
Automated, Provenance-Driven Security Audit for git-Based Repositories

Stoffers, Martin and Kurnatowski, Lynn and Sonnekalb, Tim and Schreiber, Andreas (2021) Automated, Provenance-Driven Security Audit for git-Based Repositories. In: Software Product Assurance Workshop. Software Product Assurance Workshop, 5-7 October 2021, Online.

PDF (3 MB) - Only accessible within DLR

Abstract

Software repositories contain much information besides the source code itself. For Open Source and Inner Source projects, the team composition and the development process are transparent and traceable, and they can be evaluated at any point in time, for example by continuous, automated analysis with regard to security. Software development is a highly complex process involving a wide range of responsibilities and people, and the complexity of the software itself grows over time. To cope with this, different tools are used to support the development process, and throughout that process these support tools produce several types of data. These large amounts of data, generated before, during, and after the development of a software system, can be analyzed using provenance. Provenance analysis focused on the development of software projects provides insight into the interactions of people, which fall into different categories. To analyze the development process, we extract retrospective provenance from repositories and store it in a graph database for further analysis. To conduct a security analysis of the software and its development process, we integrate the extracted provenance information with the bugs or vulnerabilities reported by static analysis tools. For this we consider individual commit snapshots in the history of the software repositories: depending on the respective repository, we run certain static analysis tools on a snapshot, track their reported findings, and save them into a database for later analysis. The tools' findings are interlinked with the provenance information via the code commit operations that produced the respective snapshot. The combined information then allows various questions about the development process, and about how security has been addressed, to be investigated. For instance:

- Classical hypotheses of empirical software engineering, such as a correlation between repository metrics like code churn and the number of vulnerabilities or bugs found, can be tested.
- The usage of static analysis tools can be investigated, answering questions such as how effective certain tools (or combinations thereof) were in uncovering bugs or vulnerabilities, or how understandable and usable their reports were.
- Characteristics of the vulnerability management in the development process can be analyzed quantitatively, using metrics like mean time to fix, or qualitatively, using fault tree analysis.

We apply our method to various software projects, especially internal projects in aerospace and Open Source software of social relevance, where the security of the software product is essential. This includes developing tools and visualizations that let developers investigate how software is developed, the processes used, and the details of how security issues are identified and fixed.
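The linkage the abstract describes, shown as an added example: commits become provenance activities, each snapshot an entity generated by its commit, static-analysis findings entities derived from the snapshot they were reported on, and the two metrics named above (churn-versus-findings correlation and mean time to fix) are then computed over the combined graph. This is illustrative code written for this page, not the authors' tooling or the graph database they use; the PROV-style relation names, the three-commit history, the author names and the Bandit-style rule IDs are all constructed for the example. One simplification a practitioner should note: findings are matched across snapshots by tool, rule, file and line, so a line shift from an unrelated edit would look like a fix plus a new finding; a real pipeline needs a fingerprint that is robust to that.

```python
# Added example (not the paper's tooling): a PROV-style graph linking commits,
# snapshots and static-analysis findings, with two of the abstract's metrics.
from dataclasses import dataclass
from datetime import datetime, timedelta
from math import sqrt


@dataclass(frozen=True)
class Commit:
    sha: str
    author: str
    time: datetime
    parents: tuple
    churn: int  # lines added + lines deleted, as a repository-mining tool would report it


@dataclass(frozen=True)
class Finding:
    tool: str   # constructed labels; the rule IDs used below follow Bandit's naming
    rule: str
    path: str
    line: int

    def key(self) -> str:
        # Simplification: same tool/rule/file/line == same finding across snapshots.
        return f"{self.tool}:{self.rule}:{self.path}:{self.line}"


class ProvGraph:
    """Typed nodes plus (source, relation, target) edges; PROV relation names assumed."""

    def __init__(self):
        self.nodes = {}
        self.edges = []

    def add_commit(self, c: Commit):
        act, snap = f"activity:commit:{c.sha}", f"entity:snapshot:{c.sha}"
        self.nodes[act] = {"type": "activity", "time": c.time, "churn": c.churn}
        self.nodes.setdefault(f"agent:{c.author}", {"type": "agent"})
        self.edges.append((act, "wasAssociatedWith", f"agent:{c.author}"))
        for p in c.parents:  # history order is kept as activity-to-activity links
            self.edges.append((act, "wasInformedBy", f"activity:commit:{p}"))
        self.nodes[snap] = {"type": "entity"}
        self.edges.append((snap, "wasGeneratedBy", act))

    def add_findings(self, sha: str, findings):
        """Attach what a static-analysis run reported on the snapshot of `sha`."""
        for f in findings:
            node = f"entity:finding:{f.key()}"
            self.nodes.setdefault(node, {"type": "entity", "tool": f.tool, "rule": f.rule})
            self.edges.append((node, "wasDerivedFrom", f"entity:snapshot:{sha}"))

    def commits_in_order(self):
        acts = sorted((v["time"], k) for k, v in self.nodes.items() if v["type"] == "activity")
        return [k.rsplit(":", 1)[1] for _, k in acts]

    def findings_at(self, sha: str) -> set:
        snap = f"entity:snapshot:{sha}"
        return {s for s, rel, t in self.edges if rel == "wasDerivedFrom" and t == snap}


def findings_per_snapshot(g: ProvGraph) -> dict:
    return {sha: len(g.findings_at(sha)) for sha in g.commits_in_order()}


def churn_findings_correlation(g: ProvGraph) -> float:
    """Pearson r between a commit's churn and the number of findings on its snapshot."""
    xs, ys = [], []
    for sha in g.commits_in_order():
        xs.append(g.nodes[f"activity:commit:{sha}"]["churn"])
        ys.append(len(g.findings_at(sha)))
    mx, my = sum(xs) / len(xs), sum(ys) / len(ys)
    cov = sum((x - mx) * (y - my) for x, y in zip(xs, ys))
    norm = sqrt(sum((x - mx) ** 2 for x in xs) * sum((y - my) ** 2 for y in ys))
    return cov / norm if norm else 0.0


def mean_time_to_fix(g: ProvGraph):
    """Hours from the first snapshot reporting a finding to the first later snapshot
    without it. Returns (mean hours over fixed findings, number still open)."""
    first_seen, hours = {}, []
    for sha in g.commits_in_order():
        t, current = g.nodes[f"activity:commit:{sha}"]["time"], g.findings_at(sha)
        for node in [n for n in first_seen if n not in current]:
            hours.append((t - first_seen.pop(node)).total_seconds() / 3600)
        for node in current:
            first_seen.setdefault(node, t)
    return (sum(hours) / len(hours) if hours else 0.0), len(first_seen)


def build_sample_graph() -> ProvGraph:
    """Constructed three-commit history with invented findings, for illustration only."""
    g = ProvGraph()
    t0 = datetime(2021, 10, 1)
    for c in (Commit("a1", "alice", t0, (), 200),
              Commit("b2", "bob", t0 + timedelta(days=1), ("a1",), 100),
              Commit("c3", "alice", t0 + timedelta(days=3), ("b2",), 100)):
        g.add_commit(c)
    sqli = Finding("bandit", "B608", "app/db.py", 42)    # SQL assembled by string formatting
    shell = Finding("bandit", "B602", "app/run.py", 10)  # subprocess call with shell=True
    yload = Finding("bandit", "B506", "app/cfg.py", 7)   # yaml.load without a safe Loader
    g.add_findings("a1", [sqli, shell])
    g.add_findings("b2", [sqli])          # shell fixed in b2
    g.add_findings("c3", [yload])         # sqli fixed in c3, yload introduced
    return g


if __name__ == "__main__":
    g = build_sample_graph()
    print(findings_per_snapshot(g))                 # {'a1': 2, 'b2': 1, 'c3': 1}
    print(round(churn_findings_correlation(g), 3))  # 1.0
    print(mean_time_to_fix(g))                      # (48.0, 1)
```

On the constructed history the correlation comes out at exactly 1.0 only because the churn values were chosen proportional to the finding counts; with three data points that says nothing, and the same function over a real repository should be read together with the number of snapshots. The open-findings count returned alongside the mean is what keeps the mean-time-to-fix honest: a project that never fixes anything has an undefined mean, not a good one.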

Item URL in elib: https://elib.dlr.de/144724/
Document Type: Conference or Workshop Item (Speech)
Title: Automated, Provenance-Driven Security Audit for git-Based Repositories
Authors (name | e-mail | ORCID iD):
  Stoffers, Martin | martin.stoffers (at) dlr.de | https://orcid.org/0000-0003-2987-4345
  Kurnatowski, Lynn | Lynn.Kurnatowski (at) dlr.de | https://orcid.org/0000-0001-5144-702X
  Sonnekalb, Tim | tim.sonnekalb (at) dlr.de | https://orcid.org/0000-0002-0067-1790
  Schreiber, Andreas | andreas.schreiber (at) dlr.de | https://orcid.org/0000-0001-5750-5649
Date: 5 October 2021
Journal or Publication Title: Software Product Assurance Workshop
Refereed publication: No
Open Access: No
Gold Open Access: No
In SCOPUS: No
In ISI Web of Science: No
Status: Accepted
Keywords: Provenance, Secure Software Engineering, Security Audit, Repository Mining
Event Title: Software Product Assurance Workshop
Event Location: Online
Event Type: Workshop
Event Dates: 5-7 October 2021
Organizer: European Space Agency (ESA)
HGF - Research field: Aeronautics, Space and Transport
HGF - Program: Space
HGF - Program Themes: Space System Technology
DLR - Research area: Space (Raumfahrt)
DLR - Program: R SY - Space System Technology
DLR - Research theme (Project): R - Secure Software Technology, R - Analytics and visualization of large space software systems
Location: Jena, Köln-Porz, Oberpfaffenhofen
Institutes and Institutions:
  Institute for Software Technology > Intelligent and Distributed Systems
  Institute of Data Science > Secure Digital Systems
  Institute for Software Technology
Deposited By: Stoffers, Martin
Deposited On: 27 Oct 2021 21:37
Last Modified: 27 Oct 2021 21:37

