Provenance-based Security Audits and its Application
to COVID-19 Contact Tracing Apps
Andreas Schreiber1, Tim Sonnekalb1, Thomas S. Heinze1,
Lynn von Kurnatowski1, Jesus M. Gonzalez-Barahona2, Heather Packer3
1 German Aerospace Center (DLR), Germany
2 Universidad Rey Juan Carlos, Spain
3 University of Southampton, United Kingdom
> IPAW 2021 > A. Schreiber et al. • Provenance-based Security Audits and its Application to COVID-19 Contact Tracing Apps > 19.07.2021
DLR.de • Chart 1
Coronavirus “Contact Tracing Apps”
German “Corona Warn App” (CWA)
• App for Exposure Notification
• Based on APIs by Apple and Google
• Developed as Open-Source Software by SAP and Telekom
• External contributors (via pull requests)
• https://github.com/corona-warn-app
• 12 repositories (update: 23)
Our Mission
• To analyze the quality of CWA and its Open-Source development process
• Generate advice for other government apps
Image: © 2020 Marlene Brüggemann
Development of the “Corona Warn App”
https://cauldron.io/project/3860
Getting Knowledge from git-based Projects
1. Repository Mining
• Extraction of provenance information from git projects (files, issues, pull requests, etc.) in PROV format → Directed Acyclic Graphs (DAGs)
• Tools: Git2prov, GitHub2Prov, GitLab2Prov
2. Graph Storage
• Storing provenance in graph databases → Property Graphs
• Tools: Neo4j, prov-db-connector, prov2neo
3. Generate Insights
• Graph analytics and graph visualization
• Tools: Cypher, Neo4j Bloom, Gephi, Mathematica
Repository Mining: Extraction of Provenance Information from git Projects
Diagram: provenance extraction pipeline. Git*2PROV extracts provenance (PROV as JSON/RDF) from the git repositories of the GitHub organization corona-warn-app (cwa-server, cwa-app-ios, cwa-app-android, cwa-website, cwa-documentation, …); prov2neo loads it into the Neo4j graph database. Additional data (contributors/team membership) is requested via PyGithub and merged (MERGE) into the graph, which is then queried with Cypher.
GitHub2PROV
• See paper at the 11th International Workshop on Theory and Practice of Provenance (TaPP 2019), Philadelphia, June 2019
• https://www.usenix.org/conference/tapp2019/presentation/packer
Based on Git2PROV (by de Nies et al.)
• Extends the PROV model of Git2PROV
Provenance Graph – Example
Visualization with Graphviz/dot
Which files have commits by team members as well as external contributors?
Query Data for Visualization from Neo4j with Cypher Queries
Visualization: Contributions of Team Members and External Contributors (Tool: Gephi)
Project: cwa-documentation
Legend: File (Entity), Developer (Agent), External contribution, Team member contribution
Project: cwa-server (Tool: Gephi)
Legend: File (Entity), Developer (Agent), External contribution, Team member contribution
Static Application Security Testing (SAST) Pipeline
Diagram: SAST pipeline. Commit hashes are queried from the Neo4j graph database (QUERY, JSON) and used to check out snapshots of the repositories of the GitHub organization corona-warn-app (cwa-server, …) via git merge <commit hash>. A code filter selects the file paths to analyze; static code analysis with PMD, Xanitizer, Infer, Spotbugs, Detect and Flowdroid produces security findings (JSON), which are parsed and stored in the SAST database together with the commit hashes.
SAST Database Schema
• tool: id INTEGER, name TEXT, config TEXT, version TEXT
• repo: id INTEGER, name TEXT, url TEXT
• snapshot: id TEXT, committer_date TEXT, author_date TEXT, commit_message TEXT, repo INTEGER
• branches: id INTEGER, branch TEXT, snapshot TEXT
• run: id INTEGER, snapshot TEXT, tool INTEGER, success INTEGER
• warning: id INTEGER, message TEXT, location TEXT, severity TEXT, run INTEGER
Number of Code Analysis Warnings for cwa-server Repository
Figure: two line plots of the number of warnings over time (Jul 2020 to Mar 2021), one per tool: PMD (y-axis 0–10) and Xanitizer (y-axis 0–45).
Four Steps of the Provenance-driven Code Analysis
Diagram: the four steps. Step 1: query the Neo4j graph database with Cypher and receive commit hashes as a DataFrame. Step 2: filter and clean the results. Step 3: store the commit hashes in the SAST database (SQLite) and query it with SQL. Step 4: analyze and plot the results and generate diagrams, reports, …
Cypher Query for Getting Commits by External Contributors
Distribution of Number of all SAST Warnings for Commits
Figure: histogram of the number of all SAST warnings per commit (x-axis: warnings per commit, 0–50; y-axis: sum of commits with # warnings, 0–70), split into external contributors and team members.
Distribution of Change in Number of SAST Warnings Caused by Commits
Figure: histogram of the change in the number of warnings induced by each commit (x-axis: change in number of warnings, −15 to 15; y-axis: sum of commits with # diffs, log scale).
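Steps 3 and 4 of the pipeline and the two distributions above (warnings per commit, and the change in warnings induced by a commit), as an added Python example that is not part of the original talk: it creates the slides' SAST database schema in an in-memory SQLite database with constructed rows, and the set of external-contributor commits that the Cypher query on the provenance graph would return is a constructed stand-in (placeholder ids c1..c4, not real CWA commit hashes).

```python
import sqlite3
from collections import Counter

# SAST database schema as shown on the slides (tool, repo, snapshot, branches,
# run, warning); the REFERENCES clauses are added here to make the joins explicit.
SCHEMA = """
CREATE TABLE tool     (id INTEGER PRIMARY KEY, name TEXT, config TEXT, version TEXT);
CREATE TABLE repo     (id INTEGER PRIMARY KEY, name TEXT, url TEXT);
CREATE TABLE snapshot (id TEXT PRIMARY KEY, committer_date TEXT, author_date TEXT,
                       commit_message TEXT, repo INTEGER REFERENCES repo(id));
CREATE TABLE branches (id INTEGER PRIMARY KEY, branch TEXT,
                       snapshot TEXT REFERENCES snapshot(id));
CREATE TABLE run      (id INTEGER PRIMARY KEY, snapshot TEXT REFERENCES snapshot(id),
                       tool INTEGER REFERENCES tool(id), success INTEGER);
CREATE TABLE warning  (id INTEGER PRIMARY KEY, message TEXT, location TEXT,
                       severity TEXT, run INTEGER REFERENCES run(id));
"""

# Constructed stand-in for the Cypher query result from the provenance graph:
# snapshot ids whose commit was authored by an external contributor.
# "c1".."c4" are placeholder ids, not real CWA commit hashes.
EXTERNAL_COMMITS = {"c2"}

# Constructed runs: (run id, snapshot, tool id, success flag, number of warnings).
# The PMD run on "c3" failed, so "c3" has no complete warning count.
RUNS = [
    (1, "c1", 1, 1, 3), (2, "c1", 2, 1, 5),
    (3, "c2", 1, 1, 3), (4, "c2", 2, 1, 7),
    (5, "c3", 1, 0, 0), (6, "c3", 2, 1, 7),
    (7, "c4", 1, 1, 2), (8, "c4", 2, 1, 5),
]


def build_db():
    """Create an in-memory SAST database filled with the constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    conn.execute("INSERT INTO repo VALUES (1, 'cwa-server', "
                 "'https://github.com/corona-warn-app/cwa-server')")
    conn.executemany("INSERT INTO tool VALUES (?, ?, ?, ?)",
                     [(1, "PMD", None, None), (2, "Xanitizer", None, None)])
    conn.executemany("INSERT INTO snapshot VALUES (?, ?, ?, ?, 1)", [
        ("c1", "2020-07-01", "2020-07-01", "constructed commit 1"),
        ("c2", "2020-07-05", "2020-07-04", "constructed commit 2"),
        ("c3", "2020-07-10", "2020-07-10", "constructed commit 3"),
        ("c4", "2020-07-15", "2020-07-14", "constructed commit 4"),
    ])
    for run_id, sid, tool_id, success, n_warnings in RUNS:
        conn.execute("INSERT INTO run VALUES (?, ?, ?, ?)", (run_id, sid, tool_id, success))
        conn.executemany(  # one constructed finding row per warning
            "INSERT INTO warning VALUES (NULL, ?, ?, ?, ?)",
            [(f"constructed finding {i}", f"src/Example{i}.java:{10 * i}", "MEDIUM", run_id)
             for i in range(n_warnings)])
    conn.commit()
    return conn


def warnings_per_commit(conn):
    """Total warnings per snapshot over all tools, in committer-date order.

    A snapshot with any failed tool run is dropped: its count would only reflect
    the tools that did run and would distort the per-commit comparison.
    """
    rows = conn.execute("""
        SELECT s.id, r.success, COUNT(w.id)
        FROM snapshot s
        JOIN run r ON r.snapshot = s.id
        LEFT JOIN warning w ON w.run = r.id
        GROUP BY s.id, r.id
        ORDER BY s.committer_date, s.id
    """).fetchall()
    order, totals, failed = [], {}, set()
    for sid, success, count in rows:
        if sid not in totals:
            order.append(sid)
            totals[sid] = 0
        totals[sid] += count
        if not success:
            failed.add(sid)
    return [(sid, totals[sid]) for sid in order if sid not in failed]


def contribution_histograms(per_commit, external):
    """Number of commits per warning count, split by contributor class."""
    hist = {"external": Counter(), "team": Counter()}
    for sid, count in per_commit:
        hist["external" if sid in external else "team"][count] += 1
    return hist


def warning_deltas(per_commit):
    """Change in the warning count induced by each commit.

    The delta is taken against the previous comparable snapshot in committer-date
    order (assumes a linear history); the first snapshot has no predecessor.
    """
    return [(sid, count - prev_count)
            for (_, prev_count), (sid, count) in zip(per_commit, per_commit[1:])]


if __name__ == "__main__":
    db = build_db()
    per_commit = warnings_per_commit(db)
    print("warnings per commit:", per_commit)
    print("histograms:", contribution_histograms(per_commit, EXTERNAL_COMMITS))
    print("deltas:", warning_deltas(per_commit))
```

Because the failed PMD run excludes c3, the delta for c4 is computed against c2, the last snapshot with a complete set of tool runs.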
Current & Future Work
Applying the methodology to other projects
• DLR Inner Source: aerospace software
• Apps with high public relevance: Luca App, CovPass App, …
Automation and visual analytics
• Easy setup for new projects (GitHub/GitLab)
• (Public) interactive dashboard
Adding additional data sources
• App execution traces
• Social media mentions
Thank You!
Questions?
Andreas Schreiber
Andreas.Schreiber@dlr.de
DLR Institute for Software Technology,
Intelligent and Distributed Systems
http://www.DLR.de/sc/ivs
@onyame | @DLR_software