{"status":"ok","message-type":"work","message-version":"1.0.0","message":{"indexed":{"date-parts":[[2026,2,4]],"date-time":"2026-02-04T22:16:43Z","timestamp":1770243403145,"version":"3.49.0"},"publisher-location":"New York, NY, USA","reference-count":57,"publisher":"ACM","content-domain":{"domain":["dl.acm.org"],"crossmark-restriction":true},"short-container-title":[],"published-print":{"date-parts":[[2025,11,26]]},"DOI":"10.1145\/3785520.3785526","type":"proceedings-article","created":{"date-parts":[[2026,2,4]],"date-time":"2026-02-04T09:02:02Z","timestamp":1770195722000},"page":"33-42","update-policy":"https:\/\/doi.org\/10.1145\/crossmark-policy","source":"Crossref","is-referenced-by-count":0,"title":["A Defence-Oriented Study of API Security in CI\/CD Pipelines"],"prefix":"10.1145","author":[{"ORCID":"https:\/\/orcid.org\/0000-0001-9944-2615","authenticated-orcid":false,"given":"Sabbir M.","family":"Saleh","sequence":"first","affiliation":[{"name":"Computer Science University of Western Ontario, London, ON, Canada,"}],"role":[{"role":"author","vocabulary":"crossref"}]},{"ORCID":"https:\/\/orcid.org\/0009-0007-9928-7943","authenticated-orcid":false,"given":"Md Nafiz Al","family":"Ifat","sequence":"additional","affiliation":[{"name":"Computer Science University of Western Ontario, London, ON, Canada,"}],"role":[{"role":"author","vocabulary":"crossref"}]},{"ORCID":"https:\/\/orcid.org\/0009-0006-5207-3203","authenticated-orcid":false,"given":"Nazim H.","family":"Madhavji","sequence":"additional","affiliation":[{"name":"Computer Science University of Western Ontario, London, ON, Canada,"}],"role":[{"role":"author","vocabulary":"crossref"}]},{"ORCID":"https:\/\/orcid.org\/0009-0001-6572-6326","authenticated-orcid":false,"given":"John","family":"Steinbacher","sequence":"additional","affiliation":[{"name":"Cloud Division IBM Canada Lab, Markham, ON, Canada,"}],"role":[{"role":"author","vocabulary":"crossref"}]}],"member":"320","published-online":{"date-parts":[[2026,2,4]]},"reference":[{"key":"e_1_3_3_1_1_2","volume-title":"April. Advancing DevSecOps in SMEs: Challenges and Best Practices for Secure CI\/CD Pipelines. In 2025 13th International Symposium on Digital Forensics and Security (ISDFS) (pp. 1-6). IEEE.","author":"Cheenepalli J.","unstructured":"Cheenepalli, J., Hastings, J.D., Ahmed, K.M. and Fenner, C., 2025, April. Advancing DevSecOps in SMEs: Challenges and Best Practices for Secure CI\/CD Pipelines. In 2025 13th International Symposium on Digital Forensics and Security (ISDFS) (pp. 1-6). IEEE."},{"key":"e_1_3_3_1_2_2","doi-asserted-by":"publisher","DOI":"10.1145\/3714464"},{"key":"e_1_3_3_1_3_2","unstructured":"Dhandapani Sowmiya. \"Enhancing Software Supply Chain Security Through STRIDE-Based Threat Modelling of CI\/CD Pipelines.\" arXiv preprint arXiv:2506.06478 (2025)."},{"key":"e_1_3_3_1_4_2","doi-asserted-by":"publisher","DOI":"10.5220\/0013018500003825"},{"key":"e_1_3_3_1_5_2","doi-asserted-by":"publisher","DOI":"10.1109\/IISA62523.2024.10786669"},{"key":"e_1_3_3_1_6_2","first-page":"137","volume-title":"Blockchain, Cloud Computing","author":"Afifah H.","year":"2024","unstructured":"A. S. Afifah, H. Kabetta, I. K. Setia Buana and H. Setiawan, \"Code Obfuscation in CI\/CD Pipelines for Enhanced DevOps Security,\" 2024 International Conference on Artificial Intelligence, Blockchain, Cloud Computing, and Data Analytics (ICoABCD), Indonesia, 2024, pp. 137-142."