持续集成工具缺陷检测技术研究

Defect-Detecting Technique of Continuous Integration

持续集成是当今软件开发过程中普遍使用的工具之一。由于管理人员安全意识缺失和错误的安全策略,攻击者可轻松利用缺陷实现用户提权、敏感数据窃取、远程命令执行等目的。在介绍持续集成工具架构和基本组成基础之上,重点分析其存在的缺陷和常见的攻击面,研究攻击者利用这些缺陷所能实现的登陆绕过、远程命令执行、反序列化漏洞等攻击手段。利用缺陷检测技术对这些组件进行检测,集成整合并实现自动化检测平台,呈现出更直观全面的系统安全性评估结果。

Continuous integration is commonly used in today＇s software development. Due to the lack of security awareness and the wrong security strategy, the attacker can easily exploit defect and achieve higher rights, acquire sensitive data, execute remote command and reach other purposes. Based on introduction of the architecture and basic components of continuous integration tools, this paper focuses on the existing defects and common attack surface of the continuous integration tools, also discusses the password cracking, remote command execution, and Java deserialization vulnerabilities on this platform. By using the defect detection technology to detect these components and achieving integraied integration and implementation of automated testing platform, a more intuitive and comprehensive assessment of system security could be acquired.