Integrating a Pentesting Tool for IdM Protocols in a Continuous Delivery Pipeline / Bisegna, A.; Carbone, R.; Ranise, S. - 13136:(2021), pp. 94-110. (Paper presented at the 4th International Workshop on Emerging Technologies for Authorization and Authentication, ETAA 2021, co-located with the 26th European Symposium on Research in Computer Security, ESORICS 2021, held in deu in 2021) [10.1007/978-3-030-93747-8_7].

Integrating a Pentesting Tool for IdM Protocols in a Continuous Delivery Pipeline

Ranise S.
2021-01-01

Abstract

Identity Management (IdM) solutions are increasingly important for the digital infrastructures of both enterprises and public administrations. Their security is a mandatory prerequisite for building trust in current and future digital ecosystems. IdM solutions are usually large-scale, complex software systems maintained and developed by several groups of ICT professionals. A Continuous Delivery (CD) pipeline is adopted to make the maintenance, extension, and deployment of such solutions as efficient and repeatable as possible. For security, the CD pipeline is also used for continuous risk assessment, to quickly evaluate the security impact of changes. Several tools have been developed and integrated into the CD pipeline to support this view in the so-called DevSecOps approach, with the notable exception of a tool for protocol pentesting and compliance checking against standards such as SAML 2.0, OAuth 2.0 and OpenID Connect. To fill this gap, we propose an approach to integrate Micro-Id-Gym, a tool for the automated pentesting of IdM deployments, in a CD pipeline. We report our experience in doing this and discuss the advantages of using the tool in the context of a joint effort with Poligrafico e Zecca dello Stato Italiano to build a digital identity infrastructure.
2021
Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics)
Germany
Springer Science and Business Media Deutschland GmbH
978-3-030-93746-1
978-3-030-93747-8
Bisegna, A.; Carbone, R.; Ranise, S.
Files in this record:
No files are associated with this record.

Documents in IRIS are protected by copyright and all rights are reserved, unless otherwise indicated.

Use this identifier to cite or link to this document: https://hdl.handle.net/11572/333189
Warning

Warning! The data displayed have not been validated by the university.

Citations
  • PMC: ND
  • Scopus: 0
  • ISI: ND