SecDocker: Hardening the Continuous Integration Workflow

Authors:

  1. Fernández González, David
  2. Rodríguez Lera, Francisco Javier
  3. Esteban, Gonzalo
  4. Fernández Llamas, Camino

Affiliation: Universidad de León, León, Spain (ROR https://ror.org/02tzt0b78)

Journal: SN Computer Science

ISSN: 2662-995X 2661-8907

Year of publication: 2021

Volume: 3

Issue: 1

Type: Article

DOI: 10.1007/S42979-021-00939-4 (open access at the publisher)


Funding information

Funders

  • Universidad de León-Instituto Nacional de Ciberseguridad
  • Universidad de León
