Stoffers, Martin and Kurnatowski, Lynn and Sonnekalb, Tim and Schreiber, Andreas (2021) Automated, Provenance-Driven Security Audit for git-Based Repositories. In: Software Product Assurance Workshop. Software Product Assurance Workshop, 2021-10-05 - 2021-10-07, Online.
PDF (3 MB) - only accessible within DLR
Abstract
Software repositories contain much information besides the source code itself. For Open Source and Inner Source projects, the team composition and development process are transparent and traceable and can be evaluated at any point in time, for example by continuous, automated analysis with regard to security. Software development is a highly complex process involving a wide range of responsibilities and people. In addition, the complexity of the software itself grows over time. To cope with this, different tools are used to support the development process. During the entire software development process, all these support tools produce several types of data. These large amounts of data, which are generated before, during, and after the development of a software product, can be analyzed using provenance. Provenance analysis focusing on the development of software projects provides insight into the interactions of people; these interactions can fall into different categories. To analyze the development process, we extract retrospective provenance from repositories and store it in a graph database for further analysis. For conducting a security analysis of software and its development process, we integrate the extracted provenance information with bugs or vulnerabilities as reported by static analysis tools. We therefore consider individual commit snapshots in the history of the software repositories. Depending on the respective repository, we run certain static analysis tools on a snapshot, track their reported findings and save them into a database for later analysis. The tools' findings are interlinked with provenance information via the respective snapshot's code commit operations. The combined information then allows various questions about the development process, and about how security has been addressed, to be investigated.
For instance:
- Classical hypotheses of empirical software engineering, such as the correlation between repository metrics like code churn and the number of vulnerabilities or bugs found, can be tested.
- The usage of static analysis tools can be investigated, answering questions like how effective certain tools -- or combinations thereof -- were in uncovering bugs or vulnerabilities, or how understandable and usable their reports were.
- Characteristics of the vulnerability management in the development process can be analyzed quantitatively, using metrics like mean time to fix, or qualitatively, using fault tree analysis.

We apply our method to various software projects -- especially internal projects in aerospace and Open Source software of social relevance -- where security of the software product is essential. This includes developing tools and visualizations for developers to investigate how software is developed, the processes used, and the details around how security issues are identified and fixed.
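As an added illustration (not code from the paper or its tooling) of the linking step the abstract describes: constructed commit snapshots carry provenance (author, time, churn) together with the findings static analysis tools reported on each snapshot, and from that interlinked record the lifetime of each finding, the mean time to fix and the churn-versus-new-findings data are derived. The `Snapshot` model, the (tool, rule, file) finding key and the four-commit history are assumptions of the example.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from statistics import mean

# Commit snapshot with its provenance (author, time, churn) and the findings
# static analysis tools reported on it, keyed (tool, rule, file) so a finding
# can be followed across snapshots. Assumed model, not the paper's schema.
@dataclass
class Snapshot:
    sha: str
    author: str
    time: datetime
    churn: int  # lines added + removed in this commit
    findings: set = field(default_factory=set)

# Constructed history (not from the paper): four commits, two findings.
T0 = datetime(2021, 10, 1)
B602 = ("bandit", "B602", "run.py")
SQLI = ("semgrep", "sqli", "db.py")
HISTORY = [
    Snapshot("c1", "alice", T0, 120, {B602}),
    Snapshot("c2", "bob", T0 + timedelta(days=1), 40, {B602, SQLI}),
    Snapshot("c3", "alice", T0 + timedelta(days=3), 15, {SQLI}),
    Snapshot("c4", "carol", T0 + timedelta(days=7), 300, set()),
]

def finding_lifetimes(history):
    """Finding -> (introducing, fixing) snapshot for every finding that was
    first reported by one snapshot and no longer reported by a later one."""
    open_since, fixed = {}, {}
    for snap in history:
        for f in snap.findings:
            open_since.setdefault(f, snap)  # first report introduces it
        for f in list(open_since):
            if f not in snap.findings:  # first absence counts as the fix
                fixed[f] = (open_since.pop(f), snap)
    return fixed

def mean_time_to_fix_days(history):
    """Mean days between introducing and fixing commit; None if nothing fixed."""
    life = finding_lifetimes(history).values()
    return mean((fix.time - intro.time).days for intro, fix in life) if life else None

def churn_vs_new_findings(history):
    """Per commit (sha, churn, findings first reported there), for the churn hypothesis."""
    seen, rows = set(), []
    for snap in history:
        rows.append((snap.sha, snap.churn, len(snap.findings - seen)))
        seen |= snap.findings
    return rows
```

Because each fix is attributed to a snapshot, the fixing author and time come for free from the provenance record, which is what a "who fixed what, how fast" question on the development process needs.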
| Field | Value |
|---|---|
| elib URL of the entry: | https://elib.dlr.de/144724/ |
| Document type: | Conference contribution (talk) |
| Title: | Automated, Provenance-Driven Security Audit for git-Based Repositories |
| Authors: | Stoffers, Martin; Kurnatowski, Lynn; Sonnekalb, Tim; Schreiber, Andreas |
| Date: | 5 October 2021 |
| Published in: | Software Product Assurance Workshop |
| Refereed publication: | No |
| Open Access: | No |
| Gold Open Access: | No |
| In SCOPUS: | No |
| In ISI Web of Science: | No |
| Status: | accepted contribution |
| Keywords: | Provenance, Secure Software Engineering, Security Audit, Repository Mining |
| Event title: | Software Product Assurance Workshop |
| Event location: | Online |
| Event type: | Workshop |
| Event start: | 5 October 2021 |
| Event end: | 7 October 2021 |
| Organizer: | European Space Agency (ESA) |
| HGF research field: | Aeronautics, Space and Transport |
| HGF programme: | Space |
| HGF programme topic: | Space Systems Technology |
| DLR focus area: | Space |
| DLR research area: | R SY - Space Systems Technology |
| DLR sub-area (project): | R - Secure Software Engineering, R - Analytics and Visualization of Large Space Software Systems |
| Location: | Jena, Köln-Porz, Oberpfaffenhofen |
| Institutes & facilities: | Institute of Software Technology > Intelligent and Distributed Systems; Institute of Data Science > Secure Digital Systems; Institute of Software Technology |
| Deposited by: | Stoffers, Martin |
| Deposited on: | 27 Oct 2021 21:37 |
| Last modified: | 24 Apr 2024 20:44 |