
Automated, Provenance-Driven Security Audit for git-Based Repositories

Stoffers, Martin and Kurnatowski, Lynn and Sonnekalb, Tim and Schreiber, Andreas (2021) Automated, Provenance-Driven Security Audit for git-Based Repositories. In: Software Product Assurance Workshop. Software Product Assurance Workshop, 2021-10-05 - 2021-10-07, Online.

PDF - DLR-internal access only (3MB)

Abstract

Software repositories contain much information besides the source code itself. For Open Source and Inner Source projects, the team composition and development process are transparent and traceable and can be evaluated at any point in time, for example by continuous, automated analysis with regard to security. Software development is a highly complex process involving a wide range of responsibilities and people, and the complexity of the software itself grows over time. To cope with this, different tools are used to support the development process, and during the entire development process all of these support tools produce several types of data. These large amounts of data, generated before, during, and after the development of a software product, can be analyzed using provenance. Provenance analysis focused on the development of software projects provides insight into the interactions of people, which fall into different categories. To analyze the development process, we extract retrospective provenance from repositories and store it in a graph database for further analysis. To conduct a security analysis of the software and its development process, we integrate the extracted provenance information with bugs or vulnerabilities as reported by static analysis tools. To do so, we consider individual commit snapshots in the history of the software repositories. Depending on the respective repository, we run certain static analysis tools on a snapshot, track their reported findings and save them in a database for later analysis. The tools' findings are interlinked with the provenance information via the respective snapshot's commit operations. The combined information then allows various questions to be asked about the development process and how security has been addressed. For instance:
- Classical hypotheses of empirical software engineering, such as the correlation between repository metrics like code churn and the number of vulnerabilities or bugs found, can be tested.
- The usage of static analysis tools can be investigated, answering questions such as how effective certain tools (or combinations thereof) were in uncovering bugs or vulnerabilities, or how understandable and usable their reports were.
- Characteristics of the vulnerability management in the development process can be analyzed quantitatively, using metrics like mean time to fix, or qualitatively, using fault tree analysis.

We apply our method to various software projects, especially internal projects in aerospace and Open Source software of social relevance, where security of the software product is essential. This includes developing tools and visualizations for developers to investigate how software is developed, the processes used, and the details of how security issues are identified and fixed.
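As an added illustration (not code from the paper or its authors), the following Python sketch links analyzer findings to commit snapshots through provenance edges, derives each finding's introducing and fixing commit, and computes the mean time to fix and the churn-versus-findings pairs named above. The commit shas, authors, timestamps, churn values and rule fingerprints are constructed, and the analyzer they stand in for is hypothetical.

```python
from dataclasses import dataclass
from datetime import datetime
from statistics import mean

@dataclass(frozen=True)
class Commit:  # one repository snapshot; a constructed stand-in for git commit metadata
    sha: str
    parent: "str | None"
    author: str
    when: datetime
    churn: int           # lines added + removed relative to the parent snapshot
    findings: frozenset  # fingerprints a (hypothetical) static analyzer reported on this snapshot

def build_provenance(history):
    """PROV-style edges: snapshot -> author, snapshot -> parent, finding -> reporting snapshot."""
    edges = []
    for c in history:
        edges.append((c.sha, "wasAttributedTo", c.author))
        edges += [(c.sha, "wasDerivedFrom", c.parent)] if c.parent else []
        edges += [(f, "wasGeneratedBy", c.sha) for f in sorted(c.findings)]
    return edges

def finding_lifetimes(history):
    """Map fingerprint -> [introducing sha, fixing sha or None]; history is oldest first."""
    life = {}
    for prev, cur in zip([None] + history[:-1], history):
        before = prev.findings if prev else frozenset()
        for f in cur.findings - before:  # first reported in this snapshot
            life[f] = [cur.sha, None]
        for f in before - cur.findings:  # no longer reported: treated as fixed here
            life[f][1] = cur.sha
    return life

def mean_time_to_fix(history):
    """Mean hours between a finding's introducing and fixing snapshots (None if nothing was fixed)."""
    by_sha = {c.sha: c for c in history}
    hours = [(by_sha[fix].when - by_sha[intro].when).total_seconds() / 3600
             for intro, fix in finding_lifetimes(history).values() if fix]
    return mean(hours) if hours else None

def churn_vs_new_findings(history):
    """(churn, newly introduced findings) per snapshot: raw data for the code-churn hypothesis."""
    intros = [intro for intro, _ in finding_lifetimes(history).values()]
    return [(c.churn, intros.count(c.sha)) for c in history]

HISTORY = [  # constructed sample, oldest first; shas, authors, timestamps and fingerprints are made up
    Commit("c1", None, "alice", datetime(2021, 10, 1, 0), 120, frozenset({"ruleA:src/a.py:10"})),
    Commit("c2", "c1", "bob", datetime(2021, 10, 1, 6), 40, frozenset({"ruleA:src/a.py:10", "ruleB:src/b.py:3"})),
    Commit("c3", "c2", "alice", datetime(2021, 10, 2, 6), 15, frozenset({"ruleB:src/b.py:3"})),
    Commit("c4", "c3", "bob", datetime(2021, 10, 3, 6), 8, frozenset()),
]
```

A finding that disappears and later reappears is tracked by its latest appearance only; a real pipeline would also key fingerprints on content rather than line numbers so that unrelated edits do not look like fixes.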

elib URL of the record: https://elib.dlr.de/144724/
Document type: Conference contribution (talk)
Title: Automated, Provenance-Driven Security Audit for git-Based Repositories
Authors (name; institution or e-mail address; ORCID iD; ORCID put code):
Stoffers, Martin; martin.stoffers (at) dlr.de; https://orcid.org/0000-0003-2987-4345; not specified
Kurnatowski, Lynn; Lynn.Kurnatowski (at) dlr.de; https://orcid.org/0000-0001-5144-702X; not specified
Sonnekalb, Tim; tim.sonnekalb (at) dlr.de; https://orcid.org/0000-0002-0067-1790; not specified
Schreiber, Andreas; andreas.schreiber (at) dlr.de; https://orcid.org/0000-0001-5750-5649; not specified
Date: 5 October 2021
Published in: Software Product Assurance Workshop
Refereed publication: No
Open Access: No
Gold Open Access: No
In SCOPUS: No
In ISI Web of Science: No
Status: accepted contribution
Keywords: Provenance, Secure Software Engineering, Security Audit, Repository Mining
Event title: Software Product Assurance Workshop
Event location: Online
Event type: Workshop
Event start: 5 October 2021
Event end: 7 October 2021
Organizer: European Space Agency (ESA)
HGF - Research area: Aeronautics, Space and Transport
HGF - Programme: Space
HGF - Programme theme: Space systems technology
DLR - Focus area: Space
DLR - Research area: R SY - Space systems technology
DLR - Sub-area (project): R - Secure software engineering, R - Analytics and visualization of large space software systems
Location: Jena, Köln-Porz, Oberpfaffenhofen
Institutes & facilities: Institut für Softwaretechnologie > Intelligente und verteilte Systeme; Institut für Datenwissenschaften > Sichere Digitale Systeme; Institut für Softwaretechnologie
Deposited by: Stoffers, Martin
Deposited on: 27 Oct 2021 21:37
Last modified: 24 Apr 2024 20:44

