Abstract
Identity Management (IdM) solutions are increasingly important for the digital infrastructures of both enterprises and public administrations. Their security is a mandatory prerequisite for building trust in current and future digital ecosystems. IdM solutions are usually large-scale, complex software systems maintained and developed by several groups of ICT professionals. A Continuous Delivery (CD) pipeline is adopted to make the maintenance, extension, and deployment of such solutions as efficient and repeatable as possible. For security, the CD pipeline is also used as a form of continuous risk assessment, to quickly evaluate the security impact of changes. Several tools have been developed and integrated into CD pipelines to support this view in the so-called DevSecOps approach, with the notable exception of a tool for protocol pentesting and compliance checking against standards such as SAML 2.0, OAuth 2.0 and OpenID Connect. To fill this gap, we propose an approach to integrate Micro-Id-Gym—a tool for the automated pentesting of IdM deployments—into a CD pipeline. We report our experience in doing this and discuss the advantages of using the tool in the context of a joint effort with Poligrafico e Zecca dello Stato Italiano to build a digital identity infrastructure.
This work was partially funded by the Horizon 2020 project “Strategic Programs for Advanced Research and Technology in Europe” (SPARTA), grant agreement No. 830892, and by the Italian National Mint and Printing House (Istituto Poligrafico e Zecca dello Stato).
© 2021 Springer Nature Switzerland AG
Cite this paper
Bisegna, A., Carbone, R., Ranise, S. (2021). Integrating a Pentesting Tool for IdM Protocols in a Continuous Delivery Pipeline. In: Saracino, A., Mori, P. (eds) Emerging Technologies for Authorization and Authentication. ETAA 2021. Lecture Notes in Computer Science, vol 13136. Springer, Cham. https://doi.org/10.1007/978-3-030-93747-8_7
DOI: https://doi.org/10.1007/978-3-030-93747-8_7
Publisher Name: Springer, Cham
Print ISBN: 978-3-030-93746-1
Online ISBN: 978-3-030-93747-8
eBook Packages: Computer Science, Computer Science (R0)