{"id":"https://openalex.org/W7124920585","doi":"https://doi.org/10.1109/cloudcom67567.2025.11331540","title":"A Threat-Oriented Study of API Security Challenges in CI/CD Pipelines","display_name":"A Threat-Oriented Study of API Security Challenges in CI/CD Pipelines","publication_year":2025,"publication_date":"2025-11-14","ids":{"openalex":"https://openalex.org/W7124920585","doi":"https://doi.org/10.1109/cloudcom67567.2025.11331540"},"language":null,"primary_location":{"id":"doi:10.1109/cloudcom67567.2025.11331540","is_oa":false,"landing_page_url":"https://doi.org/10.1109/cloudcom67567.2025.11331540","pdf_url":null,"source":null,"license":null,"license_id":null,"version":"publishedVersion","is_accepted":true,"is_published":true,"raw_source_name":"2025 IEEE International Conference on Cloud Computing Technology and Science (CloudCom)","raw_type":"proceedings-article"},"type":"article","indexed_in":["crossref"],"open_access":{"is_oa":false,"oa_status":"closed","oa_url":null,"any_repository_has_fulltext":false},"authorships":[{"author_position":"first","author":{"id":"https://openalex.org/A5091239061","display_name":"Sabbir M. Saleh","orcid":"https://orcid.org/0000-0001-9944-2615"},"institutions":[{"id":"https://openalex.org/I125749732","display_name":"Western University","ror":"https://ror.org/02grkyz14","country_code":"CA","type":"education","lineage":["https://openalex.org/I125749732"]}],"countries":["CA"],"is_corresponding":true,"raw_author_name":"Sabbir M. 
Saleh","raw_affiliation_strings":["Computer Science, University of Western Ontario,London,ON,Canada"],"raw_orcid":"https://orcid.org/0000-0001-9944-2615","affiliations":[{"raw_affiliation_string":"Computer Science, University of Western Ontario,London,ON,Canada","institution_ids":["https://openalex.org/I125749732"]}]},{"author_position":"middle","author":{"id":"https://openalex.org/A5123402696","display_name":"Md Nafiz Al Ifat","orcid":null},"institutions":[{"id":"https://openalex.org/I125749732","display_name":"Western University","ror":"https://ror.org/02grkyz14","country_code":"CA","type":"education","lineage":["https://openalex.org/I125749732"]}],"countries":["CA"],"is_corresponding":false,"raw_author_name":"Md Nafiz Al Ifat","raw_affiliation_strings":["Computer Science, University of Western Ontario,London,ON,Canada"],"raw_orcid":"https://orcid.org/0009-0007-9928-7943","affiliations":[{"raw_affiliation_string":"Computer Science, University of Western Ontario,London,ON,Canada","institution_ids":["https://openalex.org/I125749732"]}]},{"author_position":"middle","author":{"id":"https://openalex.org/A5000893987","display_name":"Nazim H. Madhavji","orcid":"https://orcid.org/0009-0006-5207-3203"},"institutions":[{"id":"https://openalex.org/I125749732","display_name":"Western University","ror":"https://ror.org/02grkyz14","country_code":"CA","type":"education","lineage":["https://openalex.org/I125749732"]}],"countries":["CA"],"is_corresponding":false,"raw_author_name":"Nazim H. 
