    Workshop on Advances in Secure Software Deployments
    • Date
      Aug 02, 2024
    • Location
      SR04
    • Duration
      11:00 — 12:30

    Workshop Chairs

    • Jose Andre Morales
    • Hasan Yasar

    Accepted Papers

    SoK: Automated Software Testing for TLS Libraries
    Ben Swierzy (University of Bonn, Germany), Felix Boes (University of Bonn, Germany), Timo Pohl (University of Bonn, Germany), Christian Bungartz (University of Bonn, Germany), Michael Meier (University of Bonn, Fraunhofer FKIE, Germany)
    SoK Paper
    Reusable software components, typically integrated as libraries, are a central paradigm of modern software development.
    By incorporating a library into their software, developers trust in its quality and its correct and complete implementation.
    Since errors in a library affect all applications using it, there is a need for quality assurance tools such as automated testing that can be used by library and application developers to verify the functionality.
    In the past decade, many different systems have been published that focus on the automated analysis of TLS implementations for finding bugs and security vulnerabilities.

    However, all of these systems focus on only a few TLS components and lack a common analysis scenario and inter-approach comparisons.
    In particular, the amount of manual effort required across the whole analysis process to obtain the root cause of an error is often ignored.
    In this paper, we survey and categorize literature on automated testing approaches for TLS libraries.
    The results reveal a heterogeneous landscape of approaches with a trade-off between the manual effort required for setup and for result interpretation, along with major deficits in the considered performance metrics.
    These imply important future directions which need to be followed to advance the current state of protocol test automation.
    Accuracy Evaluation of SBOM Tools for Web Applications and System-Level Software
    Andreas Halbritter (Augsburg Technical University of Applied Sciences Institute for Innovative Safety and Security, Germany), Dominik Merli (Augsburg Technical University of Applied Sciences Institute for Innovative Safety and Security, Germany)
    Full Paper
    Recent vulnerabilities in software like Log4J raise the question whether the software supply chain is secured sufficiently.
    Governmental initiatives in the United States (US) and the European Union (EU) demand a Software Bill of Materials (SBOM) for solving this issue. An SBOM has to be produced using creation tools, and it has to be accurate and complete. There has been prior research in this field.

    However, no detailed investigation of several tools producing SBOMs has been conducted regarding accuracy and reliability. For this reason, the following work presents a selection of four popular programming languages for web applications and system-level software: Python, C, Rust and TypeScript. These form the basis for four sample software projects and their package managers. To allow human checking, the software projects are small, with a small number of packages and a single dependency. The open-source analysis tools are divided into programming-language-dependent and generally usable tools, and are run in their standard execution mode on the software projects.

    The results were checked for completeness and against the National Telecommunications and Information Administration (NTIA) minimum and recommended elements. There is no recommendation for a specific tool, as no tool fulfills every requirement; only two tools can be recommended in a limited way. Many tools do not provide a complete SBOM, as they do not depict every test package and dependency. Governmental initiatives should define further specifications on SBOMs, for example regarding their accuracy and depth. Further research in this field, for example on proprietary tools or other programming languages, is desirable.
    Enhancing Secure Deployment with Ansible: A Focus on Least Privilege and Automation for Linux
    Eddie Billoir (IRIT, Université de Toulouse, CNRS, Toulouse INP, UT3, AIRBUS Protect, France), Romain Laborde (IRIT, Université de Toulouse, CNRS, Toulouse INP, UT3, France), Ahmad Samer Wazan (Zayed University, France), Yves Rutschle (AIRBUS Protect, France), Abdelmalek Benzekri (IRIT, Université de Toulouse, CNRS, Toulouse INP, UT3, France)
    Full Paper
    As organisations increasingly adopt Infrastructure as Code (IaC), ensuring secure deployment practices becomes paramount. Ansible is a well-known open-source and modular tool for automating IT management tasks. However, Ansible is subject to supply-chain attacks that can compromise all managed hosts.

    This article presents a semi-automated process that improves Ansible-based deployments to have fine-grained control over the administrative privileges granted to Ansible tasks. We describe the integration of the RootAsRole framework into Ansible. Finally, we analyse the limits of the current implementation.

    Details

    Topics of interest include, but are not limited to:

    • Deployment approaches to diverse environments such as IoT, cloud, edge devices, embedded devices, enterprise installations, industrial control systems and similar
    • Automating security requirements validation and evidence gathering
    • Design of secure deployable artifacts such as containers, virtual machines and similar
    • Post-deployment sustainment and monitoring
    • Continuous secure deployments
    • Deployments in insecure, air gapped, and highly regulated environments
    • Secure CI/CD design and maintenance
    • AI driven deployment practices
    • Secure deployments under resource constraints
    • Using DevSecOps in secure deployments
    • Deployment rollbacks, updates, and patching
    • Integration of and updates to security requirements
    • Secure deployment strategies, planning, methodologies, and workflows

    Workshop Chairs

    Jose Andre Morales | Carnegie Mellon University, USA
    Hasan Yasar | Carnegie Mellon University, USA

    Program Committee

    James Carnegie | Docker Inc, USA
    Justin Cappos | New York University, USA
    Altaz Valani | Security Compass, Canada
    Martin Gilje Jaatun | SINTEF, Norway
    Juha Röning | University of Oulu, Finland
    Lanier Watkins | Johns Hopkins University, USA
    Hossein Siadati | DataDog, USA

    Submission

    Important Dates

    Submission Deadline May 12, 2024
    Author Notification May 29, 2024
    Proceedings Version Jun 18, 2024
    Conference Jul 30 — Aug 02, 2024
    Join us at ARES 2024 in Vienna, Austria