
Towards Continuous Risk Assessment and Conformance Checking of IdM Deployments

Author: Bisegna, Andrea
Publisher: Zenodo
DOI: 10.1109/EuroSPW67616.2025.00070
Source: https://zenodo.org/records/17674720/files/2025.pdf
Andrea Bisegna∗, Roberto Carbone∗, Laura Cristiano∗, Pietro De Matteis†, Silvio Ranise∗‡
∗Center for Cybersecurity, Fondazione Bruno Kessler, Trento, Italy
†Co-Innovation Lab, Dedagroup Spa, Trento, Italy
‡Department of Mathematics, University of Trento, Trento, Italy
Emails: {a.bisegna, carbone, l.cristiano, pdematteis, ranise}@fbk.eu

Abstract—Ensuring effective threat intelligence sharing, assessing potential risks, and responding to threats remain significant challenges, particularly in complex systems and critical infrastructures. Environmental, Social, and Governance platforms are emerging as comprehensive solutions that integrate cybersecurity with governance principles, enhancing transparency and proactive risk management. However, integrating security tools into platforms that enable conformance checking and continuous risk assessment poses challenges, including automating security workflows and prioritizing vulnerabilities based on severity and exploitability. This paper presents an extended version of Micro-Id-Gym (MIG), an open-source security testing tool for Identity Management (IdM) implementations. The goal of this enhancement is to make MIG easily integrable into platforms for continuous risk assessment and mitigation in complex software supply chains deploying IdM solutions critical to the Zero Trust paradigm. By supporting trustworthy deployments, MIG focuses on conformance testing as a key mechanism to ensure reliability and compliance in multi-entity deployments. The extended version of MIG is designed for seamless integration into Continuous Integration and Continuous Delivery pipelines and has been validated in Open Authorization 2.0 and OpenID Connect deployments.

Index Terms—OIDC, OAuth, Security Testing, Conformance Checking, DevSecOps, Continuous Risk Assessment

1. Introduction

Effectively sharing threat intelligence, evaluating risk exposure, and reacting to threats in a timely manner remain significant challenges, particularly in critical infrastructures and complex ecosystems where security incidents can have far-reaching effects. Organizations need to implement stronger systems to identify, evaluate, and reduce risks in real time as cyber threats continue to change. Environmental, Social, and Governance (ESG) [1] platforms are becoming well-known as cutting-edge solutions made to simplify reporting and offer stakeholders and decision-makers useful information. These platforms improve accountability and transparency for a wide audience in addition to assisting companies to measure, communicate, and accomplish corporate sustainability goals. Organizations can link cybersecurity with governance principles and ensure a more thorough and proactive approach to risk management by including security risk assessment into ESG platforms.

This work has been partially funded by 1) the project SEcurity and RIghts in the CyberSpace (SERICS) (PE00000014) under the Ministero dell'Università e della Ricerca (MUR) National Recovery and Resilience Plan funded by the European Union—NextGenerationEU, and 2) the joint laboratory between Fondazione Bruno Kessler and the Italian Government Printing Office and Mint, Italy (Istituto Poligrafico e Zecca dello Stato).
In today's digital economy, organizations face the challenge of balancing ESG objectives—encompassing environmental, social, and governance goals—with the critical need to increase their cybersecurity posture and data protection.

Moreover, as digital transformation accelerates, securing online services is paramount, as it directly impacts both user experience and overall system security. Organizations must implement stringent authentication and authorization mechanisms to ensure seamless yet secure access to digital platforms; these mechanisms are the basis for developing Zero Trust approaches to the security of complex digital ecosystems.

In turn, Zero Trust can be seen as a promising strategy to achieve the goals of Governance in the broader context of ESG adoption. As a consequence, Digital Identity Management (IdM) becomes the cornerstone of most cyber resilience strategies that complement Governance. For this reason, IdM protocols play a key role in this process by providing standardized mechanisms for user authentication, authorization, and identity verification. By leveraging third-party authentication, IdM protocols eliminate the need to store authentication credentials within the services they support, offering a secure solution that helps both private and public organizations prevent the misuse or abuse of login credentials and mitigate the risk of data breaches. IdM protocol standards—including Security Assertion Markup Language 2.0 (SAML) [10], OpenID Connect (OIDC) [11], and Open Authorization 2.0 (OAuth) [9]—manage user access requests and provide responses based on the information users provide, enhancing security and interoperability across multiple platforms.

Although many security tools offer specialized functionalities, such as vulnerability scanning, security testing, and intrusion detection, their integration into platforms that enable conformance checking and continuous risk assessment presents significant challenges [16], [17]. These tools are often developed independently, with different architectures, data formats, and operational requirements, making seamless interoperability complex. Additionally, platforms that utilize conformance checking and continuous risk assessment require automated workflows, standardized reporting, and real-time risk assessment capabilities, further complicating the integration process. As a result, achieving a cohesive security framework that effectively leverages multiple tools within such platforms demands robust design and automation.

In summary, the main challenges [12], [13] in leveraging security tools and integrating them effectively to assess risk and perform conformance checking are:
• Their incorporation into automated workflows, as many tools are not designed for seamless execution in dynamic and continuously evolving environments, requiring adaptability and non-interactive operation.
• Making them able to support automated risk assessment and mitigation, as security tools generate large volumes of raw data that must be contextualized, prioritized based on severity and exploitability, and integrated with governance models for effective mitigation.

In this paper, we present an extended version of Micro-Id-Gym (MIG) [2], an open-source tool designed for security testing of IdM deployments, ready to be integrated into a Continuous Integration (CI) and Continuous Delivery (CD) pipeline. The extension has been tested in two different IdM deployments: one based on OAuth and the other on OIDC.

The extended version of MIG addresses the two identified challenges.

The first challenge, ensuring seamless integration into automated workflows, was overcome by embedding MIG within a CI/CD pipeline under the DevSecOps¹ framework. This enables automated security testing at different stages of development, reducing reliance on manual interventions and ensuring a consistent and repeatable testing process. By continuously monitoring the security posture of IdM deployments, MIG facilitates early detection of vulnerabilities, allowing organizations to remediate security gaps before they impact production environments. Additionally, the integration of MIG within CI/CD workflows enhances scalability and operational efficiency, making it easier to enforce security policies.

Concerning the second challenge, MIG automates risk assessment and mitigation by prioritizing vulnerabilities based on their severity and impact. By contextualizing security findings, MIG helps security teams focus on critical threats and optimize response efforts. The reporting mechanism provides detailed mitigation hints, enabling organizations to implement targeted security improvements while ensuring regulatory compliance. This automation reduces manual workload, minimizes human error, and ensures that security measures are efficiently enforced across evolving digital environments.

The paper is structured as follows: Section 2 provides an overview of MIG, how it works, and how it was extended to be integrated in a CI/CD pipeline. Section 3 reports two different scenarios to highlight the versatility of the proposed solution. Section 4 concludes the paper and highlights future work.

1. https://www.redhat.com/en/topics/devops/what-is-devsecops
2. Micro-Id-Gym

MIG [3] is a tool designed to assist system administrators and testers in security testing of implementations based on IdM protocols and includes a set of tests. For each test that can be executed in MIG, a security tester defines both a session and a test, as shown in Figure 1. The session functions similarly to a user interface integration test commonly used in web application testing. It consists of a sequence of user actions performed by a browser to generate the HTTP messages necessary for the test, allowing MIG to simulate user interactions and analyze the web application's response. The test, written in MIG-L—a formal and concise declarative language for security testing—comprises a sequence of operations for managing and manipulating HTTP messages and the session. The test also integrates an oracle that automates the criteria for evaluating test results. Designed for versatility, MIG-L is adaptable to all web-based IdM protocols, as its principles and structure are sufficiently generic to support them.

As shown in Figure 1, the test handler is responsible for interpreting and executing tests written in MIG-L. When required, it activates the session handler, which processes the session and replicates user actions within a browser. All HTTP messages pass through a proxy, where they can be intercepted and analyzed. The proxy interaction component facilitates communication with the proxy, ensuring compliance with the test-defined conditions. The reporting component generates detailed output on detected vulnerabilities and recommended security measures, offering valuable insights to security testers and stakeholders to improve cybersecurity risk management. To execute tests, we define three distinct application programming interfaces (APIs) that operate independently of the underlying technology. These APIs—the browser API, proxy API, and session API—support automated user interactions, message interception and manipulation, and test session execution, respectively. They streamline the testing process while enhancing the flexibility and usability of MIG.

MIG [6] includes Burp Suite² (Burp) as the proxy, Mozilla Firefox³ (Firefox) as the browser, and MIG-T⁴ as the security testing tool. Both Burp and Firefox are containerized within Docker to ensure a consistent and isolated execution environment.

Currently, security testers perform tests on a Deployment Under Test (DUT) using MIG-T through its Graphical User Interface (GUI). However, integrating MIG into a CI/CD pipeline requires an alternative approach, as automated execution and effective test result management are essential for seamless integration and automation. To address this limitation and align with the ongoing development of MIG [5], MIG has been adapted to meet the following requirements: (i) simulating user actions within the DUT as defined in the session, and (ii) executing tests on the HTTP messages intercepted by the proxy.

2. https://portswigger.net/burp/communitydownload
3. https://www.mozilla.org/en-US/firefox/
4. https://github.com/stfbk/mig-t

Figure 1. High Level Architecture of MIG [6].

To achieve this, MIG has been enhanced with the necessary capabilities to operate in headless mode—without any GUI—allowing all components, including Mozilla Firefox, Burp, and MIG-T, to run seamlessly.

Running Mozilla Firefox in headless mode was achieved by setting the environment variable MOZ_HEADLESS to 1, following the approach described in [7]. By adding ENV MOZ_HEADLESS=1 to the Dockerfile, Mozilla Firefox runs without launching a visible window, optimizing system resources while enabling the seamless web interactions and tests required by MIG-T. This approach eliminates the overhead of managing a full browser instance, ensuring efficient execution within the testing environment.

Regarding Burp, it can be executed in headless mode using the -Djava.awt.headless=true option. According to Oracle's technical resources on Java SE, this Java Virtual Machine (JVM) parameter disables the graphical components of Java applications, allowing them to run without a display [8]. By incorporating this headless option into the Dockerfile, we ensured that Burp runs efficiently in such environments.

Regarding MIG-T, we introduced two APIs to facilitate test execution and result retrieval without requiring interaction with the MIG-T GUI. Specifically, we implemented:
• /execute: An HTTP POST request that validates and executes a test after verifying its syntax. The onlyValidate parameter can be used (e.g., /execute?onlyValidate=true), allowing the test to be validated without execution.
• /result: An HTTP GET request that checks whether the test execution is complete and retrieves the results. MIG provides detailed reports, offering developers and security teams rapid feedback and valuable insights into security vulnerabilities and recommended mitigations, to facilitate risk assessment and prioritization of fixes.
Figure 2 illustrates a GitHub Workflow integrating MIG within a CI/CD pipeline for automated security testing. The process follows these steps:

1. Action. A developer initiates the process by performing an action on the Entity Under Test (EUT) repository. The action could be, for instance, pushing new code into the repository or submitting a pull request on the main branch.

2. Trigger Pipeline. The action triggers the pipeline, executing the job on a runner machine. The pipeline can also be triggered manually.

3. Retrieve Images. The first step in the GitHub Job⁵ is to retrieve the necessary Docker images⁶ to set up the execution environment for running the tests. The Docker images include:
• The EUT image used for testing verification.
• The Reference Environment (Ref. Env.) image, which includes all the necessary entities defined by the IdM protocol.
• The MIG image, which includes MIG-T, Firefox and Burp.

4. Build and Deploy. On the runner machine, the Docker images are deployed, and the following containers are instantiated:
• The EUT and Ref. Env. are federated and deployed in the same container.
• MIG is deployed in a separate container.

5. Perform Tests. MIG executes tests on the deployed EUT container. The collected tests are organized in a test plan and available in the MIG repository⁷.

6. Save Results as Artifacts. After the testing is completed, the results are collected and stored as artifacts on GitHub for sharing. The output includes detailed information on the tests performed, identified vulnerabilities or compliance issues, and suggested mitigations.

7. Data Transfer. Once MIG results are stored as artifacts, the data can be transferred via its APIs. This can be done on demand or integrated as the final step in the workflow.

5. https://docs.github.com/en/actions
6. https://docs.docker.com/get-started/docker-concepts/the-basics/what-is-an-image/
7. https://github.com/stfbk/mig
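A GitHub Actions workflow that follows steps 1 to 7 above, written here as an added illustration; it is not taken from the paper or from the MIG repository. Only the endpoints and parameters named in the text (POST /execute, ?onlyValidate=true, GET /result) and MOZ_HEADLESS=1 come from the paper. The image names and registry, the port MIG-T listens on, the location of the test plan inside the EUT repository, JAVA_TOOL_OPTIONS as the way to hand the -Djava.awt.headless=true flag to Burp, and the assumption that /result answers with a non-2xx status while a run is still in progress are all assumptions made for the example.

```yaml
# Added example workflow (not the paper's or MIG's own). See the lead-in
# for which values are assumptions.
name: mig-idm-security-tests

on:
  push:
    branches: [main]        # step 1: push on the main branch
  pull_request:
    branches: [main]        # step 1: pull request on the main branch
  workflow_dispatch:        # step 2: manual trigger

jobs:
  mig:
    runs-on: ubuntu-latest  # step 2: the runner machine
    env:
      EUT_IMAGE: ghcr.io/example-org/eut-with-ref-env:latest  # assumption
      MIG_IMAGE: ghcr.io/example-org/mig:latest               # assumption
      MIG_URL: http://localhost:8080                           # assumption
      TEST_PLAN: testplans/oauth/testplan.json                 # assumption
    steps:
      - uses: actions/checkout@v4

      - name: Retrieve images (step 3)
        run: |
          docker pull "$EUT_IMAGE"
          docker pull "$MIG_IMAGE"

      - name: Build and deploy (step 4)
        run: |
          docker network create idm-net
          # EUT and Reference Environment federated inside one container
          docker run -d --name eut --network idm-net "$EUT_IMAGE"
          # MIG (MIG-T, Firefox, Burp) in its own container, headless
          docker run -d --name mig --network idm-net -p 8080:8080 \
            -e MOZ_HEADLESS=1 \
            -e JAVA_TOOL_OPTIONS=-Djava.awt.headless=true \
            "$MIG_IMAGE"

      - name: Perform tests (step 5)
        run: |
          # Validate the test plan syntax first, then execute it.
          curl --fail -sS -X POST "$MIG_URL/execute?onlyValidate=true" \
            --data-binary @"$TEST_PLAN"
          curl --fail -sS -X POST "$MIG_URL/execute" \
            --data-binary @"$TEST_PLAN"
          # Poll /result until the run is complete.
          for attempt in $(seq 1 60); do
            if curl --fail -sS "$MIG_URL/result" -o mig-result.json; then
              exit 0
            fi
            sleep 10
          done
          echo "MIG did not finish within the polling window" >&2
          exit 1

      - name: Save results as artifacts (step 6)
        if: always()
        uses: actions/upload-artifact@v4
        with:
          name: mig-results
          path: mig-result.json
```

Step 7 is not a workflow step here: a consuming risk-assessment platform fetches the stored artifact, or calls GET /result on demand, whenever it needs the findings.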
3. Case Studies

Two use cases are presented to demonstrate the versatility of the proposed solution. Below, we describe Scenario 1 (S1), OAuth for Enterprise deployment; and Scenario 2 (S2), the SPID/CIE OIDC deployment in Developers Italia.

S1: OAuth for Enterprise Deployment

This scenario is based on a case study from the Co-Innovation Lab CLEANSE⁸, which focuses on enhancing security automation within enterprise OAuth deployments. The primary objective is to integrate security testing into the Security Development Lifecycle (SDL) by automating security assessments through a CI/CD pipeline.

In this scenario, the EUT acts as the OAuth Client, while the Ref. Env. is Keycloak⁹, an open-source identity and access management system that provides an OAuth protocol implementation. The security assessment was conducted using MIG, which was integrated into the CI/CD GitHub pipeline to perform automated security testing and compliance verification.

As part of the security evaluation, a predefined set of tests tailored to OAuth was executed to analyze the client implementation and ensure adherence to best practices outlined in OAuth specifications. The security analysis uncovered a misconfiguration in the Authorization request, specifically related to the Proof Key for Code Exchange (PKCE)¹⁰ mechanism:
• Missing PKCE implementation: The absence of the code_challenge and code_verifier parameters in the Authorization request indicated that PKCE was not implemented. PKCE is mandatory for clients using the Authorization Code flow, as it prevents Cross-Site Request Forgery (CSRF) and authorization code injection attacks, thereby strengthening the security of OAuth-based authentication flows. Failure to implement PKCE significantly increases the risk of authorization code interception and replay attacks, which could lead to unauthorized access, session hijacking, and potential data breaches.

Following the identification of this misconfiguration, the results were shared with the development team, along with recommended mitigation strategies also returned by MIG. As a result, the identified issue was successfully fixed, improving the security posture of the OAuth client and ensuring compliance with OAuth security best practices.

This use case demonstrates how MIG enables early detection and mitigation of security misconfigurations, ensuring automated compliance verification and strengthening security within enterprise OAuth deployments.

8. https://www.deda.group/deda/innovazione/co-innovation-lab
9. https://www.keycloak.org/
10. https://www.rfc-editor.org/info/rfc7636
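The PKCE finding of S1, as an added illustration in Python (not a MIG-L test and not code from the paper or the MIG project): a conformance check over an Authorization request URL that reports the missing code_challenge exactly as described above, the client-side derivation of a code_verifier and its S256 code_challenge per RFC 7636, and the matching verification an authorization server performs at the token endpoint. The endpoint, client identifier and redirect URI in the sample requests are constructed placeholders.

```python
import base64
import hashlib
import hmac
import secrets
from urllib.parse import parse_qs, urlparse

# Characters RFC 7636 allows in a code_verifier (unreserved URI characters).
UNRESERVED = set("ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789-._~")


def b64url(data: bytes) -> str:
    """Base64url without '=' padding, as RFC 7636 Appendix A specifies."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def make_pkce_pair() -> tuple[str, str]:
    """Client side: a fresh 256-bit code_verifier and its S256 code_challenge."""
    verifier = b64url(secrets.token_bytes(32))  # 43 unreserved characters
    challenge = b64url(hashlib.sha256(verifier.encode("ascii")).digest())
    return verifier, challenge


def check_pkce_in_authorization_request(url: str) -> list[str]:
    """Conformance check over an Authorization request URL.

    Returns a list of findings; an empty list means the Authorization Code
    request carries a well-formed S256 challenge.
    """
    params = parse_qs(urlparse(url).query, keep_blank_values=True)
    if params.get("response_type") != ["code"]:
        return ["response_type is not 'code': not an Authorization Code flow request"]
    challenge = params.get("code_challenge")
    if not challenge or not challenge[0]:
        return ["code_challenge missing: PKCE not implemented"]
    findings = []
    # RFC 7636 makes 'plain' the default when code_challenge_method is absent.
    method = params.get("code_challenge_method", ["plain"])[0]
    if method != "S256":
        findings.append(f"code_challenge_method is '{method}': S256 is required")
    if len(challenge[0]) != 43 or not set(challenge[0]) <= UNRESERVED:
        findings.append("code_challenge is not a 43-character base64url SHA-256 digest")
    return findings


def verify_code_verifier(code_verifier: str, code_challenge: str) -> bool:
    """Authorization server side, at the token endpoint: recompute the S256
    challenge from the presented code_verifier and compare in constant time."""
    if not 43 <= len(code_verifier) <= 128 or not set(code_verifier) <= UNRESERVED:
        return False
    expected = b64url(hashlib.sha256(code_verifier.encode("ascii")).digest())
    return hmac.compare_digest(expected, code_challenge)


# Constructed sample requests; host names and client_id are placeholders.
BASE_REQUEST = (
    "https://idp.example.test/authorize?response_type=code&client_id=demo-client"
    "&redirect_uri=https%3A%2F%2Fapp.example.test%2Fcb&scope=openid&state=xyz123"
)
DEMO_VERIFIER, DEMO_CHALLENGE = make_pkce_pair()
HARDENED_REQUEST = (
    f"{BASE_REQUEST}&code_challenge={DEMO_CHALLENGE}&code_challenge_method=S256"
)

if __name__ == "__main__":
    print("as found in S1:", check_pkce_in_authorization_request(BASE_REQUEST))
    print("after the fix: ", check_pkce_in_authorization_request(HARDENED_REQUEST))
    print("token endpoint accepts verifier:",
          verify_code_verifier(DEMO_VERIFIER, DEMO_CHALLENGE))
```

The check deliberately treats an absent code_challenge_method as 'plain', which is what RFC 7636 prescribes, so a client that sends only a raw challenge is reported as non-conformant rather than silently accepted.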
S2: SPID/CIE OIDC deployment in Developers Italia

As part of a long-term collaboration with the Italian Government Printing Office and Mint (Istituto Poligrafico e Zecca dello Stato), we developed a set of compliance and security tests for SPID/CIE OIDC [14] deployments. This national digital identity solution is based on the OIDC standard and leverages the Italian electronic identity card (CIE). The tests are available on GitHub¹¹, offering resources to the community of developers who design and develop code for Italian digital public services.

The goal of this scenario is to verify the compliance of the OpenID Provider (OP) and the Relying Party (RP) of the SPID/CIE OIDC Federation SDK deployment¹² with the SPID/CIE OIDC specifications [14], by using MIG in a CI/CD pipeline and executing a set of tests available on GitHub¹³.

In this scenario, the Ref. Env. contains the EUT, configured as either an OP or an RP. Additionally, the Trust Anchor (TA) is included in the Ref. Env. to ensure the integrity and trustworthiness of the authentication process.

After running the tests for the OP, two issues were identified in the Authorization request:
• The client_id and response_type parameters could be edited and removed, contrary to the requirement that they should be present both as query parameters and inside the JSON Web Token (JWT) request object. This vulnerability weakens the integrity of the Authorization request, potentially allowing attackers to manipulate request parameters, bypass access controls, and gain unauthorized access to protected resources.
• The presence and correctness of the scope parameter in the URL were not properly validated, despite the requirement that it must be sent as a query parameter and inside the JWT request object, with both values being the same. This mismatch occurred because the JWT request object suppressed the URL values. Improper validation of the scope parameter can lead to privilege escalation, where an attacker could request broader permissions than intended, resulting in unauthorized access to sensitive data or functionalities.

Regarding the RP test results, one issue was identified during the analysis:
• The iss parameter was removed from the authentication response without triggering any error at the RP. Despite editing the iss parameter with an arbitrary value, the RP failed to validate it correctly, which resulted in a security vulnerability. The lack of proper validation of the iss parameter leads to a mix-up attack [15], where an attacker can exploit a malicious OP to impersonate a legitimate server and trick the RP into accepting invalid authentication data. This attack allows the attacker to steal authorization codes or access tokens. Once in possession of these, the attacker can gain unauthorized access to the victim's resources, potentially leading to severe privacy breaches or data theft. This issue underlines the critical need for proper validation of all authentication parameters, including the iss parameter, to ensure that authentication flows cannot be manipulated by malicious actors. Failure to validate the iss parameter properly creates a high-severity vulnerability, exposing authentication flows to manipulation, unauthorized access, and potential data breaches.

All reported issues were addressed by the developers, leading to an improved security posture of the implementations.

11. https://github.com/stfbk/mig/tree/master/testplans/spid-cie-oidc/
12. https://github.com/italia/spid-cie-oidc-django
13. https://github.com/stfbk/mig/tree/master/testplans/spid-cie-oidc/implementations/spid-cie-oidc-django

Figure 2. GitHub Workflow integrating MIG for automated security testing in a CI/CD pipeline.
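The three S2 findings, as an added illustration in Python (not a MIG-L test and not code from the paper, the MIG project or the SPID/CIE OIDC Federation SDK): an OP-side consistency check that requires client_id, response_type and scope to appear both in the query string and in the JWT request object with identical values, and an RP-side check that the iss parameter of the authentication response is present and names the OP the request was sent to. The sample request object is built unsigned only to produce inputs; verifying the request object's signature against the federation keys is assumed to happen before the consistency check and is not shown. All issuer and client identifiers are constructed placeholders.

```python
import base64
import json
from urllib.parse import parse_qs, urlencode, urlparse

# Parameters that the SPID/CIE OIDC profile requires both as query parameters
# and inside the JWT request object, with identical values.
REQUIRED_IN_BOTH = ("client_id", "response_type", "scope")


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def jwt_claims(token: str) -> dict:
    """Decode the claims of a compact JWS. Signature verification against the
    RP's federation keys is a separate step assumed to have already passed."""
    _header, payload, _signature = token.split(".")
    return json.loads(b64url_decode(payload))


def flat_query(url: str) -> dict:
    """First value of each query parameter, keyed by name."""
    return {k: v[0] for k, v in parse_qs(urlparse(url).query).items()}


def check_request_object_consistency(url: str) -> list[str]:
    """OP-side check for the two S2 Authorization request findings: each
    required parameter must be present in the query string and in the
    request object, and the two values must be equal."""
    params = flat_query(url)
    if "request" not in params:
        return ["request object (JWT) missing from the Authorization request"]
    claims = jwt_claims(params["request"])
    findings = []
    for name in REQUIRED_IN_BOTH:
        in_query, in_jwt = params.get(name), claims.get(name)
        if in_query is None:
            findings.append(f"{name} missing from query string")
        if in_jwt is None:
            findings.append(f"{name} missing from request object")
        if in_query is not None and in_jwt is not None and in_query != in_jwt:
            findings.append(
                f"{name} differs between query ('{in_query}') and request object ('{in_jwt}')"
            )
    return findings


def check_authentication_response_iss(response_url: str, expected_iss: str) -> list[str]:
    """RP-side check for the S2 RP finding: iss must be present and must name
    the OP the Authorization request was sent to, which defeats the mix-up."""
    iss = flat_query(response_url).get("iss")
    if iss is None:
        return ["iss missing from authentication response"]
    if iss != expected_iss:
        return [f"iss '{iss}' does not match the OP the request was sent to ('{expected_iss}')"]
    return []


# --- Constructed sample data (placeholders, not real SPID/CIE entities) ------
OP_ISSUER = "https://op.example.test"
RP_ID = "https://rp.example.test"
CLAIMS = {"iss": RP_ID, "client_id": RP_ID, "response_type": "code", "scope": "openid"}


def make_request_object(claims: dict) -> str:
    """Unsigned JWS used only to build sample inputs; real request objects are
    signed, and the signature is verified before the consistency check runs."""
    header = b64url_encode(json.dumps({"alg": "none"}).encode("ascii"))
    body = b64url_encode(json.dumps(claims).encode("ascii"))
    return f"{header}.{body}."


def sample_authorization_request(**overrides) -> str:
    """Build a sample request URL; pass name=None to drop a query parameter."""
    query = {"client_id": RP_ID, "response_type": "code", "scope": "openid",
             "request": make_request_object(CLAIMS)}
    query.update(overrides)
    query = {k: v for k, v in query.items() if v is not None}
    return f"{OP_ISSUER}/authorize?{urlencode(query)}"


if __name__ == "__main__":
    print("conformant:", check_request_object_consistency(sample_authorization_request()))
    print("client_id removed:", check_request_object_consistency(
        sample_authorization_request(client_id=None)))
    print("scope mismatch:", check_request_object_consistency(
        sample_authorization_request(scope="openid profile")))
    print("iss removed:", check_authentication_response_iss(
        f"{RP_ID}/callback?code=abc&state=xyz", OP_ISSUER))
```

The scope case shows why the query value cannot simply be overridden by the request object: the check reports the mismatch instead of letting the JWT suppress the URL value, which is the behaviour the OP test found.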
4. Conclusions and Future Work

This paper presents an extended version of MIG, an open-source security testing tool designed for IdM deployments and suitable for integration into platforms that support conformance checking and continuous risk assessment. Aligned with DevSecOps principles, MIG enables security assessments of IdM deployments in a CI/CD pipeline by automating testing processes and providing tailored mitigation hints. The transition of MIG from a GUI-based application to a CI/CD-compatible platform enhances scalability and accessibility, allowing for faster, more consistent, and repeatable analyses.

The extended version of MIG improves integration with various security frameworks, accelerates needs analysis for addressing high-severity vulnerabilities, and enables efficient mitigation procedures. By combining vulnerability detection with targeted mitigation hints, MIG strengthens cybersecurity practices.

For future work, we plan to implement an alternative architecture where the Ref. Env. and MIG are deployed in separate containers and to provide MIG as a service.
References

[1] T.-T. Li, K. Wang, T. Sueyoshi, and D. D. Wang, "ESG: Research Progress and Future Prospects," Sustainability, vol. 13, no. 21, p. 11663, October 2021.
[2] A. Bisegna, R. Carbone, I. Martini, V. Odorizzi, G. Pellizzari, and S. Ranise, "Micro-Id-Gym: Identity Management Workouts with Container-Based Microservices," International Journal of Information Security and Cybercrime, vol. 8, no. 1, pp. 45–50, 2019.
[3] A. Bisegna, M. Bitussi, R. Carbone, L. Compagna, A. Sudhodanan, and S. Ranise, "CSRFing the SSO waves: Security testing of SSO-based account linking process," in Proc. IEEE Eur. Symp. Secur. Privacy (EuroS&P), Vienna, Austria, 2024, pp. 139–154, doi: 10.1109/EuroSP60621.2024.00016.
[4] A. Bisegna, R. Carbone, G. Pellizzari, and S. Ranise, "Micro-Id-Gym: A Flexible Tool for Pentesting Identity Management Protocols in the Wild and in the Laboratory," in Proceedings of the International Workshop on Emerging Technologies for Authorization and Authentication, Springer, 2020, pp. 71–89.
[5] A. Bisegna, R. Carbone, and S. Ranise, "Integrating a Pentesting Tool for IdM Protocols in a Continuous Delivery Pipeline," in Proceedings of the International Workshop on Emerging Technologies for Authorization and Authentication, Springer, 2021, pp. 94–110, doi: 10.1007/978-3-030-93747-8_7.
[6] A. Bisegna, M. Bitussi, R. Carbone, and S. Ranise, "Enhancing Security Testing for Identity Management Implementations: Introducing Micro-Id-Gym Language and Micro-Id-Gym Testing Tool," IEEE Security and Privacy, vol. 22, no. 6, pp. 50–61, Nov.-Dec. 2024, doi: 10.1109/MSEC.2024.3450277.
[7] A. Perunicic, "Running Selenium with Headless Firefox," Intoli, July 2017. [Online]. Available: https://intoli.com/blog/running-selenium-with-headless-firefox/.
[8] R. Ananiev and A. Redko, "Using Headless Mode in the Java SE Platform," Oracle, June 2006. [Online]. Available: https://www.oracle.com/technical-resources/articles/javase/headless.html.
[9] D. Hardt, V. Torstensson, and A. Parecki, "OAuth 2.1," Internet-Draft draft-ietf-oauth-v2-1-11, Internet Engineering Task Force, Jan. 2024. [Online]. Available: https://datatracker.ietf.org/doc/html/draft-ietf-oauth-v2-1-11.
[10] OASIS Security Services Technical Committee, "SAML 2.0 Technical Overview," OASIS. [Online]. Available: https://docs.oasis-open.org/security/saml/Post2.0/sstc-saml-tech-overview-2.0.html.
[11] OpenID Foundation, "How OpenID Connect Works." [Online]. Available: https://openid.net/developers/how-connect-works/.
[12] Lacework, "4 Reasons Why SecOps Is Still Pretty Difficult." [Online]. Available: https://www.lacework.com/blog/esg-4-reasons-why-secops-is-still-pretty-difficult.
[13] Anvilogic, "ESG Report: Security Operations Challenges and Priorities." [Online]. Available: https://www.anvilogic.com/report-esg.
[14] Agenzia per l'Italia Digitale (AgID), "SPID CIE OIDC Documentation." [Online]. Available: https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/index.html.
[15] D. Fett, "Mix-Up Revisited: New and Improved Attacks on Federated Login." [Online]. Available: https://danielfett.de/2020/05/04/mix-up-revisited/.
[16] R. Bischofberger and E. Duss, "SAML Raider—SAML2 Burp Extension." [Online]. Available: https://github.com/SAMLRaider/SAMLRaider.
[17] R. Thaqi, K. Vishi, and B. Rexha, "Enhancing Burp Suite with Machine Learning Extension for Vulnerability Assessment of Web Applications," Journal of Applied Security Research, vol. 18, no. 4, pp. 789–807, 2023.