},{"key":"e_1_3_3_1_7_2","doi-asserted-by":"crossref","unstructured":"Rajapakse R.N. Zahedi M. Babar M.A. and Shen H. 2022. Challenges and solutions when adopting DevSecOps: A systematic review. Information and software technology 141 p.106700.","DOI":"10.1016\/j.infsof.2021.106700"},{"key":"e_1_3_3_1_8_2","doi-asserted-by":"publisher","DOI":"10.1109\/CIoT63799.2024.10757084"},{"key":"e_1_3_3_1_9_2","doi-asserted-by":"publisher","DOI":"10.1109\/ACCESS.2017.2685629"},{"key":"e_1_3_3_1_10_2","doi-asserted-by":"publisher","DOI":"10.1109\/TSE.2021.3064953"},{"key":"e_1_3_3_1_11_2","article-title":"Microservices Security Threat Modelling in DevOps Pipelines","author":"Yogeswara Reddy Avuthu","year":"2023","unstructured":"Yogeswara Reddy Avuthu (2023) Microservices Security Threat Modelling in DevOps Pipelines. Journal of Mathematical & Computer Applications.","journal-title":"Journal of Mathematical & Computer Applications."},{"key":"e_1_3_3_1_12_2","doi-asserted-by":"publisher","DOI":"10.1109\/TSE.2022.3174092"},{"key":"e_1_3_3_1_13_2","volume-title":"Rayyan\u2014a web and mobile app for systematic reviews. Syst Rev 5, 210","author":"Ouzzani M.","year":"2016","unstructured":"Ouzzani, M., Hammady, H., Fedorowicz, Z. and Elmagarmid, A., Rayyan\u2014a web and mobile app for systematic reviews. Syst Rev 5, 210 (2016)."},{"key":"e_1_3_3_1_14_2","volume-title":"Proceedings of the 18th International Conference on Evaluation and Assessment in Software Engineering (EASE '14)","author":"Claes Wohlin","year":"2014","unstructured":"Claes Wohlin. 2014. Guidelines for snowballing in systematic literature studies and a replication in software engineering. In Proceedings of the 18th International Conference on Evaluation and Assessment in Software Engineering (EASE '14). Association for Computing Machinery, New York, NY, USA, Article 38, 1\u201310."},{"key":"e_1_3_3_1_15_2","doi-asserted-by":"publisher","unstructured":"Cohen J. Weighted kappa: Nominal Scale Agreement with Provision for Scaled Disagreement or Partial Credit. Psychol Bull. 1968 Oct;70(4):213-20. doi: 10.1037\/h0026256. PMID: 19673146.","DOI":"10.1037\/h0026256"},{"key":"e_1_3_3_1_16_2","unstructured":"Kitchenham B.A. and S. Charters (2007) Guidelines for performing systematic literature reviews in software engineering Technical Report EBSE-2007-01 School of Computer Science and Mathematics Keele University."},{"key":"e_1_3_3_1_17_2","volume-title":"Proceedings of the 5th Annual Symposium and Bootcamp on Hot Topics in the Science of Security.","author":"Zheng E.","unstructured":"Zheng, E., Gates-Idem, P. and Lavin, M., 2018, April. Building a virtually air-gapped secure environment in AWS: with principles of devops security program and secure software delivery. In Proceedings of the 5th Annual Symposium and Bootcamp on Hot Topics in the Science of Security."},{"key":"e_1_3_3_1_18_2","volume-title":"Proceedings of the 26th European Conference on Pattern Languages of Programs (pp. 1-17)","author":"Bondel G.","unstructured":"Bondel, G., Landgraf, A. and Matthes, F., 2021, July. API management patterns for public, partner, and group web API initiatives with a focus on collaboration. In Proceedings of the 26th European Conference on Pattern Languages of Programs (pp. 1-17)."