DOI: 10.1145/3697090.3697098
Research article

Supporting continuous vulnerability compliance through automated identity provisioning

Published: 10 December 2024 Publication History

Abstract

Most applications will exhibit vulnerabilities that impact their availability, integrity, or confidentiality during their life cycle. However, the leading cause of such vulnerabilities is not the application itself but its dependencies. Continuous compliance processes often perform vulnerability assessment to prevent compliance breaches during a CI/CD pipeline. However, current proposals do not extend beyond the pipeline, and thus do not account for incident response when dynamic aspects change, such as newly found vulnerabilities. In this work, we leverage zero trust to continuously assess vulnerability compliance and isolate workloads that do not conform to a minimum vulnerability posture. This isolation presents a trade-off between exploitation prevention and availability, which is useful for critical use cases. Our approach builds on top of SPIRE, a robust selective identity provider, and integrates a response to compliance violations caused by dynamic aspects, as monitored by Dependency Track. We show that the approach adds no significant latency and does not hinder operational or development efforts.
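As an added illustration of the control loop the abstract describes (not the paper's own code), the following Python sketch turns Dependency Track style findings for each SPIRE-registered workload into an identity decision: a workload whose active findings exceed a minimum posture is isolated by withholding its registration, while compliant ones keep theirs. The SPIFFE IDs, project names, finding records, thresholds and the "keep"/"isolate" action names are constructed assumptions.

```python
from dataclasses import dataclass, field

# Dependency Track analysis states that mean a finding has been triaged away;
# the policy honours those decisions (assumption) and ignores such findings.
SUPPRESSED_STATES = {"FALSE_POSITIVE", "NOT_AFFECTED"}


@dataclass
class Finding:
    project: str            # Dependency Track project that maps to one workload
    vuln_id: str            # vulnerability identifier (placeholder values below)
    severity: str           # CRITICAL / HIGH / MEDIUM / LOW
    analysis_state: str = "NOT_SET"


@dataclass
class Policy:
    """Minimum vulnerability posture a workload must meet to keep its identity.
    Raising a limit above zero trades exploitation prevention for availability."""
    max_by_severity: dict = field(
        default_factory=lambda: {"CRITICAL": 0, "HIGH": 2})


def active_counts(findings, project):
    """Count unsuppressed findings per severity for one project."""
    counts = {}
    for f in findings:
        if f.project != project or f.analysis_state in SUPPRESSED_STATES:
            continue
        counts[f.severity] = counts.get(f.severity, 0) + 1
    return counts


def is_compliant(findings, project, policy):
    counts = active_counts(findings, project)
    return all(counts.get(sev, 0) <= limit
               for sev, limit in policy.max_by_severity.items())


def reconcile(entries, findings, policy):
    """entries: SPIFFE ID -> Dependency Track project.
    Returns the action per identity: 'isolate' removes the workload's
    registration so no SVID is issued; 'keep' leaves or restores it."""
    return {sid: ("keep" if is_compliant(findings, proj, policy) else "isolate")
            for sid, proj in entries.items()}


# Constructed sample data: one workload with an open critical finding, one
# whose only critical finding was triaged as a false positive.
SAMPLE_ENTRIES = {"spiffe://example.org/payments-api": "payments-api",
                  "spiffe://example.org/ledger": "ledger"}
SAMPLE_FINDINGS = [
    Finding("payments-api", "CVE-PLACEHOLDER-1", "CRITICAL"),
    Finding("ledger", "CVE-PLACEHOLDER-2", "CRITICAL", "FALSE_POSITIVE"),
    Finding("ledger", "CVE-PLACEHOLDER-3", "HIGH"),
    Finding("ledger", "CVE-PLACEHOLDER-4", "HIGH"),
]
```

Re-running `reconcile` whenever Dependency Track reports a new finding is what makes the assessment continuous rather than pipeline-bound.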

Published In

LADC '24: Proceedings of the 13th Latin-American Symposium on Dependable and Secure Computing
November 2024, 283 pages
ISBN: 9798400717406
DOI: 10.1145/3697090
Publication rights licensed to ACM. ACM acknowledges that this contribution was authored or co-authored by an employee, contractor or affiliate of a national government. As such, the Government retains a nonexclusive, royalty-free right to publish or reproduce this article, or to allow others to do so, for Government purposes only. Request permissions from owner/author(s).

Publisher

Association for Computing Machinery

New York, NY, United States


Author Tags

  1. Continuous Compliance
  2. Vulnerability Management
  3. ZTA
  4. Incident Response
  5. Identity Provisioning
