
    SecCo: Automated Services to Secure Containers in the DevOps Paradigm

    Containers are core building blocks for creating applications based on the microservice paradigm. However, assessing their security is complex, especially when they are deployed in distributed and heterogeneous scenarios. Moreover, developers and IT operators should be able to focus only on integration and delivery processes, without also having to carry out the tasks that guarantee security requirements. To overcome these issues, this paper introduces the ideas underlying Project SecCo (Securing Containers), i.e., an architecture for extending and improving current security assessment methodologies within the continuous integration and continuous delivery DevOps pipeline. To this end, SecCo proposes a framework able to orchestrate new automatic security services that prevent and reduce security vulnerabilities in the design, implementation, and deployment phases, and that identify and mitigate, at runtime, attempts to exploit them. The paper also presents the main research challenges to be addressed in pursuing the vision of SecCo.

    Ambush from All Sides: Understanding Security Threats in Open-Source Software CI/CD Pipelines

    Continuous integration and continuous deployment (CI/CD) pipelines are widely adopted on Internet hosting platforms such as GitHub. With this popularity, CI/CD pipelines face various security threats: current pipelines suffer from malicious code and severe vulnerabilities, and, worse, users are not fully aware of their attack surfaces and the corresponding impacts. In this paper, we therefore conduct a large-scale measurement and a systematic analysis to reveal the attack surfaces of CI/CD pipelines and quantify their security impacts. For the measurement, we collect a data set of 320,000+ GitHub repositories with configured CI/CD pipelines and build an analysis tool that parses the pipelines and extracts security-critical usages. We also observe that the current CI/CD ecosystem relies heavily on a handful of core scripts, which may become a single point of failure, while the pipelines themselves handle sensitive information and operations, making them favourite targets for attackers. Inspired by the measurement findings, we abstract the threat model and the attack approach against CI/CD pipelines, followed by a systematic analysis of attack surfaces, attack strategies, and the corresponding impacts. We further conduct case studies of five attacks in real-world CI/CD environments to validate the revealed attack surfaces. Finally, we give suggestions for mitigating attacks on CI/CD scripts: securing CI/CD configurations, securing CI/CD scripts, and improving CI/CD infrastructure.
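    As an added illustration of the kind of "security-critical usage" extraction the abstract describes (this is example code written for this page, not the paper's analysis tool), the script below scans a GitHub Actions workflow line by line and flags three well-known configuration weaknesses: third-party actions referenced by a mutable tag instead of a full commit SHA, a checkout of the pull-request head under the privileged `pull_request_target` trigger, and attacker-controlled event fields expanded directly inside a `run:` step. Both workflow texts are constructed for the example, the 40-hex pin is a placeholder that only has the shape of a commit SHA, and the check names are this example's own.

```python
"""Extract security-critical usages from a GitHub Actions workflow.

Added illustration for this page, not the analysis tool from the paper.
The workflow texts below are constructed; the 40-hex pin is a placeholder.
"""
import re
from dataclasses import dataclass

# A full commit SHA is the only immutable way to reference a third-party action.
SHA40 = re.compile(r"^[0-9a-f]{40}$")
USES_RE = re.compile(r"^\s*-?\s*uses:\s*([^\s#]+)")
# pull_request_target runs with the base repository's secrets on fork events.
TRIGGER_PRT_RE = re.compile(r"^\s*(?:on:.*|-\s*)?pull_request_target\b")
HEAD_REF_RE = re.compile(r"^\s*ref:\s*.*github\.event\.pull_request\.head")
RUN_RE = re.compile(r"^(\s*)-?\s*run:")
# Event fields an external contributor controls; expanding them in a shell
# step lets the contributor inject commands into the runner.
UNTRUSTED_RE = re.compile(
    r"\$\{\{\s*github\.event\.(?:issue|pull_request|comment|review|head_commit)"
    r"\.[\w.]*(?:title|body|message|head\.ref|label\.name)\b")


@dataclass(frozen=True)
class Finding:
    kind: str    # which risky usage was matched
    line: int    # 1-based line number in the workflow text
    detail: str  # the offending fragment


def analyze_workflow(text: str) -> list[Finding]:
    """Line-oriented scan; deliberately avoids a YAML dependency."""
    lines = text.splitlines()
    findings: list[Finding] = []
    uses_prt = any(TRIGGER_PRT_RE.match(ln) for ln in lines
                   if not ln.lstrip().startswith("#"))
    run_indent = None  # indentation of the enclosing run: key while inside one
    for no, line in enumerate(lines, 1):
        stripped = line.strip()
        if not stripped or stripped.startswith("#"):
            continue
        indent = len(line) - len(line.lstrip())
        in_run = run_indent is not None and indent > run_indent
        if not in_run:
            run_indent = None
        m = USES_RE.match(line)
        if m:
            spec = m.group(1)
            if "@" in spec and not spec.startswith(("./", "docker://")):
                _, ref = spec.rsplit("@", 1)
                if not SHA40.match(ref):
                    findings.append(Finding("unpinned-action", no, spec))
            continue
        if uses_prt and HEAD_REF_RE.match(line):
            findings.append(Finding("prt-checkout-head", no, stripped))
            continue
        m = RUN_RE.match(line)
        if m:
            run_indent = len(m.group(1))
            in_run = True
        if in_run:
            u = UNTRUSTED_RE.search(line)
            if u:
                findings.append(Finding("untrusted-input-in-run", no, u.group(0)))
    return findings


# Constructed "before" workflow carrying all three weaknesses.
RISKY_WORKFLOW = """\
name: pr-greeter
on:
  pull_request_target:
    types: [opened]
jobs:
  greet:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
        with:
          ref: ${{ github.event.pull_request.head.sha }}
      - uses: actions/setup-node@1a4442cacd436585916779262731d5b162bc6ec7
      - name: Greet
        run: |
          echo "Thanks for PR: ${{ github.event.pull_request.title }}"
      - run: npm test
"""

# Constructed hardened version: pull_request instead of pull_request_target,
# the action pinned to a commit, and the untrusted title passed via env.
SAFE_WORKFLOW = """\
name: pr-greeter
on:
  pull_request:
jobs:
  greet:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@1a4442cacd436585916779262731d5b162bc6ec7
      - name: Greet
        env:
          PR_TITLE: ${{ github.event.pull_request.title }}
        run: |
          echo "Thanks for PR: $PR_TITLE"
"""

if __name__ == "__main__":
    for f in analyze_workflow(RISKY_WORKFLOW):
        print(f"line {f.line}: {f.kind}: {f.detail}")
    print("hardened workflow findings:", analyze_workflow(SAFE_WORKFLOW))
```

Running it reports the unpinned `actions/checkout@v4` on line 9, the head-ref checkout on line 11 and the interpolated PR title on line 15 of the risky workflow, and nothing for the hardened one. The scanner is intentionally regex-based so it runs without PyYAML; a production tool would parse the YAML properly and also resolve reusable workflows and composite actions, which is where the "core scripts" the abstract mentions concentrate risk.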

    Long-Term Risks and Short-Term Regulations: Modeling the Transition from Enhanced Oil Recovery to Geologic Carbon Sequestration

    Recent policy debates suggest that geologic carbon sequestration (GS) will likely play an important role in a carbon-constrained future. As GS evolves from the analogous technologies and practices of enhanced oil recovery (EOR) operations into a long-term, dedicated emissions mitigation option, regulations must evolve simultaneously to manage the risks associated with underground migration and surface trespass of carbon dioxide (CO2). In this paper, we develop a basic engineering-economic model of four illustrative strategies available to a sophisticated site operator, to better understand key deployment pathways in the transition from EOR to GS operations. All of these strategies focus on whether or not a sophisticated site operator would store CO2 in a geologic formation. We evaluate these strategies under illustrative scenarios of (a) oil and CO2 prices; (b) leakage estimates; and (c) transportation, injection, and monitoring costs, as obtained from our understanding of the literature. Major results reveal that CO2 storage in depleted hydrocarbon reservoirs after oil recovery is associated with the greatest net revenues (i.e., the “most-preferred” strategy) under a range of scenarios. This finding ultimately suggests that GS regulatory design should anticipate the use of the potentially leakiest, or “worst,” sites first.
    Keywords: carbon sequestration, enhanced oil recovery, leakage, regulatory design, risk management

    Security Support in Continuous Deployment Pipeline

    Continuous Deployment (CD) has emerged as a new practice in the software industry for continuously and automatically deploying software changes into production. A Continuous Deployment Pipeline (CDP) supports the CD practice by transferring changes from the repository to production. Since most CDP components run in an environment that has several interfaces to the Internet, these components are exposed to various kinds of malicious attacks. This paper reports our work on designing a secure CDP by applying security tactics. We demonstrate the effectiveness of five security tactics in designing a secure pipeline through an experiment on two CDPs, one incorporating the security tactics and the other not. Both CDPs were analysed qualitatively and quantitatively: we used assurance cases with goal-structured notation for the qualitative analysis and penetration-testing tools for the quantitative analysis. Our findings indicate that the applied tactics improve the security of the major components of a CDP (i.e., the repository, the continuous integration server and the main server) by controlling access to the components and establishing secure connections.

    CCS Networks for the UK: Benefits, Impacts and Regulation

    What benefits might be offered by developing well-planned CCS networks? A review of the drivers for, and barriers to, the coherent development of CCS networks in the UK is used to synthesise a limited set of possible network topologies. The benefits offered by each topology for UK carbon dioxide and other atmospheric emissions are estimated. Other potential benefits are considered qualitatively, and a range of uncertainties is identified. The complexity of CCS networks means that addressing these uncertainties is a challenging task, and the need for a whole-systems approach is evaluated. Finally, implications for CCS regulation and policy are highlighted.

    Energy security issues in contemporary Europe

    Throughout history, energy security has always been seen as a means of protection from disruptions of essential energy systems. The idea of protection from such disruptions emerged from the process of securing political and military control over energy resources, and led to policies and measures for managing the risks that affect all elements of energy systems. The various systems put in place to achieve energy security are the driving force behind innovations and emerging trends in the energy sector. Our paper discusses the status of energy security and innovations in the energy sector of the European Union (EU). We analyse recent developments in energy policy and the exploitation of energy sources, and scrutinise the channels through which energy flows to EU countries and the risks associated with this energy import. Moreover, we argue that the shift to low-carbon energy production and the massive deployment of renewable energy sources (RES) may become the key issue in ensuring the energy security of the EU and its independence from external energy supplies. RES, distributed energy resources (DER) and “green energy” based on energy efficiency and the shift to alternative energy supply may change the energy security status quo for the EU.

    European Energy Security. ZEI Discussion Paper C260 2020

    In the wake of the European Union’s (EU) enlargements in 2004 and 2007, which saw the accession of 12 new member states, lengthy debates took place on the burden of onboarding the new member states, the difficulty of ensuring their compliance with EU rules and regulations, and the dependence of many of these states on a single supplier for their energy needs. This paper assesses the EU’s efforts to form a comprehensive energy security policy in recent decades, paying particular attention to the development of the theory of energy security and to the main developments of the EU’s energy security policy in recent years. The Energy Union, a flagship initiative launched by the European Commission in 2015, is assessed through an examination of its governance structure and its achievements in specific policy domains.