Enterprise-Driven Open Source Software: A Case Study on Security Automation

02/10/2021
by   Florian Angermeir, et al.
0

Agile and DevOps are widely adopted by the industry. Hence, integrating security activities with industrial practices, such as continuous integration (CI) pipelines, is necessary to detect security flaws and adhere to regulators' demands early. In this paper, we analyze automated security activities in CI pipelines of enterprise-driven open source software (OSS). This shall allow us, in the long-run, to better understand the extent to which security activities are (or should be) part of automated pipelines. In particular, we mine publicly available OSS repositories and survey a sample of project maintainers to better understand the role that security activities and their related tools play in their CI pipelines. To increase transparency and allow other researchers to replicate our study (and to take different perspectives), we further disclose our research artefacts. Our results indicate that security activities in enterprise-driven OSS projects are scarce and protection coverage is rather low. Only 6.83 their CI pipelines, even though maintainers consider security to be rather important. This alerts industry to keep the focus on vulnerabilities of 3rd Party software and it opens space for other improvements of practice which we outline in this manuscript.

READ FULL TEXT

page 1

page 2

page 3

page 4

research
05/27/2021

Integration of Security Standards in DevOps Pipelines: An Industry Case Study

In the last decade, companies adopted DevOps as a fast path to deliver s...
research
03/14/2021

On the combination of static analysis for software security assessment – a case study of an open-source e-government project

Static Application Security Testing (SAST) is a popular quality assuranc...
research
08/06/2022

PREPRINT: Can the OpenSSF Scorecard be used to measure the security posture of npm and PyPI?

The OpenSSF Scorecard project is an automated tool to monitor the securi...
research
11/14/2022

Jenkins Pipelines: A Novel Approach to Machine Learning Operations (MLOps)

Machine Learning is a widely popular field that is being used in an incr...
research
04/19/2022

Using a Semantic Knowledge Base to Improve the Management of Security Reports in Industrial DevOps Projects

Integrating security activities into the software development lifecycle ...
research
09/03/2020

The Sound of Silence: Mining Security Vulnerabilities from Secret Integration Channels in Open-Source Projects

Public development processes are a key characteristic of open source pro...
research
03/29/2023

Analyzing the Effects of CI/CD on Open Source Repositories in GitHub and GitLab

Numerous articles emphasize the benefits of implementing Continuous Inte...

Please sign up or login with your details

Forgot password? Click here to reset