Security Support in Continuous Deployment Pipeline

Faheem Ullah, Adam Johannes Raft, Mojtaba Shahin, Mansooreh Zahedi, Muhammad Ali Babar

2017

Abstract

Continuous Deployment (CD) has emerged as a new practice in the software industry to continuously and automatically deploy software changes into production. A Continuous Deployment Pipeline (CDP) supports the CD practice by transferring the changes from the repository to production. Since most of the CDP components run in an environment that has several interfaces to the Internet, these components are vulnerable to various kinds of malicious attacks. This paper reports our work aimed at designing a secure CDP by utilizing security tactics. We have demonstrated the effectiveness of five security tactics in designing a secure pipeline by conducting an experiment on two CDPs: one incorporates security tactics while the other does not. Both CDPs have been analysed qualitatively and quantitatively. We used assurance cases with goal-structured notations for qualitative analysis. For quantitative analysis, we used penetration tools. Our findings indicate that the applied tactics improve the security of the major components (i.e., repository, continuous integration server, main server) of a CDP by controlling access to the components and establishing secure connections.



Paper Citation


in Harvard Style

Ullah F., Raft A., Shahin M., Zahedi M. and Ali Babar M. (2017). Security Support in Continuous Deployment Pipeline. In Proceedings of the 12th International Conference on Evaluation of Novel Approaches to Software Engineering - Volume 1: ENASE, ISBN 978-989-758-250-9, pages 57-68. DOI: 10.5220/0006318200570068


in Bibtex Style

@conference{enase17,
author={Faheem Ullah and Adam Johannes Raft and Mojtaba Shahin and Mansooreh Zahedi and Muhammad Ali Babar},
title={Security Support in Continuous Deployment Pipeline},
booktitle={Proceedings of the 12th International Conference on Evaluation of Novel Approaches to Software Engineering - Volume 1: ENASE},
year={2017},
pages={57-68},
publisher={SciTePress},
organization={INSTICC},
doi={10.5220/0006318200570068},
isbn={978-989-758-250-9},
}


in EndNote Style

TY - CONF
JO - Proceedings of the 12th International Conference on Evaluation of Novel Approaches to Software Engineering - Volume 1: ENASE
TI - Security Support in Continuous Deployment Pipeline
SN - 978-989-758-250-9
AU - Ullah F.
AU - Raft A.
AU - Shahin M.
AU - Zahedi M.
AU - Ali Babar M.
PY - 2017
SP - 57
EP - 68
DO - 10.5220/0006318200570068