Change search
CiteExportLink to record
Permanent link

Direct link
Cite
Citation style
  • apa
  • ieee
  • modern-language-association-8th-edition
  • vancouver
  • Other style
More styles
Language
  • de-DE
  • en-GB
  • en-US
  • fi-FI
  • nn-NO
  • nn-NB
  • sv-SE
  • Other locale
More languages
Output format
  • html
  • text
  • asciidoc
  • rtf
Enterprise-Driven Open Source Software: A Case Study on Security Automation
Tech Univ Munich, DEU.
Siemens Technol, Mumbai, DEU.
Tech Univ Munich, DEU.
Blekinge Institute of Technology, Faculty of Computing, Department of Software Engineering.ORCID iD: 0000-0003-0619-6027
2021 (English)In: 2021 IEEE/ACM 43RD INTERNATIONAL CONFERENCE ON SOFTWARE ENGINEERING: SOFTWARE ENGINEERING IN PRACTICE (ICSE-SEIP 2021), IEEE Computer Society, 2021, no 43rd IEEE/ACM International Conference on Software Engineering - Software Engineering in Practice (ICSE-SEIP) / 43rd ACM/IEEE International Conference on Software Engineering - New Ideas and Emerging Results (ICSE-NIER), p. 278-287Conference paper, Published paper (Refereed)
Abstract [en]

Agile and DevOps are widely adopted by the industry. Hence, integrating security activities with industrial practices. such as continuous integration (CI) pipelines, is necessary to detect security flaws and adhere to regulators' demands early. In this paper, we analyze automated security activities in CI pipelines of enterprise-driven open source software (OSS). This shall allow us, in the long-run, to better understand the extent to which security activities are (or should be) part of automated pipelines. In particular, we mine publicly available OSS repositories and survey a sample of project maintainers to better understand the role that security activities and their related tools play in their CI pipelines. To increase transparency and allow other researchers to replicate our study (and to take different perspectives), we further disclose our research artefacts. Our results indicate that security activities in enterprise-driven OSS projects are scarce and protection coverage is rather low. Only 6.83% of the analyzed 8,243 projects apply security automation in their CI pipelines, even though maintainers consider security to be rather important. This alerts industry to keep the focus on vulnerabilities of 3rd Party software and it opens space for other improvements or practice which we outline in this manuscript.

Place, publisher, year, edition, pages
IEEE Computer Society, 2021. no 43rd IEEE/ACM International Conference on Software Engineering - Software Engineering in Practice (ICSE-SEIP) / 43rd ACM/IEEE International Conference on Software Engineering - New Ideas and Emerging Results (ICSE-NIER), p. 278-287
Series
Proceedings - International Conference on Software Engineering, ISSN 0270-5257, E-ISSN 1558-1225 ; 43
Keywords [en]
Security, Secure Software Engineering, Continuous Integration, Open Source Software, DevOps, Industrial Companies, DevSecOps
National Category
Software Engineering
Identifiers
URN: urn:nbn:se:bth-22104DOI: 10.1109/ICSE-SEIP52600.2021.00037ISI: 000684234800029ISBN: 978-0-7381-4669-0 (print)OAI: oai:DiVA.org:bth-22104DiVA, id: diva2:1590784
Conference
43rd IEEE/ACM International Conference on Software Engineering - Software Engineering in Practice (ICSE-SEIP) / 43rd ACM/IEEE International Conference on Software Engineering - New Ideas and Emerging Results (ICSE-NIER)
Note

open access

Available from: 2021-09-03 Created: 2021-09-03 Last updated: 2022-12-02Bibliographically approved

Open Access in DiVA

No full text in DiVA

Other links

Publisher's full textarXiv.org

Authority records

Mendez, Daniel

Search in DiVA

By author/editor
Mendez, Daniel
By organisation
Department of Software Engineering
Software Engineering

Search outside of DiVA

GoogleGoogle Scholar

doi
isbn
urn-nbn

Altmetric score

doi
isbn
urn-nbn
Total: 164 hits
CiteExportLink to record
Permanent link

Direct link
Cite
Citation style
  • apa
  • ieee
  • modern-language-association-8th-edition
  • vancouver
  • Other style
More styles
Language
  • de-DE
  • en-GB
  • en-US
  • fi-FI
  • nn-NO
  • nn-NB
  • sv-SE
  • Other locale
More languages
Output format
  • html
  • text
  • asciidoc
  • rtf