},{"key":"e_1_3_3_1_19_2","volume-title":"October. Secure Development Workflows in CI\/CD Pipelines. In 2022 IEEE Secure Development Conference (SecDev)","author":"Bajpai P.","unstructured":"Bajpai, P. and Lewis, A., 2022, October. Secure Development Workflows in CI\/CD Pipelines. In 2022 IEEE Secure Development Conference (SecDev)"},{"key":"e_1_3_3_1_20_2","volume-title":"November. CI\/CD Pipeline with Vulnerability Mitigation. In 2023 International Conference on Recent Advances in Science and Engineering Technology (ICRASET) (pp. 1-6). IEEE.","author":"Nalini M.K.","unstructured":"Nalini, M.K., Mahalakshmi, B.S., Khandelwal, N., Pai, N. and Sharan, L., 2023, November. CI\/CD Pipeline with Vulnerability Mitigation. In 2023 International Conference on Recent Advances in Science and Engineering Technology (ICRASET) (pp. 1-6). IEEE."},{"key":"e_1_3_3_1_21_2","volume-title":"2021 Fifth World Conference on Smart Trends in Systems Security and Sustainability (WorldS4) (pp. 152-156)","author":"Abhishek M.K.","unstructured":"Abhishek, M.K. and Rao, D.R., 2021, July. Framework to secure docker containers. In 2021 Fifth World Conference on Smart Trends in Systems Security and Sustainability (WorldS4) (pp. 152-156). IEEE."},{"key":"e_1_3_3_1_22_2","volume-title":"Proceedings of the 2019 3rd international conference on cloud and big data computing.","author":"Alonso J.","unstructured":"Alonso, J., Stefanidis, K., Orue-Echevarria, L., Blasi, L., Walker, M., Escalante, M., L\u00f3pez, M.J. and Dutkowski, S., 2019, August. DECIDE: an extended devops framework for multi-cloud applications. In Proceedings of the 2019 3rd international conference on cloud and big data computing."},{"key":"e_1_3_3_1_23_2","doi-asserted-by":"crossref","first-page":"106834","DOI":"10.1016\/j.petrol.2019.106834","article-title":"Architectures and algorithms of an autonomous small-scale drilling agent","volume":"188","author":"Geekiyanage S.C.H.","year":"2020","unstructured":"Geekiyanage, S.C.H., Loeken, E.A. and Sui, D., 2020. Architectures and algorithms of an autonomous small-scale drilling agent. Journal of Petroleum Science and Engineering, 188, p.106834.","journal-title":"Journal of Petroleum Science and Engineering"},{"key":"e_1_3_3_1_24_2","doi-asserted-by":"publisher","DOI":"10.1109\/ACCESS.2019.2930000"},{"key":"e_1_3_3_1_25_2","volume-title":"2018 25th Australasian Software Engineering Conference (ASWEC) (pp. 191-200)","author":"Almalki J.","unstructured":"Almalki, J. and Shen, H., 2018, November. Developing cross-organisational service-based software systems through decentralised interface-oriented continuous integration. In 2018 25th Australasian Software Engineering Conference (ASWEC) (pp. 191-200). IEEE."},{"key":"e_1_3_3_1_26_2","volume-title":"September. Software for Improve the Security of Kubernetes-based CI\/CD Pipeline. In 2023 13th International Conference on Advanced Computer Information Technologies (ACIT).","author":"Shevchuk R.","unstructured":"Shevchuk, R., Karpinski, M., Kasianchuk, M., Yakymenko, I., Melnyk, A. and Tykhyi, R., 2023, September. Software for Improve the Security of Kubernetes-based CI\/CD Pipeline. In 2023 13th International Conference on Advanced Computer Information Technologies (ACIT)."},{"key":"e_1_3_3_1_27_2","volume-title":"2023 International Conference on Informatics Engineering, Science & Technology (INCITEST) (pp. 1-7). IEEE.","author":"Mooduto A.","unstructured":"Mooduto, A., Rijanto, E. and Pamuji, G.C., 2023, October. Optimization of Software Development Automation via CICD, Dependency Track, and AWS CodePipeline Integration. In 2023 International Conference on Informatics Engineering, Science & Technology (INCITEST) (pp. 1-7). IEEE."