Madhavji","raw_affiliation_strings":["Computer Science, University of Western Ontario,London,ON,Canada"],"raw_orcid":"https://orcid.org/0009-0006-5207-3203","affiliations":[{"raw_affiliation_string":"Computer Science, University of Western Ontario,London,ON,Canada","institution_ids":["https://openalex.org/I125749732"]}]},{"author_position":"last","author":{"id":"https://openalex.org/A5031430369","display_name":"John Steinbacher","orcid":null},"institutions":[{"id":"https://openalex.org/I4210113654","display_name":"IBM (Canada)","ror":"https://ror.org/025sxka56","country_code":"CA","type":"company","lineage":["https://openalex.org/I1341412227","https://openalex.org/I4210113654"]}],"countries":["CA"],"is_corresponding":false,"raw_author_name":"John Steinbacher","raw_affiliation_strings":["Cloud Division, IBM Canada Lab,Markham,ON,Canada"],"raw_orcid":"https://orcid.org/0009-0001-6572-6326","affiliations":[{"raw_affiliation_string":"Cloud Division, IBM Canada Lab,Markham,ON,Canada","institution_ids":["https://openalex.org/I4210113654"]}]}],"institutions":[],"countries_distinct_count":1,"institutions_distinct_count":4,"corresponding_author_ids":["https://openalex.org/A5091239061"],"corresponding_institution_ids":["https://openalex.org/I125749732"],"apc_list":null,"apc_paid":null,"fwci":0.0,"has_fulltext":false,"cited_by_count":0,"citation_normalized_percentile":{"value":0.82328156,"is_in_top_1_percent":false,"is_in_top_10_percent":false},"cited_by_percentile_year":null,"biblio":{"volume":null,"issue":null,"first_page":"1","last_page":"8"},"is_retracted":false,"is_paratext":false,"is_xpac":false,"primary_topic":{"id":"https://openalex.org/T11424","display_name":"Security and Verification in Computing","score":0.4203999936580658,"subfield":{"id":"https://openalex.org/subfields/1702","display_name":"Artificial Intelligence"},"field":{"id":"https://openalex.org/fields/17","display_name":"Computer 
Science"},"domain":{"id":"https://openalex.org/domains/3","display_name":"Physical Sciences"}},"topics":[{"id":"https://openalex.org/T11424","display_name":"Security and Verification in Computing","score":0.4203999936580658,"subfield":{"id":"https://openalex.org/subfields/1702","display_name":"Artificial Intelligence"},"field":{"id":"https://openalex.org/fields/17","display_name":"Computer Science"},"domain":{"id":"https://openalex.org/domains/3","display_name":"Physical Sciences"}},{"id":"https://openalex.org/T10734","display_name":"Information and Cyber Security","score":0.33880001306533813,"subfield":{"id":"https://openalex.org/subfields/1710","display_name":"Information Systems"},"field":{"id":"https://openalex.org/fields/17","display_name":"Computer Science"},"domain":{"id":"https://openalex.org/domains/3","display_name":"Physical Sciences"}},{"id":"https://openalex.org/T12479","display_name":"Web Application Security Vulnerabilities","score":0.10170000046491623,"subfield":{"id":"https://openalex.org/subfields/1710","display_name":"Information Systems"},"field":{"id":"https://openalex.org/fields/17","display_name":"Computer Science"},"domain":{"id":"https://openalex.org/domains/3","display_name":"Physical Sciences"}}],"keywords":[{"id":"https://openalex.org/keywords/workflow","display_name":"Workflow","score":0.6399999856948853},{"id":"https://openalex.org/keywords/security-bug","display_name":"Security bug","score":0.5198000073432922},{"id":"https://openalex.org/keywords/credential","display_name":"Credential","score":0.5011000037193298},{"id":"https://openalex.org/keywords/pipeline","display_name":"Pipeline (software)","score":0.46549999713897705},{"id":"https://openalex.org/keywords/pipeline-transport","display_name":"Pipeline transport","score":0.45399999618530273},{"id":"https://openalex.org/keywords/dependency","display_name":"Dependency 
