ASOD
Workshop on Advances in Secure Software Deployments
-
Aug 02, 2024
-
SR04
-
11:00 — 12:30
Workshop Chairs
- → Jose Andre Morales
- → Hasan Yasar
Accepted Paper
SoK: Automated Software Testing for TLS Libraries
Ben Swierzy
(University of Bonn, Germany), Felix Boes
(University of Bonn, Germany), Timo Pohl
(University of Bonn, Germany), Christian Bungartz
(University of Bonn, Germany), Michael Meier
(University of Bonn, Fraunhofer FKIE, Germany)
Sok Paper
Reusable software components, typically integrated as libraries, are a central paradigm of modern software development.
By incorporating a library into their software, developers trust in its quality and its correct and complete implementation.
Since errors in a library affect all applications using it, there is a need for quality assurance tools such as automated testing that can be used by library and application developers to verify the functionality.
In the past decade, many different systems have been published that focus on the automated analysis of TLS implementations for finding bugs and security vulnerabilities.
However, all of these systems focus only on few TLS components and lack a common analysis scenario and inter-approach comparisons.
Especially, the amount of manual effort required across the whole analysis process to obtain the root cause of an error is often ignored.
In this paper, we survey and categorize literature on automated testing approaches for TLS libraries.
The results reveal a heterogeneous landscape of approaches with a trade-off between the manual effort required for setup and for result interpretation, along with major deficits in the considered performance metrics.
These imply important future directions which need to be followed to advance the current state of protocol test automation
Workshop ASOD
Workshop ASOD
By incorporating a library into their software, developers trust in its quality and its correct and complete implementation.
Since errors in a library affect all applications using it, there is a need for quality assurance tools such as automated testing that can be used by library and application developers to verify the functionality.
In the past decade, many different systems have been published that focus on the automated analysis of TLS implementations for finding bugs and security vulnerabilities.
However, all of these systems focus only on few TLS components and lack a common analysis scenario and inter-approach comparisons.
Especially, the amount of manual effort required across the whole analysis process to obtain the root cause of an error is often ignored.
In this paper, we survey and categorize literature on automated testing approaches for TLS libraries.
The results reveal a heterogeneous landscape of approaches with a trade-off between the manual effort required for setup and for result interpretation, along with major deficits in the considered performance metrics.
These imply important future directions which need to be followed to advance the current state of protocol test automation
Accuracy Evaluation of SBOM Tools for Web Applications and System-Level Software
Andreas Halbritter
(Augsburg Technical University of Applied Sciences Institute for Innovative Safety and Security, Germany), Dominik Merli
(Augsburg Technical University of Applied Sciences Institute for Innovative Safety and Security, Germany)
Full Paper
Recent vulnerabilities in software like Log4J raise the question whether the software supply chain is secured sufficiently.
Governmental initiatives in the United States (US) and the European Union (EU) demand a Software Bill of Materials (SBOM) for solving this issue. A SBOM has to be produced by using creation tools and it has to be accurate and complete. In the past, there has been research in this field of research.
However, no detailed investigation of several tools producing SBOMs has been conducted regarding accuracy and reliability. For this reason, the following work presents a selection of four popular programming languages of web application and system-level software Python, C, Rust and Typescript. They build the base for four sample software projects and their package manager. For human checking the software projects are small with a small amount of packages and a single dependency. The open-source analysis tools are differed in programming language dependent and general usable tools and run in the standard execution mode on the software projects.
The results were checked against completeness and the National Telecommunications and Information Administration (NTIA) minimum and recommended elements. There is no recommendation for a specific tool as no tool fulfills every requirement, only two tools can be recommended in a limited way. Many tools do not provide a complete SBOM, as they do not depict every test package and dependency. Governmental initiatives should define further specifications on SBOM for example regarding their accuracy and depth. Further research in this field for example proprietary tools or other programming languages is desirable.
Workshop ASOD
Workshop ASOD
Governmental initiatives in the United States (US) and the European Union (EU) demand a Software Bill of Materials (SBOM) for solving this issue. A SBOM has to be produced by using creation tools and it has to be accurate and complete. In the past, there has been research in this field of research.
However, no detailed investigation of several tools producing SBOMs has been conducted regarding accuracy and reliability. For this reason, the following work presents a selection of four popular programming languages of web application and system-level software Python, C, Rust and Typescript. They build the base for four sample software projects and their package manager. For human checking the software projects are small with a small amount of packages and a single dependency. The open-source analysis tools are differed in programming language dependent and general usable tools and run in the standard execution mode on the software projects.
