Software Open Access

Enterprise-Driven Open Source Software: A Case Study on Security Automation

Angermeir, Florian; Voggenreiter, Markus; Moyón, Fabiola; Méndez, Daniel


DataCite XML Export

<?xml version='1.0' encoding='utf-8'?>
<resource xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns="http://datacite.org/schema/kernel-4" xsi:schemaLocation="http://datacite.org/schema/kernel-4 http://schema.datacite.org/meta/kernel-4.1/metadata.xsd">
  <identifier identifierType="DOI">10.5281/zenodo.4106329</identifier>
  <creators>
    <creator>
      <creatorName>Angermeir, Florian</creatorName>
      <givenName>Florian</givenName>
      <familyName>Angermeir</familyName>
      <nameIdentifier nameIdentifierScheme="ORCID" schemeURI="http://orcid.org/">0000-0001-7903-8236</nameIdentifier>
      <affiliation>Technical University Munich</affiliation>
    </creator>
    <creator>
      <creatorName>Voggenreiter, Markus</creatorName>
      <givenName>Markus</givenName>
      <familyName>Voggenreiter</familyName>
      <nameIdentifier nameIdentifierScheme="ORCID" schemeURI="http://orcid.org/">0000-0003-3964-1983</nameIdentifier>
      <affiliation>Siemens Technology, Ludwig Maximilians University Munich</affiliation>
    </creator>
    <creator>
      <creatorName>Moyón, Fabiola</creatorName>
      <givenName>Fabiola</givenName>
      <familyName>Moyón</familyName>
      <nameIdentifier nameIdentifierScheme="ORCID" schemeURI="http://orcid.org/">0000-0003-0535-1371</nameIdentifier>
      <affiliation>Siemens Technology, Technical University Munich</affiliation>
    </creator>
    <creator>
      <creatorName>Méndez, Daniel</creatorName>
      <givenName>Daniel</givenName>
      <familyName>Méndez</familyName>
      <nameIdentifier nameIdentifierScheme="ORCID" schemeURI="http://orcid.org/">0000-0003-0619-6027</nameIdentifier>
      <affiliation>Blekinge Institute of Technology, fortiss GmbH</affiliation>
    </creator>
  </creators>
  <titles>
    <title>Enterprise-Driven Open Source Software: A Case Study on Security Automation</title>
  </titles>
  <publisher>Zenodo</publisher>
  <publicationYear>2020</publicationYear>
  <subjects>
    <subject>Security</subject>
    <subject>Secure Software Engineering</subject>
    <subject>DevSecOps</subject>
    <subject>DevOps</subject>
    <subject>Continuous Integration</subject>
    <subject>Open Source Software</subject>
  </subjects>
  <dates>
    <date dateType="Issued">2020-10-19</date>
  </dates>
  <resourceType resourceTypeGeneral="Software"/>
  <alternateIdentifiers>
    <alternateIdentifier alternateIdentifierType="url">https://zenodo.org/record/4106329</alternateIdentifier>
  </alternateIdentifiers>
  <relatedIdentifiers>
    <relatedIdentifier relatedIdentifierType="URL" relationType="IsSupplementTo">https://github.com/angrymeir/Enterprise-Driven-OSS-Case-Study-Security-Automation/tree/v1.0.1</relatedIdentifier>
    <relatedIdentifier relatedIdentifierType="DOI" relationType="IsVersionOf">10.5281/zenodo.4104321</relatedIdentifier>
  </relatedIdentifiers>
  <version>v1.0.1</version>
  <rightsList>
    <rights rightsURI="https://creativecommons.org/licenses/by/4.0/legalcode">Creative Commons Attribution 4.0 International</rights>
    <rights rightsURI="info:eu-repo/semantics/openAccess">Open Access</rights>
  </rightsList>
  <descriptions>
    <description descriptionType="Abstract">&lt;p&gt;Agile and DevOps are widely adopted by the industry. Hence, integrating security activities with industrial practices, such as continuous integration (CI) pipelines, is necessary to detect security flaws and adhere to regulators&amp;#39; demands early.&lt;br&gt;
In this paper, we analyze automated security activities in CI pipelines of enterprise-driven open source software (OSS). This shall allow us, in the long-run, to better understand the extent to which security activities are (or should be) part of automated pipelines.&amp;nbsp;&lt;br&gt;
In particular, we mine publicly available OSS repositories and survey a sample of project maintainers to better understand the role that security activities and their related tools play in their CI pipelines. To increase transparency and allow other researchers to replicate our study (and to take different perspectives), we further disclose our research artefacts.&lt;br&gt;
Our results indicate that security activities in enterprise-driven OSS projects are scarce and protection coverage is rather low. Only 6.83% of the analyzed 8,243 projects apply security automation in their CI pipelines, even though maintainers consider security to be rather important. This alerts industry to keep the focus on vulnerabilities of 3rd Party software and it opens space for other improvements of practice which we outline in this manuscript.&lt;/p&gt;</description>
  </descriptions>
</resource>
110
13
views
downloads
All versions This version
Views 11071
Downloads 1311
Data volume 18.8 MB16.0 MB
Unique views 7558
Unique downloads 1311

Share

Cite as