},{"key":"e_1_3_3_1_28_2","volume-title":"IEEE","author":"Bello","year":"2022","unstructured":"Bello, Yahuza, et al. \"Continuous integration and continuous delivery framework for SDS.\" 2022 IEEE Canadian Conference on Electrical and Computer Engineering (CCECE). IEEE, 2022."},{"key":"e_1_3_3_1_29_2","volume-title":"2021 IEEE 11th Annual Computing and Communication Workshop and Conference (CCWC) (pp. 0529-0535)","author":"Mahboob J.","unstructured":"Mahboob, J. and Coffman, J., 2021, January. A kubernetes ci\/cd pipeline with asylo as a trusted execution environment abstraction framework. In 2021 IEEE 11th Annual Computing and Communication Workshop and Conference (CCWC) (pp. 0529-0535). IEEE."},{"key":"e_1_3_3_1_30_2","volume-title":"Proceedings of the 31st ACM Joint European Software Engineering Conference and Symposium on the Foundations of Software Engineering (pp. 1985-1996)","author":"Banerjee","unstructured":"Banerjee, Subarno, et al. \u201cCompositional taint analysis for enforcing security policies at scale.\u201d In Proceedings of the 31st ACM Joint European Software Engineering Conference and Symposium on the Foundations of Software Engineering (pp. 1985-1996)."},{"key":"e_1_3_3_1_31_2","first-page":"31","volume-title":"Tamilnadu","year":"2022","unstructured":"V. S. N, L. Mohan Saini and H. Mohan, \"Cloud Computing in Automation Testing,\" 2022 International Conference on Edge Computing and Applications (ICECAA), Tamilnadu, India, 2022, pp. 31-36."},{"issue":"1","key":"e_1_3_3_1_32_2","doi-asserted-by":"crossref","first-page":"403","DOI":"10.1109\/TDSC.2023.3253572","article-title":"Ambush from all sides: Understanding security threats in open-source software ci\/cd pipelines","volume":"21","author":"Pan Z.","year":"2023","unstructured":"Pan, Z., Shen, W., Wang, X., Yang, Y., Chang, R., Liu, Y., Liu, C., Liu, Y. and Ren, K., 2023. Ambush from all sides: Understanding security threats in open-source software ci\/cd pipelines. IEEE Transactions on Dependable and Secure Computing, 21(1), pp.403-418.","journal-title":"IEEE Transactions on Dependable and Secure Computing"},{"key":"e_1_3_3_1_33_2","volume-title":"Proceedings of the 15th ACM\/IEEE International Symposium on Empirical Software Engineering and Measurement (ESEM) (pp. 1-12)","author":"Rajapakse R.N.","unstructured":"Rajapakse, R.N., Zahedi, M. and Babar, M.A., 2021, October. An empirical analysis of practitioners' perspectives on security tool integration into devops. In Proceedings of the 15th ACM\/IEEE International Symposium on Empirical Software Engineering and Measurement (ESEM) (pp. 1-12)."},{"key":"e_1_3_3_1_34_2","volume-title":"USA","author":"J\u00fanior R. C. A.","year":"2022","unstructured":"R. S. de O. J\u00fanior, R. C. A. da Silva, M. S. Santos, D. W. Albuquerque, H. O. Almeida and D. F. S. Santos, \"An Extensible and Secure Architecture based on Microservices,\" 2022 IEEE International Conference on Consumer Electronics (ICCE), Las Vegas, NV, USA, 2022."},{"key":"e_1_3_3_1_35_2","first-page":"1","volume-title":"Bosnia and Herzegovina","author":"Raili\u0107 M.","year":"2021","unstructured":"N. Raili\u0107 and M. Savi\u0107, \"Architecting Continuous Integration and Continuous Deployment for Microservice Architecture,\" 2021 20th International Symposium INFOTEH-JAHORINA (INFOTEH), East Sarajevo, Bosnia and Herzegovina, 2021, pp. 1-5."