14 research outputs found

    Break the Code?:Breaking Changes and Their Impact on Software Evolution

    On the Security Blind Spots of Software Composition Analysis

    Modern software heavily relies on the use of components. Those components are usually published in central repositories and managed by build systems via dependencies. Because of issues around vulnerabilities, licenses and the propagation of bugs, the study of those dependencies is of utmost importance, and numerous software composition analysis (SCA) tools have emerged to address those issues. A particular challenge is hidden dependencies that are the result of cloning or shading, where code from a component is "inlined" and, in the case of shading, moved to different namespaces. We present an approach to detect cloned and shaded artifacts in the Maven repository. Our approach is lightweight in that it does not require the creation and maintenance of an index, and uses a custom AST-based clone detection. Our analysis focuses on the detection of vulnerabilities in artifacts which use cloning or shading. Starting with eight vulnerabilities with assigned CVEs (four of those classified as critical) and proof-of-vulnerability projects demonstrating the presence of a vulnerability in an artifact, we query the Maven repository and retrieve over 16k potential clones of the vulnerable artifacts. After running our analysis on this set, we detect 554 artifacts with the respective vulnerabilities (49 if versions are ignored). We synthesize a testable proof-of-vulnerability project for each of those. We demonstrate that existing SCA tools often miss these exposures.
    Comment: 16 pages, 1 figure

    Tietoturvatestaaminen jatkuvan integraation prosesseissa (Security testing in continuous integration processes)

    Modern software development processes in which changes can be deployed to production multiple times a day present a challenge from the software security point of view. In this work we explore the possibility of using existing software security testing methods and tools in continuous integration to achieve a basic level of continuous security testing. We review existing software security testing methods and tools to determine their applicability to continuous security testing. In four case studies we made selected security testing tools part of real-life software development projects' continuous integration systems and development processes. We found that continuous security testing is feasible using current security testing methods and tools. Multiple different, complementary approaches to implementing it are available, depending on the level of expendable effort and security expertise at hand. Dependency verification is in most cases the best starting point for implementing continuous security testing. Good dependency verification tools, which require minimal effort and security testing expertise from the user, are available for most major programming languages.
    Modern software development processes, in which changes can be deployed to production several times a day, are challenging from the perspective of assuring the security of the developed software. In this work we study how existing security testing methods and tools could be used in continuous integration systems to achieve a basic level of continuous security testing. We review existing security testing methods and tools to determine their suitability for continuous security testing. We also test adding selected security testing tools to the continuous integration systems and software development processes of four software development projects. We find that continuous security testing of some areas is possible with existing security testing methods and tools. Many different, complementary approaches are available, each requiring a different amount of effort and security expertise. Based on our observations, in most cases the best way to start continuous security testing is verification of the developed software's dependencies. The availability of security testing tools intended for this purpose is good across programming languages, and adopting them requires very little effort and security expertise.

    Breaking Bad? Semantic versioning and impact of breaking changes in Maven Central

    Just like any software, libraries evolve to incorporate new features, bug fixes, security patches, and refactorings. However, when a library evolves, it may break the contract previously established with its clients by introducing Breaking Changes (BCs) in its API. These changes might trigger compile-time, link-time, or run-time errors in client code. As a result, clients may hesitate to upgrade their dependencies, raising security concerns and making future upgrades even more difficult. Understanding how libraries evolve helps client developers to know which changes to expect and where to expect them, and library developers to understand how they might impact their clients. In the most extensive study to date, Raemaekers et al. investigate to what extent developers of Java libraries hosted on the Maven Central Repository (MCR) follow semantic versioning conventions to signal the introduction of BCs and how these changes impact client projects. Their results suggest that BCs are widespread without regard for semantic versioning, with a significant impact on clients. In this paper, we conduct an external and differentiated replication study of their work. We identify and address some limitations of the original protocol and expand the analysis to a new corpus spanning seven more years of the MCR. We also present a novel static analysis tool for Java bytecode, Maracas, which provides us with: (i) the set of all BCs between two versions of a library; and (ii) the set of locations in client code impacted by individual BCs. Our key findings, derived from the analysis of 119,879 library upgrades and 293,817 clients, contrast with the original study and show that 83.4% of these upgrades do comply with semantic versioning. Furthermore, we observe that the tendency to comply with semantic versioning has significantly increased over time. Finally, we find that most BCs affect code that is not used by any client, and that only 7.9% of all clients are affected by BCs. 
    These findings should help (i) library developers to understand and anticipate the impact of their changes; (ii) libra

    Déploiement continue des applications pervasives en milieux dynamiques (Continuous deployment of pervasive applications in dynamic environments)

    Driven by the emergence of new computing environments, dynamically evolving software systems make it impossible for developers to deploy software with human-centric processes. Instead, there is an increasing need for automation tools that continuously deploy software into execution, in order to push updates or adapt existing software in response to contextual and business changes. Existing solutions fall short of providing fault-tolerant, reproducible deployments that would scale on heterogeneous environments. This thesis focuses especially on enabling continuous deployment solutions for dynamic execution platforms, such as would be found in Pervasive Computing environments. It adopts an approach based on a transactional, idempotent process for coordinating deployment actions. The thesis proposes a set of deployment tools, including a deployment manager capable of conducting deployments and continuously adapting applications according to changes in the current state of the target platform. The implementation of these tools, Rondo, also allows developers and administrators to code application deployments thanks to a deployment descriptor DSL. Using the implementation of Rondo, the propositions of this thesis are validated in several industrial and academic projects, by provisioning frameworks as well as by installing applications and continuously reconfiguring them.
    The emergence of new types of computing environments amplifies the need for software systems to be able to evolve dynamically. However, these systems make it very difficult to deploy software using human-driven processes. There is therefore a growing need for automation tools that can deploy and reconfigure software systems without interrupting their execution. A continuous, automated deployment process makes it possible to update or adapt running software in response to contextual changes and operational requirements. Existing solutions do not allow reproducible, fault-tolerant deployments in fluctuating environments, which therefore require continuous adaptation. This thesis focuses in particular on continuous deployment solutions for dynamic execution platforms, such as those used in ubiquitous computing environments. It adopts an approach based on a transactional, idempotent process to coordinate deployment actions. The thesis also proposes a set of tools, including a deployment manager capable of carrying out discrete deployments but also of continuously adapting applications in response to contextual changes. The implementation of these tools notably allows developers and administrators to write application deployments in a domain-specific language that follows infrastructure-as-code principles. Using the Rondo implementation, the propositions of this thesis are validated in several industrial and academic projects, both for administering ubiquitous platforms and for installing applications and continuously reconfiguring them.

    Cyber Threats and NATO 2030: Horizon Scanning and Analysis

    The book includes 13 chapters that look ahead to how NATO can best address the cyber threats, as well as opportunities and challenges from emerging and disruptive technologies in the cyber domain over the next decade. The present volume addresses these conceptual and practical requirements and contributes constructively to the NATO 2030 discussions. The book is arranged in five short parts... All the chapters in this book have undergone double-blind peer review by at least two external experts.