Enterprise-Driven Open Source Software: A Case Study on Security Automation

Security activities are essential for all software development projects to detect potential flaws early, to avoid security breaches, data loss and adhere to existing standards. The integration of security activities within the broadly utilized continuous integration (CI) pipelines are equally supported by literature as well as security experts.
This paper analyzes the tool usage of automated security activities in CI pipelines. In particular, we mine publicly available enterprise-driven open source software repositories and survey a sample of project maintainers to better understand the role security and security tools play in their CI pipelines. This shall allow, in the long-run, to better understand the extent to which security forms (or should form) part of automated pipelines, thus, facilitating the improvement of practices and standards. To increase the transparency of our results but also to allow other researchers replicate our study (and taking different perspectives), we further disclose our data (and material) to the public.

Our results indicate, among other things, that security may be very much influenced by the programming language, yet it plays a vital role in a large extent of projects. At the same time, only a small fraction of 6.83 \% of the projects appropriately consider security. This corroborates our own industry experiences and leave open an avenue for further improvements of the state of practice which we outline in the manuscript at hands.