},{"key":"e_1_3_3_1_36_2","volume-title":"European Conference on Software Architecture (pp. 3-18)","author":"Genfer P.","unstructured":"Genfer, P. and Zdun, U., 2022, September. Avoiding excessive data exposure through microservice APIs. In European Conference on Software Architecture (pp. 3-18). Cham: Springer International Publishing."},{"key":"e_1_3_3_1_37_2","volume-title":"Secco: Automated services to secure containers in the devops paradigm.\" Proceedings of the 2023 International Conference on Research in Adaptive and Convergent Systems","author":"Verderame","year":"2023","unstructured":"Verderame, Luca, et al. \"Secco: Automated services to secure containers in the devops paradigm.\" Proceedings of the 2023 International Conference on Research in Adaptive and Convergent Systems. 2023."},{"key":"e_1_3_3_1_38_2","doi-asserted-by":"publisher","DOI":"10.1109\/EuroSPW.2019.00021"},{"key":"e_1_3_3_1_39_2","doi-asserted-by":"publisher","DOI":"10.1109\/ICSA-C.2019.00026"},{"key":"e_1_3_3_1_40_2","doi-asserted-by":"publisher","DOI":"10.1109\/ICSE.2017.30"},{"key":"e_1_3_3_1_41_2","doi-asserted-by":"publisher","DOI":"10.1109\/RELENG.2015.11"},{"key":"e_1_3_3_1_42_2","volume-title":"Sinaia","author":"Walker L.","year":"2023","unstructured":"M. Walker, L. Klingel, S. Oechsle, M. Neubauer, A. Lechler and A. Verl, \"Safeguarded Continuous Deployment of Control Containers through Real-Time Simulation,\" 2023 IEEE 28th International Conference on Emerging Technologies and Factory Automation (ETFA), Sinaia, Romania, 2023."},{"key":"e_1_3_3_1_43_2","doi-asserted-by":"crossref","unstructured":"Fel\u00edcio D. Sim\u00e3o J. and Datia N. 2023. RapiTest: Continuous Black-Box Testing of RESTful Web APIs. Procedia Computer Science 219.","DOI":"10.1016\/j.procs.2023.01.322"},{"key":"e_1_3_3_1_44_2","doi-asserted-by":"publisher","DOI":"10.1145\/2786805.2786850"},{"key":"e_1_3_3_1_45_2","doi-asserted-by":"publisher","DOI":"10.1109\/SecDev56634.2023.00018"},{"key":"e_1_3_3_1_46_2","doi-asserted-by":"publisher","DOI":"10.1109\/ICCE50685.2021.9427677"},{"key":"e_1_3_3_1_47_2","first-page":"1","volume-title":"Durban","author":"Doukoure E.","year":"2018","unstructured":"G. A. K. Doukoure and E. Mnkandla, \"Facilitating the Management of Agile and Devops Activities: Implementation of a Data Consolidator,\" 2018 International Conference on Advances in Big Data, Computing and Data Communication Systems (icABCD), Durban, South Africa, 2018, pp. 1-6,"},{"key":"e_1_3_3_1_48_2","volume-title":"Proceedings of the 4th International Workshop on Rapid Continuous Software Engineering (RCoSE '18)","author":"Thomas F.","year":"2018","unstructured":"Thomas F. D\u00fcllmann, Christina Paule, and Andr\u00e9 van Hoorn. 2018. Exploiting DevOps Practices for Dependable and Secure Continuous Delivery Pipelines. In Proceedings of the 4th International Workshop on Rapid Continuous Software Engineering (RCoSE '18). ACM, New York, NY, USA."},{"key":"e_1_3_3_1_49_2","volume-title":"USA","author":"Brady S.","year":"2020","unstructured":"K. Brady, S. Moon, T. Nguyen and J. Coffman, \"Docker Container Security in Cloud Computing,\" 2020 10th Annual Computing and Communication Workshop and Conference (CCWC), Las Vegas, NV, USA, 2020."