRI can be identified in the governments’ response to COVID-19. This chapter shows that although from 2011, RRI has been promoted as a governance approach for increasing societal desirability of the processes and products of science and technology, very little is known about how the framework may be applied in a health crisis. Notwithstanding that RRI was not explicitly referenced during the development of CTAs in France, the UK, Spain, and Germany, the analysis has identified some interesting linkage to this framework. It shows that while no RRI approach was explicitly embraced by these governments, some key components were present – even though inadequately. It also indicates that, while it is challenging to apply RRI in crises, there is value in using it as an analytical tool for techno-social responses in situations, like those created by the COVID-19 health crisis.

show abstract

“…The basic principle of our provenance-driven code security analysis is to find and select relevant or "interesting" activities in the development process by making queries on provenance information and then evaluating the results of static code analysis at the times of these activities [25,27].…”

Section: Introductionmentioning

confidence: 99%