Abstract
Software development has moved from being rigid and inflexible to being automated and subject to constant change, owing to the adoption of continuous integration and continuous delivery environments. Developers often rely on such environments because of the many conveniences they offer, yet they tend to focus on authentication alone, without considering other aspects of security such as the integrity of the source code and of the compiled binaries. The source code of a software project must not be maliciously modified; however, there is no secure method to verify that its integrity has not been violated. Trusted computing technology, in particular the Trusted Platform Module (TPM), can be used to implement such a secure method.
Acknowledgment
This research has been funded by the Marie Skłodowska-Curie SealedGRID grant agreement No. 777996 and the H2020-SC1-FA-DTS-2018-1 CUREX under grant agreement No. 826404.
© 2020 Springer Nature Switzerland AG
Muñoz, A., Farao, A., Correia, J.R.C., Xenakis, C. (2020). ICITPM: Integrity Validation of Software in Iterative Continuous Integration Through the Use of Trusted Platform Module (TPM). In: Boureanu, I., et al. Computer Security. ESORICS 2020. Lecture Notes in Computer Science(), vol 12580. Springer, Cham. https://doi.org/10.1007/978-3-030-66504-3_9
DOI: https://doi.org/10.1007/978-3-030-66504-3_9
Publisher Name: Springer, Cham
Print ISBN: 978-3-030-66503-6
Online ISBN: 978-3-030-66504-3
eBook Packages: Computer Science (R0)