Workshop on Advances in Secure Software Deployments
  • Date
    Aug 02, 2024
  • Location
  • Duration
    11:00 — 12:30
Workshops Lettering

Workshop Chairs

Workshop Chairs Logo Workshop Chairs Logo
  • → Jose Andre Morales
  • → Hasan Yasar

Accepted Paper

SoK: Automated Software Testing for TLS Libraries
Ben Swierzy (University of Bonn, Germany), Felix Boes (University of Bonn, Germany), Timo Pohl (University of Bonn, Germany), Christian Bungartz (University of Bonn, Germany), Michael Meier (University of Bonn, Fraunhofer FKIE, Germany)
Sok Paper
Reusable software components, typically integrated as libraries, are a central paradigm of modern software development. 
By incorporating a library into their software, developers trust in its quality and its correct and complete implementation.
Since errors in a library affect all applications using it, there is a need for quality assurance tools such as automated testing that can be used by library and application developers to verify the functionality.
In the past decade, many different systems have been published that focus on the automated analysis of TLS implementations for finding bugs and security vulnerabilities.

However, all of these systems focus only on few TLS components and lack a common analysis scenario and inter-approach comparisons.
Especially, the amount of manual effort required across the whole analysis process to obtain the root cause of an error is often ignored.
In this paper, we survey and categorize literature on automated testing approaches for TLS libraries.
The results reveal a heterogeneous landscape of approaches with a trade-off between the manual effort required for setup and for result interpretation, along with major deficits in the considered performance metrics.
These imply important future directions which need to be followed to advance the current state of protocol test automation
Workshop ASOD
Accuracy Evaluation of SBOM Tools for Web Applications and System-Level Software
Andreas Halbritter (Augsburg Technical University of Applied Sciences Institute for Innovative Safety and Security, Germany), Dominik Merli (Augsburg Technical University of Applied Sciences Institute for Innovative Safety and Security, Germany)
Full Paper
Recent vulnerabilities in software like Log4J raise the question whether the software supply chain is secured sufficiently.
Governmental initiatives in the United States (US) and the European Union (EU) demand a Software Bill of Materials (SBOM) for solving this issue. A SBOM has to be produced by using creation tools and it has to be accurate and complete. In the past, there has been research in this field of research.

However, no detailed investigation of several tools producing SBOMs has been conducted regarding accuracy and reliability. For this reason, the following work presents a selection of four popular programming languages of web application and system-level software Python, C, Rust and Typescript. They build the base for four sample software projects and their package manager. For human checking the software projects are small with a small amount of packages and a single dependency. The open-source analysis tools are differed in programming language dependent and general usable tools and run in the standard execution mode on the software projects.

The results were checked against completeness and the National Telecommunications and Information Administration (NTIA) minimum and recommended elements. There is no recommendation for a specific tool as no tool fulfills every requirement, only two tools can be recommended in a limited way. Many tools do not provide a complete SBOM, as they do not depict every test package and dependency. Governmental initiatives should define further specifications on SBOM for example regarding their accuracy and depth. Further research in this field for example proprietary tools or other programming languages is desirable.
Workshop ASOD
Enhancing Secure Deployment with Ansible: A Focus on Least Privilege and Automation for Linux
Eddie Billoir (IRIT, Université de Toulouse, CNRS, Toulouse INP, UT3, AIRBUS Protect, France), Romain Laborde (IRIT, Université de Toulouse, CNRS, Toulouse INP, UT3, France), Ahmad Samer Wazan (Zayed University, France), Yves Rutschle (AIRBUS Protect, France), Abdelmalek Benzekri (IRIT, Université de Toulouse, CNRS, Toulouse INP, UT3, France)
Full Paper
As organisations increasingly adopt Infrastructure as Code (IaC), ensuring secure deployment practices becomes paramount. Ansible is a well-known open-source and modular tool for automating IT management tasks. However, Ansible is subject to supply-chain attacks that can compromise all managed hosts.

This article presents a semi-automated process that improves Ansible-based deployments to have fine-grained control on administrative privileges granted to Ansible tasks. We describe the integration of the RootAsRole framework to Ansible. Finally, we analyse the limit of the current implementation.
Workshop ASOD

Detail ASOD 02/05

Topics of interest include, but are not limited to 03/05

  • Deployment approaches to diverse environments such as IoT, cloud, edge devices, embedded devices, enterprise installations, industrial control systems and similar
  • Automating security requirements validation and evidence gathering
  • Design of secure deployable artifacts such as containers, virtual machines and similar
  • Post-deployment sustainment and monitoring
  • Continuous secure deployments
  • Deployments in insecure, air gapped, and highly regulated environments
  • Secure CI/CD design and maintenance
  • AI driven deployment practices
  • Secure deployments under resource constraints
  • Using DevSecOps in secure deployments
  • Deployment rollbacks, updates, and patching
  • Integration of and updates to security requirements
  • Secure deployment strategies, planning, methodologies, and workflows

Workshop Chairs 04/05

Workshop Chairs

Workshop Chairs Logo
Jose Andre Morales
Carnegie Mellon University, USA
Workshop Chairs Logo
Hasan Yasar
Carnegie Mellon University, USA

Program Committee

James Carnegie | Docker Inc, USA
Justin Cappos | New York University, USA
Altaz Valani | Security Compass, Canada
Martin Gilje Jaatun | SINTEF, Norway
Juha Röning | University of Oulu, Finland
Lanier Watkins | Johns Hopkins University, USA
Hossein Siadati | DataDog, USA

Submission 05/05

Important Dates

Submission Deadline May 12, 2024
Author Notification May 29, 2024
Proceedings Version Jun 18, 2024
Conference Jul 30 — Aug 02, 2024
Register here!
Join us at ARES 2024 in Vienna, Austria