},{"key":"e_1_3_3_1_50_2","first-page":"1","volume-title":"USA","author":"Torkura M. I. H.","year":"2018","unstructured":"K. A. Torkura, M. I. H. Sukmana, T. Strauss, H. Graupner, F. Cheng and C. Meinel, \"CSBAuditor: Proactive Security Risk Analysis for Cloud Storage Broker Systems,\" 2018 IEEE 17th International Symposium on Network Computing and Applications (NCA), Cambridge, MA, USA, 2018, pp. 1-10."},{"key":"e_1_3_3_1_51_2","volume-title":"no. 3","author":"Zissis","year":"2012","unstructured":"Zissis, Dimitrios, and Dimitrios Lekkas. \"Addressing cloud computing security issues.\" Future Generation computer systems 28, no. 3 (2012)."},{"key":"e_1_3_3_1_52_2","volume-title":"Proceedings of the 20th International Conference on Evaluation of Novel Approaches to Software Engineering (ENASE 2025","author":"Saleh S.M.","year":"2025","unstructured":"Saleh, S.M.; Madhavji, N.; Steinbacher, J. Towards a Blockchain-Based CI\/CD Framework to Enhance Security in Cloud Environments. In Proceedings of the 20th International Conference on Evaluation of Novel Approaches to Software Engineering (ENASE 2025), Porto, Portugal, 4\u20136 April 2025."},{"key":"e_1_3_3_1_53_2","doi-asserted-by":"publisher","DOI":"10.1145\/3689938.3694779"},{"key":"e_1_3_3_1_54_2","volume-title":"IEEE\/ACIS International Winter Conference on Software Engineering, Artificial Intelligence, Networking and Parallel\/Distributed Computing (SNPD 2024-Winter)","author":"Saleh S.M.","year":"2024","unstructured":"Saleh, S.M.; Madhavji, N.; Steinbacher, J, \"Enhancing Cloud Security through Topic Modelling, \"28th IEEE\/ACIS International Winter Conference on Software Engineering, Artificial Intelligence, Networking and Parallel\/Distributed Computing (SNPD 2024-Winter), December 04-06, 2024. IEEE."},{"key":"e_1_3_3_1_55_2","doi-asserted-by":"publisher","DOI":"10.1109\/ICSME64153.2025.00101"},{"key":"e_1_3_3_1_56_2","doi-asserted-by":"crossref","unstructured":"Zhang He Muhammad Ali Babar and Paolo Tell. \"Identifying relevant studies in software engineering.\" Information and Software Technology 53 no. 6 (2011): 625-637.","DOI":"10.1016\/j.infsof.2010.12.010"},{"key":"e_1_3_3_1_57_2","unstructured":"Caldiera Victor R. Basili Gianluigi and H. Dieter Rombach. \"The goal question metric approach.\" Encyclopedia of software engineering (1994)."}],"event":{"name":"CCIOT 2025: 2025 10th International Conference on Cloud Computing and Internet of Things","location":"Ho Chi Minh , Vietnam","acronym":"CCIOT 2025"},"container-title":["Proceedings of the 2025 10th International Conference on Cloud Computing and Internet of Things"],"original-title":[],"link":[{"URL":"https:\/\/dl.acm.org\/doi\/pdf\/10.1145\/3785520.3785526","content-type":"unspecified","content-version":"vor","intended-application":"similarity-checking"}],"deposited":{"date-parts":[[2026,2,4]],"date-time":"2026-02-04T09:02:45Z","timestamp":1770195765000},"score":1,"resource":{"primary":{"URL":"https:\/\/dl.acm.org\/doi\/10.1145\/3785520.3785526"}},"subtitle":[],"short-title":[],"issued":{"date-parts":[[2025,11,26]]},"references-count":57,"alternative-id":["10.1145\/3785520.3785526","10.1145\/3785520"],"URL":"https:\/\/doi.org\/10.1145\/3785520.3785526","relation":{},"subject":[],"published":{"date-parts":[[2025,11,26]]},"assertion":[{"value":"2026-02-04","order":3,"name":"published","label":"Published","group":{"name":"publication_history","label":"Publication History"}}]}}