Abstract
Software repositories contain information about source code, software development processes, and team interactions. We combine the provenance of development processes with code security analysis results to provide fast feedback on the software’s design and security issues. Results from queries of the provenance graph drive the security analysis, which is conducted on certain events, such as commits or pull requests by external contributors. We evaluate our method on Open Source projects that are developed under time pressure and use Germany’s COVID-19 contact tracing app ‘Corona-Warn-App’ as a case study.
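The following is an added illustration of the idea in the abstract, not code from the paper or from the Corona-Warn-App project: a small PROV-style provenance graph of a git history (commits as activities, authors as agents, changed files as entities), a query that selects the events on which analysis should run (commits by authors outside an assumed core team, and merge commits), and a stand-in security check run only on those events. The graph contents, the contributor roles, and the hard-coded-credential check are constructed assumptions for the example.

```python
"""Provenance-driven audit sketch (added example; constructed data and roles)."""
from dataclasses import dataclass, field
import re


@dataclass
class Commit:
    """A PROV Activity: 'wasAssociatedWith' its author (Agent) and
    'generated' the lines it added to each file (Entity)."""
    sha: str
    author: str
    parents: list
    added_lines: dict  # path -> list of added source lines


@dataclass
class ProvGraph:
    commits: dict = field(default_factory=dict)
    core_team: set = field(default_factory=set)  # assumed maintainer agents

    def add(self, commit):
        self.commits[commit.sha] = commit

    def external_contributions(self):
        """Query: activities whose associated agent is not a maintainer."""
        return [c for c in self.commits.values() if c.author not in self.core_team]

    def merges(self):
        """Query: activities with more than one parent (integration points)."""
        return [c for c in self.commits.values() if len(c.parents) > 1]


# Constructed stand-in for a code security analysis: added lines that look
# like hard-coded credentials. A real pipeline would call a SAST tool here.
SECRET_RE = re.compile(r'(?i)(password|secret|api[_-]?key)\s*=\s*["\'][^"\']+["\']')


def analyze(commit):
    findings = []
    for path, lines in commit.added_lines.items():
        for n, line in enumerate(lines, 1):
            if SECRET_RE.search(line):
                findings.append((commit.sha, path, n))
    return findings


def audit(graph):
    """Run the analysis only on events selected by provenance queries,
    keyed by commit sha so an event matched by both queries runs once."""
    events = {c.sha: c for c in graph.external_contributions() + graph.merges()}
    return {sha: analyze(c) for sha, c in events.items()}


def build_sample_graph():
    """Constructed history: c1 by a maintainer, c2 by an external
    contributor, c3 a merge of c2 by a maintainer."""
    g = ProvGraph(core_team={"alice", "bob"})
    g.add(Commit("c1", "alice", [], {"src/app.py": ["import os", "TOKEN = os.environ['TOKEN']"]}))
    g.add(Commit("c2", "carol", ["c1"], {"src/config.py": ["API_KEY = 'AKIAEXAMPLE0000'"]}))
    g.add(Commit("c3", "bob", ["c1", "c2"], {"README.md": ["Merged #1"]}))
    return g


if __name__ == "__main__":
    for sha, findings in audit(build_sample_graph()).items():
        print(sha, findings)
```

Only c2 (external author) and c3 (merge) are analysed; c1 never reaches the analysis stage, which is the point of letting the provenance query, rather than every commit, trigger the security check.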
Notes
- 3. Data source: https://cauldron.io/project/3860.
- 4. All numbers are as of 10th March, 2021.
- 5. GrimoireLab: http://chaoss.github.io/grimoirelab.
- 6. Cauldron: https://cauldron.io.
- 7. Spikes in the graphs during 08/20–09/20 are due to parallel branch development.
- 11. All numbers are as of 10th March, 2021.
- 12. For example, https://github.com/corona-warn-app/cwa-server/issues/269.
© 2021 Springer Nature Switzerland AG
Cite this paper
Schreiber, A., Sonnekalb, T., Heinze, T.S., von Kurnatowski, L., Gonzalez-Barahona, J.M., Packer, H. (2021). Provenance-Based Security Audits and Its Application to COVID-19 Contact Tracing Apps. In: Glavic, B., Braganholo, V., Koop, D. (eds) Provenance and Annotation of Data and Processes. IPAW 2020, IPAW 2021. Lecture Notes in Computer Science, vol 12839. Springer, Cham. https://doi.org/10.1007/978-3-030-80960-7_6
DOI: https://doi.org/10.1007/978-3-030-80960-7_6
Publisher Name: Springer, Cham
Print ISBN: 978-3-030-80959-1
Online ISBN: 978-3-030-80960-7
eBook Packages: Computer Science (R0)