Actions in the Wild: Usability and ease of use of open source security tools - OCX 2024
"Eclipse Tractus-X" [1] is the official open-source project of the Catena-X [2] ecosystem, hosted by the Eclipse Foundation [3]. Its central landing page on GitHub [4] carries all the information the developer community needs to use or contribute to the software and the community. The goal is to provide a digital infrastructure that enables seamless data exchange and collaboration across the entire supply chain ecosystem. Tractus-X consists of 60 repositories and has three active Special Interest Groups (SIGs): SIG-Release, SIG-Infra and SIG-Security [5]. SIG-Security focuses on security-related activities and collaborates with the other SIGs to build a shared understanding of, and shape, the project's security framework. With constant engagement and meaningful contributions from around 180 contributors, the project encourages members to progress towards becoming a committer [6]. Security activities were systematically integrated into the GitHub platform, using its capabilities to automate and streamline security checks. Following a "security-by-design" approach, the project has adopted security controls across the Software Development Life Cycle (SDLC): CodeQL performs Static Application Security Testing (SAST), Dependabot performs Software Composition Analysis (SCA), Trivy scans Infrastructure-as-Code (IaC), and further open-source tools complement them. Developers' feedback led to practical adjustments that made the tools more user-friendly and effective. This strategy not only reduced risk but also enabled a deeper understanding and smoother adoption of open-source security tools, leading to a more secure and streamlined SDLC.
In this talk, attendees will learn about vulnerability analysis, lessons learned and best practices from implementing such open-source tools, based on real scenarios experienced during the development of Tractus-X. The criticality and impact of the vulnerabilities identified will be presented with their Common Vulnerabilities and Exposures (CVE) identifiers and Common Vulnerability Scoring System (CVSS) scores, together with how an automated approach using GitHub Actions plays a vital role in continuously monitoring for the presence of vulnerabilities. The takeaway includes how a CVSS score is derived and which parameters feed into it, e.g., CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H (attack vector, attack complexity, privileges required, user interaction, scope, and confidentiality, integrity and availability impact). This gives the audience a deeper insight into why different tools report different CVSS scores for the same CVE, and how the scores in certain security databases differ from those in the National Vulnerability Database (NVD).

[1] Hello from Eclipse Tractus-X | Eclipse Tractus-X (eclipse-tractusx.github.io)
[2] Catena-X Automotive Network | Catena-X
[3] The Community for Open Collaboration and Innovation | The Eclipse Foundation
[4] Eclipse Tractus-X (github.com)
[5] eclipse-tractusx/sig-security (github.com)
[6] sig-security/security-committer-pathway.md at main · eclipse-tractusx/sig-security (github.com)

Attendee Pre-requisites
- Nice to have: knowledge of GitHub Actions
- Interest in learning about CVE and CVSS scores