The results were checked against completeness and the National Telecommunications and Information Administration (NTIA) minimum and recommended elements. There is no recommendation for a specific tool as no tool fulfills every requirement, only two tools can be recommended in a limited way. Many tools do not provide a complete SBOM, as they do not depict every test package and dependency. Governmental initiatives should define further specifications on SBOM for example regarding their accuracy and depth. Further research in this field for example proprietary tools or other programming languages is desirable.
Enhancing Secure Deployment with Ansible: A Focus on Least Privilege and Automation for Linux
Eddie Billoir
(IRIT, Université de Toulouse, CNRS, Toulouse INP, UT3, AIRBUS Protect, France), Romain Laborde
(IRIT, Université de Toulouse, CNRS, Toulouse INP, UT3, France), Ahmad Samer Wazan
(Zayed University, France), Yves Rutschle
(AIRBUS Protect, France), Abdelmalek Benzekri
(IRIT, Université de Toulouse, CNRS, Toulouse INP, UT3, France)
Full Paper
As organisations increasingly adopt Infrastructure as Code (IaC), ensuring secure deployment practices becomes paramount. Ansible is a well-known open-source and modular tool for automating IT management tasks. However, Ansible is subject to supply-chain attacks that can compromise all managed hosts.
This article presents a semi-automated process that improves Ansible-based deployments to have fine-grained control on administrative privileges granted to Ansible tasks. We describe the integration of the RootAsRole framework to Ansible. Finally, we analyse the limit of the current implementation.
Workshop ASOD
Workshop ASOD
This article presents a semi-automated process that improves Ansible-based deployments to have fine-grained control on administrative privileges granted to Ansible tasks. We describe the integration of the RootAsRole framework to Ansible. Finally, we analyse the limit of the current implementation.
Detail ASOD 02/05
Workshop on Advances in Secure Software Deployments to be held in the conjunction with the 19th International Conference on Availability, Reliability and Security
Securely deploying software applications and systems onto diverse production environments is a constantly evolving landscape. New security requirements are continuously proposed along with routine review and revisions of existing ones. Target production environments benefit from cutting edge technology resulting in the inclusion of new hosting platforms and its associated challenges to successful deployments. The ability to build and sustain deployment environments that can address automation, security, rapid deliveries, continuous build and deploy routines, is constantly evolving requiring both novel and improved upon approaches. The Advances in Secure Software Deployments workshop (ASOD) is focused on presenting and discussing the latest in novel and applied research and practice, along with experiential findings covering all areas of secure deployments of software and systems to diverse production environments. The workshop aims to converge a community of researchers and practitioners from academia and industry who are interested in advancing the state of the art. Submissions from academia and industry covering cutting edge approaches, novel findings, and practitioner insights are welcomed.
Topics of interest include, but are not limited to 03/05
- Deployment approaches to diverse environments such as IoT, cloud, edge devices, embedded devices, enterprise installations, industrial control systems and similar
- Automating security requirements validation and evidence gathering
- Design of secure deployable artifacts such as containers, virtual machines and similar
- Post-deployment sustainment and monitoring
- Continuous secure deployments
- Deployments in insecure, air gapped, and highly regulated environments
- Secure CI/CD design and maintenance
- AI driven deployment practices
- Secure deployments under resource constraints
- Using DevSecOps in secure deployments
- Deployment rollbacks, updates, and patching
- Integration of and updates to security requirements
- Secure deployment strategies, planning, methodologies, and workflows
Workshop Chairs 04/05
Workshop Chairs
Program Committee
James Carnegie
|
Docker Inc, USA
Justin Cappos
|
New York University, USA
Altaz Valani
|
Security Compass, Canada
Martin Gilje Jaatun
|
SINTEF, Norway
Juha Röning
|
University of Oulu, Finland
Lanier Watkins
|
Johns Hopkins University, USA
Hossein Siadati
|
DataDog, USA
Submission 05/05
Submission Guidelines
The submission guidelines valid for the workshop are the same as for the ARES conference.
Important Dates
Submission Deadline
May 12, 2024
Author Notification
May 29, 2024
Proceedings Version
Jun 18, 2024
Conference
Jul 30
—
Aug 02, 2024