Abstract

During the past decade, software development has evolved from a rigid, linear process to a highly automated and flexible one, thanks to the emergence of continuous integration and delivery environments. Nowadays, more and more development teams rely on such environments to build their complex projects, as the advantages they offer are numerous. On the security side, however, most environments seem to focus on authentication, neglecting other critical aspects such as the integrity of the source code and the compiled binaries. To ensure the soundness of a software project, its source code must be secured from malicious modifications. Yet, no method can accurately verify that the integrity of the project’s source code has not been breached. This paper presents P2ISE, a novel integrity-preserving tool that provides strong security assertions for developers against attackers. At the heart of P2ISE lies the TPM trusted computing technology, which is leveraged to ensure integrity preservation. We have implemented P2ISE and quantitatively assessed its performance and efficiency.

Highlights

  • We propose the P2ISE, a novel tool that is tailored to the Continuous Integration (CI)/Continuous Delivery (CD) concept and employs trusted computing technologies, such as secure elements, to ensure the integrity of software projects

  • This extended version includes: (i) a detailed model of possible threats in the study architecture; a precise justification of the need to use a secure element as a trust anchor; (ii) a summary of different benchmarking tests that have been carried out to analyze different projects that exhibit a variety in terms of size and conditions, which demonstrate with real figures the impact that the proposed solution has in terms of performance; and (iii) a discussion related to the security features of P2ISE

  • P2ISE, a novel integrity preserving tool for CI/CD pipelines based on the use of secure elements

Summary

Introduction

Publisher’s Note: MDPI stays neutral with regard to jurisdictional claims in published maps and institutional affiliations.

We can define CI’s primary goal as providing a set of tools to build, package and test applications in an automated and consistent way. This consistency allows the teams to increase the frequency of committing code changes, improving both collaboration and software quality. Despite the increasing popularity of CI/CD tools among the developer community and all the attention they have been getting, to the best of our knowledge, there is no work in the literature proposing a way to guarantee the integrity of software projects as part of the CI/CD pipelines. This paper identifies and analyzes the security gap that exists in the CI/CD pipeline regarding a software project’s integrity. To this end, we propose the P2ISE, a novel tool that is tailored to the CI/CD concept and employs trusted computing technologies, such as secure elements, to ensure the integrity of software projects.

Definition and Participants
Motivation
Threat Analysis
Security and Functional Requirements
Security Requirements
Functional Requirements
Passive storage with no shared access
Related Work
Secure Element as Trust Anchor
The P2ISE Concept
First Integrity Validation Check
Second Integrity Validation Check
Third Integrity Validation Check
Security Appraisal
Performance Evaluation
Security Analysis
Findings
Conclusions