Security of public continuous integration services

Gruhn, Volker; Hannebauer, Christoph; Christian, John L.

doi:10.1145/2491055.2491070

Cited by 16 publications

(12 citation statements)

References 17 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…It has the feature of running in snapshot mode where no changes will be written back to the virtual hard drive. This gave us the advantage of always starting at the same filesystem state whenever conducting any of our automated tests [29].…”

Section: Qemu-kvmmentioning

confidence: 99%

Design and Implementation of SFCI: A Tool for Security Focused Continuous Integration

Lescisin

Mahmoud

Cioraca³

2019

Computers

View full text Add to dashboard Cite

Software security is a component of software development that should be integrated throughout its entire development lifecycle, and not simply as an afterthought. If security vulnerabilities are caught early in development, they can be fixed before the software is released in production environments. Furthermore, finding a software vulnerability early in development will warn the programmer and lessen the likelihood of this type of programming error being repeated in other parts of the software project. Using Continuous Integration (CI) for checking for security vulnerabilities every time new code is committed to a repository can alert developers of security flaws almost immediately after they are introduced. Finally, continuous integration tests for security give software developers the option of making the test results public so that users or potential users are given assurance that the software is well tested for security flaws. While there already exists general-purpose continuous integration tools such as Jenkins-CI and GitLab-CI, our tool is primarily focused on integrating third party security testing programs and generating reports on classes of vulnerabilities found in a software project. Our tool performs all tests in a snapshot (stateless) virtual machine to be able to have reproducible tests in an environment similar to the deployment environment. This paper introduces the design and implementation of a tool for security-focused continuous integration. The test cases used demonstrate the ability of the tool to effectively uncover security vulnerabilities even in open source software products such as ImageMagick and a smart grid application, Emoncms.

show abstract

Section: Qemu-kvmmentioning

confidence: 99%

Design and Implementation of SFCI: A Tool for Security Focused Continuous Integration

Lescisin

Mahmoud

Cioraca³

2019

Computers

View full text Add to dashboard Cite

show abstract

“…Assurance Case Analysis has been performed to verify that devised tactics fully address second and third security requirement of the CDP. (Gruhn et al, 2013) analyse CI from the security perspective to identify possible security threats. This study relates to our work as it also identifies a class of threats related to build server.…”

Section: Related Workmentioning

confidence: 99%

“…Utilizing VM plug-in in Jenkins protects VM from outside malicious access (Gruhn et al, 2013). Every time a Jenkins is asked to build, it fires up a VM with a Jenkins inside it.…”

Section: Clean CI Server Vm Imagementioning

confidence: 99%

“…From these findings, it can be extracted that CDP is subjected to a vast majority of security threats. In existing literature, some studies (Bass et al, 2015 focus on access control while some (Gruhn et al, 2013) focus on virtualization for securing build server. Our approach leverages both access control measures and virtualization for securing the pipeline.…”

Section: Related Workmentioning

confidence: 99%

See 1 more Smart Citation

Security Support in Continuous Deployment Pipeline

Ullah

Raft

Shahin

et al. 2017

Proceedings of the 12th International Conference on Evaluation of Novel Approaches to Software Engineering

View full text Add to dashboard Cite

Abstract:Continuous Deployment (CD) has emerged as a new practice in the software industry to continuously and automatically deploy software changes into production. Continuous Deployment Pipeline (CDP) supports CD practice by transferring the changes from the repository to production. Since most of the CDP components run in an environment that has several interfaces to the Internet, these components are vulnerable to various kinds of malicious attacks. This paper reports our work aimed at designing secure CDP by utilizing security tactics. We have demonstrated the effectiveness of five security tactics in designing a secure pipeline by conducting an experiment on two CDPs-one incorporates security tactics while the other does not. Both CDPs have been analysed qualitatively and quantitatively. We used assurance cases with goal-structured notations for qualitative analysis. For quantitative analysis, we used penetration tools. Our findings indicate that the applied tactics improve the security of the major components (i.e., repository, continuous integration server, main server) of a CDP by controlling access to the components and establishing secure connections.

show abstract

“…Similarly to the latter work, lean GHTorrent provides elements of GITHUB. However, GITHUB is a repository of repositories [20] or meta repository [11] and, therefore, its elements are repositories themselves. Meta repositories, including lean GHTorrent, provide for cross-domain analysis [20].…”

Section: Related Workmentioning

confidence: 99%

Lean GHTorrent: GitHub data on demand

Gousios

Vasilescu

Serebrenik

et al. 2014

Proceedings of the 11th Working Conference on Mining Software Repositories

122

View full text Add to dashboard Cite

In recent years, GITHUB has become the largest code host in the world, with more than 5M developers collaborating across 10M repositories. Numerous popular open source projects (such as Ruby on Rails, Homebrew, Bootstrap, Django or jQuery) have chosen GITHUB as their host and have migrated their code base to it. GITHUB offers a tremendous research potential. For instance, it is a flagship for current open source development, a place for developers to showcase their expertise to peers or potential recruiters, and the platform where social coding features or pull requests emerged. However, GITHUB data is, to date, largely underexplored. To facilitate studies of GITHUB, we have created GHTorrent, a scalable, queriable, offline mirror of the data offered through the GITHUB REST API. In this paper we present a novel feature of GHTorrent designed to offer customisable data dumps on demand. The new GHTorrent data-on-demand service offers users the possibility to request via a web form up-to-date GHTorrent data dumps for any collection of GITHUB repositories. We hope that by offering customisable GHTorrent data dumps we will not only lower the "barrier for entry" even further for researchers interested in mining GITHUB data (thus encourage researchers to intensify their mining efforts), but also enhance the replicability of GITHUB studies (since a snapshot of the data on which the results were obtained can now easily accompany each study).

show abstract

Security of public continuous integration services

Cited by 16 publications

References 17 publications

Design and Implementation of SFCI: A Tool for Security Focused Continuous Integration

Design and Implementation of SFCI: A Tool for Security Focused Continuous Integration

Security Support in Continuous Deployment Pipeline

Lean GHTorrent: GitHub data on demand

Contact Info

Product

Resources

About