
Integrating a Pentesting Tool for IdM Protocols in a Continuous Delivery Pipeline

Author: Bisegna, Andrea
Publisher: Zenodo
DOI: 10.1007/978-3-030-93747-8_7
Source: https://zenodo.org/records/17675795/files/2021.pdf
Integrating a Pentesting Tool for IdM Protocols in a Continuous Delivery Pipeline∗
Andrea Bisegna1,2, Roberto Carbone1, and Silvio Ranise1,3
1Security & Trust, Fondazione Bruno Kessler, Trento (Italy)
{a.bisegna, carbone, ranise}@fbk.eu
2DIBRIS, University of Genova, Genova (Italy)
3Department of Mathematics, University of Trento, Trento (Italy)
Abstract
Identity Management (IdM) solutions are increasingly important for the digital infrastructures of both enterprises and public administrations. Their security is a mandatory prerequisite for building trust in current and future digital ecosystems. IdM solutions are usually large-scale, complex software systems maintained and developed by several groups of ICT professionals. A Continuous Delivery (CD) pipeline is adopted to make the maintenance, extension, and deployment of such solutions as efficient and repeatable as possible. For security, the CD pipeline is also used as a continuous risk assessment to quickly evaluate the security impact of changes. Several tools have been developed and integrated in the CD pipeline to support this view in the so-called DevSecOps approach, with the notable exception of a tool for protocol pentesting and compliance against standards such as SAML 2.0, OAuth 2.0 and OpenID Connect. To fill this gap, we propose an approach to integrate Micro-Id-Gym, a tool for the automated pentesting of IdM deployments, in a CD pipeline. We report our experience in doing this and discuss the advantages of using the tool in the context of a joint effort with Poligrafico e Zecca dello Stato Italiano to build a digital identity infrastructure.
1 Introduction
Identity Management (IdM) implementations exchange authentication assertions and consist of a series of messages in a preset sequence designed to protect information as it travels through networks or between servers. By using third-party authentication, IdM protocols eliminate the need to store authentication information within the services for which they are used, providing a solution that helps private and public organizations prevent the misuse or abuse of login credentials and reduce the risk of data breaches.
IdM protocol standards, including the Security Assertion Markup Language 2.0 (hereafter SAML) [1], OpenID Connect (OIDC) [2], and OAuth 2.0 (OAuth) [3], handle user requests for access to services and deliver responses based on the information a user provides. If the authentication methods, such as a password or a biometric identifier, are correct, the protocol grants the level of access assigned to the user within the service. Existing IdM protocols support policies (such as allowing password-authenticated users to only read financial data while also permitting payments to those authenticated with two authentication factors) by securing assertions and ensuring their integrity during transfer. They include security standards to simplify access management, aid compliance, and create a uniform user experience.
∗This work was partially funded by the Horizon 2020 project "Strategic Programs for Advanced Research and Technology in Europe" (SPARTA), grant agreement No. 830892, and by the Italian National Mint and Printing House (Istituto Poligrafico e Zecca dello Stato).
Micro-Id-Gym Bisegna et al.
For instance, both SAML and OIDC support the so-called Single Sign-On (SSO) experience whereby one set of credentials allows users to access multiple services.
To obtain robust security in an IdM implementation, compliance with the standard is extremely important. In some cases, as happens with SPID [4], it is required to ensure compliance with both the technical and legal rules defined in the regulations.
Given the many advantages of IdM protocol standards, they have been widely adopted in many different scenarios encompassing corporate organizations (typically adopting SAML), cloud platforms (e.g., Google uses both OIDC and OAuth), and both national and international infrastructures for digital identity such as those in Europe (e.g., SPID in Italy is based on SAML and, similarly, the eIDAS framework for identity portability across Member States is also based on SAML). Despite being used on a large scale and for many years, the deployment of these IdM protocols has proved to be difficult and fraught with pitfalls. This is mainly because such protocols inherit the difficulties of designing, implementing, and deploying the cryptographic mechanisms on top of which they are built. Even assuming that the design of IdM protocols is secure, implementations add complexity by specifying functional details (such as message formats and session state) while deployments include further aspects (such as programming interfaces) that are absent at the design level. These additions may bring low-level threats (such as missing checks of the content of certain message fields and vulnerabilities of functions imported from third-party libraries), thereby significantly enlarging the attack surface of deployed IdM protocols. There is a long line of papers devoted to the identification of vulnerabilities and attacks in deployed IdM protocols at the design, implementation, and deployment level; see, e.g., [5,6,7,8].
Indeed, preventing such varied attacks on large IdM solutions that use complex cryptographic mechanisms is a daunting task that requires automated assistance, also to meet the strict temporal constraints of delivering software systems to production environments frequently and in a safe way by adopting the Continuous Delivery software engineering methodology. This methodology has steadily gained adoption although it is difficult to reconcile with traditional security testing and analysis techniques, such as penetration testing or static and dynamic analysis, that take substantial time and need expertise to interpret the results (e.g., to eliminate false positives). In this context, not only does automation become even more important to identify vulnerabilities, but the capability to provide actionable security suggestions to software developers with little security awareness is also crucial to reduce security risks to an acceptable level. The advantage of actionable security suggestions is twofold: (i) they speed up the process of fixing vulnerabilities while facilitating the creation of security awareness among developers and (ii) they allow security experts to focus on more complex security issues, possibly contributing to further decrease security risks.
In this paper, we present our experience of integrating a pentesting tool for IdM protocols (called Micro-Id-Gym [9]) in the Continuous Delivery pipeline for deploying the Italian digital identity solution based on the electronic identity card (Carta d'Identità Elettronica 3.0), which we are collaborating to develop in the context of a joint effort with the Italian National Mint and Printing House (IPZS, Poligrafico e Zecca dello Stato Italiano). We describe how the capability of Micro-Id-Gym to automatically perform a battery of tests derived from the IdM protocol standards, and to include actionable security suggestions on how to patch the problems found, not only allows known security problems to be identified and fixed but also helps developers better understand the negative impact of ignoring or underestimating the security considerations included in such standards while coding or deploying IdM protocols. This, in turn, contributes to increasing the level of security awareness of developers. Micro-Id-Gym also has the capability to create a local faithful copy of the system and gives the possibility to perform attacks that would have
catastrophic effects when performed in the production environment (e.g., Denial of Service). Finally, we show how the tool can help identify false positives by classifying tests in two classes, namely passive and active. The former only perform checks without modifying messages, while the latter also interfere with the flow of the protocols by injecting suitably crafted messages with the goal of mounting an attack. Our findings have been experimentally validated by integrating Micro-Id-Gym in the Continuous Delivery pipeline infrastructure offered by GitLab. The experiments were conducted in the context of the deployment of a new version of the Italian digital identity solution based on the electronic identity card.
Structure of the paper. In Section 2, we give an overview of the DevSecOps philosophy and the tools used in DevSecOps, together with a pentesting tool for IdM protocols. In Section 3, we describe the scenario and its requirements, while in Section 4 we detail the design and the implementation of the proposed solution. To evaluate the effectiveness of the solution, Section 5 reports the use of the integration in a real scenario. We conclude and give an overview of future work in Section 6.
2 Background on DevOps, DevSecOps and Pentesting
Traditionally, operations and development teams have worked independently. This separation has created an environment filled with communication and alignment problems, resulting in production delays. In response to these issues DevOps was born. DevOps's goal is to bridge the gap between the two teams to improve communication and collaboration, create smoother processes and align strategies and objectives for faster and more efficient delivery [10]. The term DevOps originates from the union of development and operations and describes the approaches to be adopted to accelerate the processes that allow an idea to move from development to release in a production environment, where it can provide value to the user. Such approaches require frequent communication between the two teams. In DevOps, developers who typically create code in a standard development environment work closely with operations staff to speed up software creation, testing, and release [11].
Security has become an important and challenging goal in the DevOps philosophy and in the Software Development Life Cycle (SDLC). This led to DevSecOps, an extension of DevOps whose purpose is to integrate security controls and processes into DevOps to promote collaboration among security, development and operations teams. The DevSecOps process requires the integration of planning, design, and release, which is typically obtained by a collaborative tool chain of technologies to facilitate cooperation, provide more secure development processes and, according to [12], allows companies to save money in case of data breaches thanks to the effectiveness of an organization's incident response and containment processes. Moreover, adopting DevSecOps practices for automatic build and deployment eliminates a large number of manual steps that could introduce many opportunities to make mistakes.
2.1 Security practices in DevSecOps
As reported in Table 1, several state-of-the-art security practices can be used in DevSecOps to ensure that automation and security are handled continuously throughout the SDLC [13]. In this section we provide more details about the Dynamic Application Security Testing (DAST) practices, since the tool we propose belongs to this cluster of practices, even if in the industrial
context,1 there are different classifications of the security practices in DevSecOps and according to them the tool we integrated is classified as a Pentesting Tool.
In general, the DAST practice uses a black-box security testing method that examines an application while it is running, detecting common vulnerabilities [14]. The tests performed can detect flaws in the authentication or authorization process, client-side attacks, inappropriate command execution, SQL injection, erroneous information disclosure, and attacks on interfaces and API endpoints, and can also perform penetration testing and vulnerability scanning [15]. A list of DAST tools is provided by OWASP.2 Two of the most well-known tools in this context are OWASP Zed Attack Proxy3 (ZAP) and Burp Suite Professional Commercial Edition4 (Burp PRO). They observe the HTTP traffic of the application in use and create alerts on any vulnerabilities they can detect through regular usage, and attempt a variety of attacks by replaying modified HTTP traffic. These tools have been designed mainly to support manual testing, but they also provide APIs that could allow integration into a DevSecOps pipeline. A good example of how to integrate DAST into DevSecOps is reported on GitHub,5 where both ZAP and Burp Pro are ready to be added to the pipeline to conduct an active real-time vulnerability scan and return a security scan report as result.
Table 1: State-of-the-art security practices in DevSecOps.
Security Practice: Description
Threat Modeling: Process that defines, classifies, and analyses potential threats, assessing their risk and the appropriate countermeasure during the plan phase.
Pre-commit Hooks: Check whether the code contains strings that match specified patterns, to help not to leak credentials.
IDE Plugins: Automatically perform code analysis as the developers open, edit, and save files in the IDE, to get early warning of vulnerabilities.
Dependency Analysis: Technique used to detect vulnerabilities contained within a project's dependencies.
Unit Testing: Process of software testing where individual units/components of a software are tested.
Static Application Security Testing: Testing methodology that analyses source code to find security vulnerabilities that make an application susceptible to attacks.
Dynamic Application Security Testing: Type of black-box security test that scans web applications for vulnerabilities. It works by simulating external attacks on an application while it is running.
Infrastructure As Code: Instead of configuring the hardware physically, it is managed through the definition of files.
Secrets Management: Tools and methods for managing sensitive parts of an IT ecosystem.
Configuration Management: Control of the configuration of an information system with the goal of enabling security and managing risk.
Version Control: Practice of tracking and managing changes to software code.
Container Security Scanning: Practice of securing containers.
1https://dzone.com/articles/shifting-left-devsecops
2https://owasp.org/www-community/Vulnerability_Scanning_Tools
3https://www.owasp.org/index.php/OWASP_Zed_Attack_Proxy_Project
4https://portswigger.net/burp/pro
5https://github.com/jacksingleton/dast-pipeline
The limit of the available DAST tools when deploying IdM solutions is that they cover only partially the security tests needed to produce a security assessment. In fact, there is no state-of-the-art DAST tool which verifies the security aspects of an IdM implementation in
terms of compliance with the standards and detects the vulnerabilities reported in scientific papers.
2.2 Overview of Micro-Id-Gym
Micro-Id-Gym [9] is a tool which assists system administrators and testers in the pentesting of IdM protocol implementations. More precisely, Micro-Id-Gym considers web protocols where a Service Provider (SP) relies on a trusted third party, called Identity Provider (IdP), for user authentication. SAML, OIDC and OAuth are three of the best-known standardized protocols providing this authentication pattern (modulo the different names used to refer to the aforementioned entities).
Micro-Id-Gym supports two main activities: pentesting of IdM protocol implementations and creating sandboxes with an IdM protocol deployment. The former consists of tools with a GUI to support pentesting activities on the System Under Test (SUT), namely a Proxy, a set of Pentesting Tools, and two tools called MSC Drawer and MSC STIX Visualizer. The latter is carried out by recreating locally a sandbox of an IdM protocol implementation, either by uploading the proprietary implementation or by composing a new one from the instances provided by the tool. The capability of creating a local copy of the SUT allows pentesting activities that may cause severe disruptions, such as Denial of Service (DoS) attacks, to be performed safely.
All the HTTP messages exchanged during the authentication process performed on the SUT are intercepted by the Proxy, which allows the Pentesting Tools to execute the available automated tests. The tool verifies whether the SUT suffers from the vulnerabilities it tests automatically and provides details of the discovered vulnerabilities. In addition, the MSC Drawer automatically creates a Message Sequence Chart of the authentication flow by using the information collected by the Proxy. Thus the pentester can recognize at a glance whether the SUT follows the expected flow or not.
The results of each executed test are reported in a box inside the tool where the user finds a recap with (i) the check performed together with a brief description, (ii) the status of the executed test (Successful or Failed) and, in case of failure, (iii) the portion of the HTTP message that is not compliant with the standard, together with (iv) different suggestions to mitigate the identified flaws.
Micro-Id-Gym performs tests on both the IdP and the SP automatically and supports the following test categories on the IdM protocol deployment: (i) performing general security web checks on any collected HTTP message, not strictly related to the protocol implementation but more generally related to web security, (ii) verifying the compliance with a given standard in terms of message format and mandatory fields, and (iii) mounting specific attacks to spot any false positives among the vulnerabilities reported by the previous tests.
The tests executed by the tool can be passive or active. Passive tests analyze the traffic generated during the authentication flow to discover compliance issues, such as missing parameters required by one of the supported standards, namely SAML, OAuth and OIDC. Active tests instead modify the exchanged messages to verify how the SUT reacts to the malicious messages injected by an attacker [9]. Since passive tests perform a static analysis, they can be executed all at once on the traffic collected when the authentication process is completed. This is not the case for active tests: each of them runs independently, because it performs the modifications to the messages related to that test only. Performing multiple modifications simultaneously would make it more complex to identify the root cause of the failed test. For instance, an active test consists of checking if the RelayState parameter, used to prevent CSRF attacks, can be tampered with during the authentication flow. In case the authentication process is completed
despite the modification, it means that the SUT does not manage the RelayState parameter correctly and it might expose the user to CSRF attacks [16]. In case the SUT notices the change, the test fails, meaning that the SUT performs adequate verification of the RelayState parameter.
Currently Micro-Id-Gym supports three standards: SAML, OIDC and OAuth. As regards SAML, a comprehensive list of all the automated tests is reported in Table 2, where, for each test, we specify: (i) a name to identify the security test (e.g., Session Replay), (ii) the target of the test (SP or IdP), (iii) the type of test, Passive (P) or Active (A), (iv) the description of the security test, and (v) the description of the mitigation.
In order to use the Pentesting Tools provided by Micro-Id-Gym, the pentester needs to install on their device the tool, which leverages the Proxy, Burp Community Edition,6 because interaction with the GUI of the tool is required. The pentester is also required to provide an authentication trace, which contains a list of user actions to interact with the browser used to complete the authentication process in the SUT. The authentication trace (e.g., visit www.example.com, click on the Login button, etc.) can be easily recorded by the pentester, and the Pentesting Tools verify its correctness (i.e., its correct execution) before running the automated passive and active tests.
3 Scenario and Requirements
IdM solutions are increasingly important for the digital infrastructures of both enterprises and public administrations, and they are a prerequisite for building trust in current and future digital ecosystems. Unfortunately, their secure deployment is a non-trivial activity that requires a good level of security awareness [5].
For the sake of concreteness we now describe the Italian digital identity infrastructure based on the national electronic identity card, which we have studied in depth as part of a collaboration with IPZS. The scenario given by IPZS consists of an IdP based on the SAML SSO protocol and (a stub) SP required to complete the authentication process. IPZS is adopting DevOps in the development stage: after each commit made by developers in the repository, an automatic build is created and the deployment in the SUT is performed. In this scenario, so far, the pentesting activities are performed manually and outside of the DevOps pipeline by running Micro-Id-Gym under the responsibility of the Security Team (ST). From the IPZS perspective this flow looked too cumbersome and error-prone due to the steps required by the pentesting activities, and so, in order to make the process shorter and faster, we introduced DevSecOps. We then decided to integrate Micro-Id-Gym in the SDLC.
Therefore, to reduce the redundant tasks and make builds less error-prone and deployments more secure, we designed and implemented a solution joining the main advantages of Continuous Integration and Continuous Delivery (CI/CD) and integrating Micro-Id-Gym as a known and valid tool for the pentesting activities required by IPZS. During the integration we encountered some issues due to the constraints given by the tool itself; the solution adopted is described in Section 4.
From the aforementioned scenario, we identify two challenges (C1 and C2) and from them we derive some functional and security requirements.
[C1] Automated assistance. To enable the deployment automation that leads to repeatable and reliable deployments across the SDLC. Indeed, the process of performing a deployment of a SAML SSO implementation contains many critical steps, like the federation process. Moreover, the automatic pentesting provides a set of pentesting tools for the automatic security analysis
6https://portswigger.net/burp
of the IdM protocols by identifying security issues, and helps to maintain compliance with the standard in order to eliminate basic security issues and allow the security experts to focus more on complex security issues. From C1, we derive the following two requirements:
R1 integration in the SDLC: to automatically perform pentesting on a solution based on IdM protocols which involves several entities that interact with each other based on complex cryptographic mechanisms.
R2 false positives elimination: thanks to the automation and the capabilities of the pentesting tool, it is possible to perform passive tests that identify vulnerabilities and, through the active tests, to mount attacks which help eliminate any false positives detected by the passive tests.
[C2] Increasing security awareness. To enable the secure deployment of IdM protocols, which is a complex and error-prone activity that requires a high level of security awareness in several heterogeneous aspects. Indeed, developers get bogged down in the myriad of security practices that they are required to tame when trying to deploy or understand IdM solutions. There are plenty of security indications for SAML, OAuth and OIDC spread across different sources, and most of them are not easy to understand for a developer with limited security skills. The Pentesting Tools identify vulnerabilities in the implementation but also provide security mitigations with the aim of increasing the security awareness of the developers. From C2, we obtain the following requirements:
R3 compliance with the standards: faithfully adopting the best practices in order to achieve security by checking the compliance with a given standard in terms of message format and mandatory fields. Following the suggestions indicated in the standard increases the security of the protocol implementation.
R4 collaboration support: the cooperation among developers is critical, especially when senior developers are helping less skilled developers to fix vulnerabilities reported in the security issue message provided by the ST and containing actionable suggestions.
We also identify two requirements that are common to both challenges:
R5 mitigation: provide the developers with a comprehensive and actionable analysis of the options to mitigate the discovered vulnerabilities. The details of the mitigations provided by the tool will improve the security awareness among the developers.
R6 notification: ST and developers should have access to the test report with different levels of detail in order to simplify the problems or mitigations. The test report contains different information according to the audience: for developers, more aspects related to the implementation and mitigations, while for security specialists only the aspects related to security.
4 Continuous Delivery Solution for Pentesting of IdM Protocols
4.1 Design
As depicted in Fig. 1, the proposed solution is composed of two main components. The former, located at the bottom of the figure, is in charge of handling the repository with the source code
of the entities (IdP and SP) and the CI/CD System (indeed, to satisfy R1), and it was the starting point of a classic CI.
The latter, our contribution, identified in the top part of the figure, aims to perform the pentesting on the IdM deployment while increasing the security awareness among the developers. Moreover, the red arrows in the figure indicate the operations which are automatically executed, while the black dashed arrows indicate that the operations require a human intervention.
When the developer pushes new code to the repository, a notification is sent to the ST and the build and deployment phases start.
The source code of the SP and IdP is built, federated and both are deployed in the SUT. The notification informs the ST that the automatic penetration testing on the SUT has been executed and that test reports are available. The penetration testing checks the compliance with the standard (it complies with R3) by executing passive tests, and mounts specific attacks by executing active tests to spot false-positive vulnerabilities identified by the passive tests (fulfilling R2).
The notification also contains some information needed to execute the Pentesting Tools and to allow the communication between the repository, the CI/CD system, the SUT and the Pentesting Tools. When the ST decides to perform pentesting on the deployed solution, the Pentesting Tools automatically create security feedback and a test report with all the discovered vulnerabilities in a tool for team collaboration (it complies with R4) accessible by both developers and ST (fulfilling R6). The tool for team collaboration is used by the developers to retrieve information about mitigations and by the ST to help the developers with the fixes. This stage is thus helpful to increase the security awareness of the developers. The test report contains different levels of content according to the role played in the SDLC. The developers have access only to a brief recap of the status of the vulnerabilities and mitigations (which satisfies R5), while the ST has all the details about mitigations.
4.2 Implementation
4.2.1 CI/CD System
We adopted GitLab CI/CD,7 a tool built into GitLab for software development to support CI and CD. At the repository's root, GitLab CI/CD expects a configuration file used to create a CD pipeline which executes jobs contained in stages. We implemented the three operations marked in red in Fig. 1 as three stages in the pipeline: (i) Send Notifications, (ii) Build, and (iii) Deploy. The first stage is in charge of notifying the ST about the changes in the repository. We decided to send an email which contains the authentication trace and the parameters required by GitLab to create Issues, namely Project Id and Host URL. The second stage is responsible for building the source code, and the third one sets up the web server and deploys the solution in the SUT. These jobs are executed by the GitLab Runner agent, an open-source application written in Go that works with GitLab CI/CD to run jobs in a pipeline. GitLab Runner is triggered by every push to the central repository if a configuration file is available (unless explicitly configured not to).
4.2.2 Integration of Micro-Id-Gym
Given the interoperability of Micro-Id-Gym with any operating system and its capability to perform compliance checks, we decided to integrate it in the solution and use it to perform the
7https://www.gitlab.com
Figure 1: High Level Architecture of the proposed solution.
pentesting activities in the SUT. The integration of the tool itself is immediate, also considering its flexibility to adapt to any scenario, and it needs neither software development nor particular skills. The tool automatically creates GitLab issues in the repository for those tests where vulnerabilities have been discovered. In order to grant Micro-Id-Gym read and write access to the GitLab repository, a GitLab token, Project Id and Host URL are required. The former is a personal access token used to authenticate with the GitLab API, and the user is required to retrieve it from their GitLab profile.
Micro-Id-Gym also generates a report of the test results which is automatically added to a Slack8 channel, a team collaboration tool, accessible by the developers and the ST.
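The issue-creation and reporting steps, as an added example that is not Micro-Id-Gym's code: it builds, without sending, the GitLab REST API call (POST /projects/:id/issues, authenticated with the PRIVATE-TOKEN header carrying the personal access token mentioned above) and renders the two audience-specific views required by R6. The host URL, project id, token value and findings are constructed placeholders.

```python
"""Turn failed pentest checks into GitLab issues and audience-specific reports (added example)."""
import json
import urllib.request
from dataclasses import dataclass
from typing import List


@dataclass
class Finding:
    check: str       # passive/active test name, e.g. "Assertion signature"
    target: str      # "IdP" or "SP"
    portion: str     # offending portion of the HTTP message
    mitigation: str  # actionable suggestion for the developer


def build_issue_request(host_url: str, project_id: int, token: str,
                        f: Finding) -> urllib.request.Request:
    """Build (but do not send) the GitLab API call that opens one issue per finding."""
    payload = {
        "title": f"[{f.target}] {f.check}",
        "description": (f"**Non-compliant portion**\n\n```\n{f.portion}\n```\n\n"
                        f"**Mitigation**\n\n{f.mitigation}\n"),
        "labels": f"security,{f.target.lower()}",
    }
    req = urllib.request.Request(
        f"{host_url.rstrip('/')}/api/v4/projects/{project_id}/issues",
        data=json.dumps(payload).encode(),
        method="POST",
    )
    req.add_header("PRIVATE-TOKEN", token)   # personal access token from the user's profile
    req.add_header("Content-Type", "application/json")
    return req


def render_report(findings: List[Finding], audience: str) -> str:
    """R6: developers get a brief recap with mitigations; the ST gets full details."""
    if audience not in ("developer", "security"):
        raise ValueError(f"unknown audience: {audience}")
    lines = [f"{len(findings)} failed test(s)"]
    for f in findings:
        if audience == "developer":
            lines.append(f"- {f.target} / {f.check}: FAILED -> {f.mitigation}")
        else:
            lines.append(f"- {f.target} / {f.check}: FAILED")
            lines.append(f"    portion: {f.portion}")
            lines.append(f"    mitigation: {f.mitigation}")
    return "\n".join(lines)


# Constructed findings, as a passive run over a trace might produce them.
SAMPLE_FINDINGS = [
    Finding("Assertion signature", "IdP", "<Assertion> without <Signature>",
            "Sign every Assertion sent over the POST binding."),
    Finding("HSTS header", "SP", "http://sp.example.test/acs",
            "Send Strict-Transport-Security on SSO endpoints."),
]

if __name__ == "__main__":
    # Placeholder host, project id and token; urllib.request.urlopen(req) would send each call.
    for f in SAMPLE_FINDINGS:
        req = build_issue_request("https://gitlab.example.test", 42, "glpat-PLACEHOLDER", f)
        print(req.get_method(), req.full_url, json.loads(req.data)["title"])
    print(render_report(SAMPLE_FINDINGS, "developer"))
    print(render_report(SAMPLE_FINDINGS, "security"))
```

The issue title is derived from the target and check name, so re-running the pipeline can match new findings against open issues before creating duplicates, and the token is only ever placed in a request header, never in the issue body or the report text that reaches Slack.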
5 Use Case: SAML SSO implementation
As anticipated in Section 3, we had to assess an IdP based on SAML and its compliance with SPID.9 The implementation is provided by IPZS in the context of a joint lab and is the Italian digital identity infrastructure based on the national electronic identity card. In this scenario we have to assess whether the SAML authentication process follows the rules defined by the standard protocol [1], to avoid security issues and lack of compliance with the technical rules provided by SPID. The scenario consists of the IdP provided by IPZS and a stub SP required to complete the authentication process.
To assess the scenario provided by IPZS, we used the solution reported in Section 4, excluding the part related to the team collaboration tool, which is left as future work.
The content of the email sent to the ST is depicted in Fig. 3 and contains all the details needed to use Micro-Id-Gym. In detail, it provides: (i) the name of the developer who changed the repository
8https://slack.com/
9https://www.spid.gov.it/