Stoffers, Martin and Kurnatowski, Lynn and Sonnekalb, Tim and Schreiber, Andreas (2021) Automated, Provenance-Driven Security Audit for git-Based Repositories. In: Software Product Assurance Workshop. Software Product Assurance Workshop, 2021-10-05 - 2021-10-07, Online.
PDF (3MB) - Only accessible within DLR
Abstract
Software repositories contain much information besides the source code itself. For Open Source and Inner Source projects, the team composition and development process are transparent and traceable and can be evaluated at any point in time, for example by continuous, automated analysis with regard to security. Software development is a highly complex process involving a wide range of responsibilities and people; in addition, the complexity of the software itself grows over time. To cope with this, different tools are used to support the development process, and during the entire development process these support tools produce several types of data. These large amounts of data, which are generated before, during, and after the development of a piece of software, can be analyzed using provenance. Provenance analysis focusing on the development of software projects provides insight into the interactions of people, which can fall into different categories. To analyze the development process, we extract retrospective provenance from repositories and store it in a graph database for further analysis. For conducting a security analysis of software and its development process, we integrate the extracted provenance information with bugs or vulnerabilities as reported by static analysis tools. To this end, we consider individual commit snapshots in the history of the software repositories. Depending on the respective repository, we run certain static analysis tools on a snapshot, track their reported findings and save them into a database for later analysis. The tools' findings are interlinked with the provenance information via the respective snapshot's commit operations. The combined information then allows various questions about the development process, and about how security has been addressed, to be researched.
For instance:

- Classical hypotheses of empirical software engineering, such as a correlation between repository metrics like code churn and the number of found vulnerabilities or bugs, can be tested.
- The usage of static analysis tools can be investigated, answering questions such as how effective certain tools -- or combinations thereof -- were in uncovering bugs or vulnerabilities, or how understandable and usable their reports were.
- Characteristics of the vulnerability management in the development process can be analyzed quantitatively, using metrics like mean time to fix, or qualitatively, using fault tree analysis.

We apply our method to various software projects -- especially internal projects in aerospace and Open Source software of social relevance -- where security of the software product is essential. This includes developing tools and visualizations for developers to investigate how software is developed, the processes used, and the details of how security issues are identified and fixed.
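The interlinking step the abstract describes, as an added illustration that is not the authors' tooling: each static-analysis finding is attributed to the commit whose snapshot first reports it and to the first later commit whose snapshot no longer does, and from those links the mean time to fix and the per-commit churn/new-findings pairs are derived. The commit ids, authors, rule names and dates are constructed placeholders.

```python
from collections import Counter
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed sample history: one snapshot per commit, with the finding ids a
# static analysis tool reported on that snapshot (all values are placeholders).
@dataclass(frozen=True)
class Snapshot:
    commit: str
    author: str
    when: datetime
    churn: int              # lines added + removed by this commit
    findings: frozenset     # "rule:file:line" ids reported on this snapshot

T0 = datetime(2021, 10, 1)
HISTORY = [
    Snapshot("c1", "alice", T0, 120, frozenset({"cmd-injection:a.py:10"})),
    Snapshot("c2", "bob", T0 + timedelta(days=2), 400,
             frozenset({"cmd-injection:a.py:10", "sql-injection:db.py:42"})),
    Snapshot("c3", "alice", T0 + timedelta(days=3), 30,
             frozenset({"sql-injection:db.py:42"})),
    Snapshot("c4", "carol", T0 + timedelta(days=7), 15, frozenset()),
]

def link_findings(history):
    """Map each finding to (introducing snapshot, fixing snapshot or None):
    introduced = first snapshot reporting it, fixed = first later snapshot
    no longer reporting it. Snapshots must be in commit order."""
    links, previous = {}, frozenset()
    for snap in history:
        for f in snap.findings - previous:     # newly reported in this snapshot
            links[f] = [snap, None]
        for f in previous - snap.findings:     # reported before, gone now
            links[f][1] = snap
        previous = snap.findings
    return {f: tuple(pair) for f, pair in links.items()}

def mean_time_to_fix_days(links):
    """Mean time between introducing and fixing commit, in days, over fixed findings."""
    spans = [fixed.when - intro.when for intro, fixed in links.values() if fixed]
    if not spans:
        return 0.0
    return sum(spans, timedelta()).total_seconds() / 86400 / len(spans)

def churn_vs_new_findings(history, links):
    """Per-commit (commit, churn, findings introduced): raw pairs for the churn hypothesis."""
    introduced = Counter(intro.commit for intro, _ in links.values())
    return [(s.commit, s.churn, introduced[s.commit]) for s in history]
```

The same links answer the qualitative questions too, since each fixing snapshot carries the author and time of the commit that removed the finding.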
| Field | Value |
|---|---|
| Item URL in elib | https://elib.dlr.de/144724/ |
| Document Type | Conference or Workshop Item (Speech) |
| Title | Automated, Provenance-Driven Security Audit for git-Based Repositories |
| Authors | Stoffers, Martin; Kurnatowski, Lynn; Sonnekalb, Tim; Schreiber, Andreas |
| Date | 5 October 2021 |
| Journal or Publication Title | Software Product Assurance Workshop |
| Refereed publication | No |
| Open Access | No |
| Gold Open Access | No |
| In SCOPUS | No |
| In ISI Web of Science | No |
| Status | Accepted |
| Keywords | Provenance, Secure Software Engineering, Security Audit, Repository Mining |
| Event Title | Software Product Assurance Workshop |
| Event Location | Online |
| Event Type | Workshop |
| Event Start Date | 5 October 2021 |
| Event End Date | 7 October 2021 |
| Organizer | European Space Agency (ESA) |
| HGF - Research field | Aeronautics, Space and Transport |
| HGF - Program | Space |
| HGF - Program Themes | Space System Technology |
| DLR - Research area | Raumfahrt |
| DLR - Program | R SY - Space System Technology |
| DLR - Research theme (Project) | R - Secure Software Technology, R - Analytics and visualization of large space software systems |
| Location | Jena, Köln-Porz, Oberpfaffenhofen |
| Institutes and Institutions | Institute of Software Technology > Intelligent and Distributed Systems; Institute of Data Science > Secure Digital Systems; Institute of Software Technology |
| Deposited By | Stoffers, Martin |
| Deposited On | 27 Oct 2021 21:37 |
| Last Modified | 24 Apr 2024 20:44 |