Enterprise-Driven Open Source Software: A Case Study on Security Automation (SEIP - Software Engineering in Practice)
Fri 28 May 2021, 07:20 - 07:40, Blended Sessions Room 2. Session 3.5.2: Continuous Integration, Feature Models and Program Transformation
Agile and DevOps are widely adopted by the industry. Hence, integrating security activities with industrial practices, such as continuous integration (CI) pipelines, is necessary to detect security flaws early and to meet regulators' demands. In this paper, we analyze automated security activities in the CI pipelines of enterprise-driven open source software (OSS). In the long run, this should allow us to better understand the extent to which security activities are (or should be) part of automated pipelines. In particular, we mine publicly available OSS repositories and survey a sample of project maintainers to better understand the role that security activities and their related tools play in their CI pipelines. To increase transparency and allow other researchers to replicate our study (and to take different perspectives), we further disclose our research artefacts.
Our results indicate that security activities in enterprise-driven OSS projects are scarce and that protection coverage is rather low. Only 6.83% of the 8,243 analyzed projects apply security automation in their CI pipelines, even though maintainers consider security to be rather important. This alerts industry to keep its focus on vulnerabilities in third-party software, and it opens space for other improvements to practice, which we outline in this manuscript.
Session 3.5.2: Continuous Integration, Feature Models and Program Transformation (NIER - New Ideas and Emerging Results / SEIP - Software Engineering in Practice), Blended Sessions Room 2. Chair: Antonia Bertolino (CNR-ISTI). Times are shown in the Amsterdam, Berlin, Bern, Rome, Stockholm, Vienna time zone.

Thu 27 May, 19:20 - 20:10:
- 19:20 (20 min, Paper, SEIP): Enterprise-Driven Open Source Software: A Case Study on Security Automation. Florian Angermeir (Technical University of Munich), Markus Voggenreiter (Siemens - LMU), Fabiola Moyon (Siemens / TUM), Daniel Mendez (Blekinge Institute of Technology). Pre-print and media attached.
- 19:40 (15 min, Paper, NIER): Towards Automated Testing and Debugging of Feature Models. Viet-Man Le (Graz University of Technology), Alexander Felfernig (Graz University of Technology), Mathias Uta (Siemens Gas and Power), David Benavides (Universidad de Sevilla), Jose Galindo (University of Seville), Trang Tran (Graz University of Technology). Link to publication, pre-print and media attached.
- 19:55 (15 min, Paper, NIER): Towards Modal Software Engineering. Ramy Shahin (University of Toronto). Pre-print and media attached.

Fri 28 May, 07:20 - 08:10 (same session, repeated 12 hours later):
- 07:20 (20 min, Paper, SEIP): Enterprise-Driven Open Source Software: A Case Study on Security Automation. Angermeir, Voggenreiter, Moyon, Mendez.
- 07:40 (15 min, Paper, NIER): Towards Automated Testing and Debugging of Feature Models. Le, Felfernig, Uta, Benavides, Galindo, Tran.
- 07:55 (15 min, Paper, NIER): Towards Modal Software Engineering. Shahin.