(UML)","score":0.4478999972343445},{"id":"https://openalex.org/keywords/devops","display_name":"DevOps","score":0.43290001153945923},{"id":"https://openalex.org/keywords/software","display_name":"Software","score":0.4244000017642975},{"id":"https://openalex.org/keywords/threat-model","display_name":"Threat model","score":0.421099990606308},{"id":"https://openalex.org/keywords/confusion","display_name":"Confusion","score":0.4124000072479248}],"concepts":[{"id":"https://openalex.org/C41008148","wikidata":"https://www.wikidata.org/wiki/Q21198","display_name":"Computer science","level":0,"score":0.7042999863624573},{"id":"https://openalex.org/C177212765","wikidata":"https://www.wikidata.org/wiki/Q627335","display_name":"Workflow","level":2,"score":0.6399999856948853},{"id":"https://openalex.org/C38652104","wikidata":"https://www.wikidata.org/wiki/Q3510521","display_name":"Computer security","level":1,"score":0.6378999948501587},{"id":"https://openalex.org/C131275738","wikidata":"https://www.wikidata.org/wiki/Q7445023","display_name":"Security bug","level":5,"score":0.5198000073432922},{"id":"https://openalex.org/C2777810591","wikidata":"https://www.wikidata.org/wiki/Q16861606","display_name":"Credential","level":2,"score":0.5011000037193298},{"id":"https://openalex.org/C43521106","wikidata":"https://www.wikidata.org/wiki/Q2165493","display_name":"Pipeline (software)","level":2,"score":0.46549999713897705},{"id":"https://openalex.org/C175309249","wikidata":"https://www.wikidata.org/wiki/Q725864","display_name":"Pipeline transport","level":2,"score":0.45399999618530273},{"id":"https://openalex.org/C19768560","wikidata":"https://www.wikidata.org/wiki/Q320727","display_name":"Dependency 
(UML)","level":2,"score":0.4478999972343445},{"id":"https://openalex.org/C9903902","wikidata":"https://www.wikidata.org/wiki/Q3025536","display_name":"DevOps","level":3,"score":0.43290001153945923},{"id":"https://openalex.org/C2777904410","wikidata":"https://www.wikidata.org/wiki/Q7397","display_name":"Software","level":2,"score":0.4244000017642975},{"id":"https://openalex.org/C140547941","wikidata":"https://www.wikidata.org/wiki/Q7797194","display_name":"Threat model","level":2,"score":0.421099990606308},{"id":"https://openalex.org/C2781140086","wikidata":"https://www.wikidata.org/wiki/Q557945","display_name":"Confusion","level":2,"score":0.4124000072479248},{"id":"https://openalex.org/C115903868","wikidata":"https://www.wikidata.org/wiki/Q80993","display_name":"Software engineering","level":1,"score":0.3962000012397766},{"id":"https://openalex.org/C10144332","wikidata":"https://www.wikidata.org/wiki/Q14645","display_name":"Rootkit","level":3,"score":0.3806999921798706},{"id":"https://openalex.org/C71745522","wikidata":"https://www.wikidata.org/wiki/Q2476929","display_name":"Confidentiality","level":2,"score":0.353300005197525},{"id":"https://openalex.org/C62913178","wikidata":"https://www.wikidata.org/wiki/Q7554361","display_name":"Software security assurance","level":4,"score":0.3515999913215637},{"id":"https://openalex.org/C2780138299","wikidata":"https://www.wikidata.org/wiki/Q3404265","display_name":"Privilege (computing)","level":2,"score":0.3005000054836273},{"id":"https://openalex.org/C541664917","wikidata":"https://www.wikidata.org/wiki/Q14001","display_name":"Malware","level":2,"score":0.2994000017642975},{"id":"https://openalex.org/C95713431","wikidata":"https://www.wikidata.org/wiki/Q631425","display_name":"Vulnerability 
(computing)","level":2,"score":0.28999999165534973},{"id":"https://openalex.org/C178489894","wikidata":"https://www.wikidata.org/wiki/Q8789","display_name":"Cryptography","level":2,"score":0.28630000352859497},{"id":"https://openalex.org/C2776831232","wikidata":"https://www.wikidata.org/wiki/Q966812","display_name":"Trusted Computing","level":2,"score":0.28450000286102295},{"id":"https://openalex.org/C2775941552","wikidata":"https://www.wikidata.org/wiki/Q25212305","display_name":"Isolation (microbiology)","level":2,"score":0.2818000018596649},{"id":"https://openalex.org/C22680326","wikidata":"https://www.wikidata.org/wiki/Q7444867","display_name":"Secure coding","level":5,"score":0.2815000116825104},{"id":"https://openalex.org/C165696696","wikidata":"https://www.wikidata.org/wiki/Q11287","display_name":"Exploit","level":2,"score":0.2802000045776367},{"id":"https://openalex.org/C33762810","wikidata":"https://www.wikidata.org/wiki/Q461671","display_name":"Data integrity","level":2,"score":0.2703000009059906},{"id":"https://openalex.org/C153185123","wikidata":"https://www.wikidata.org/wiki/Q1391624","display_name":"Sequence diagram","level":4,"score":0.26930001378059387},{"id":"https://openalex.org/C99613125","wikidata":"https://www.wikidata.org/wiki/Q165194","display_name":"Application programming interface","level":2,"score":0.2676999866962433},{"id":"https://openalex.org/C58642233","wikidata":"https://www.wikidata.org/wiki/Q8269924","display_name":"Taxonomy (biology)","level":2,"score":0.2662000060081482},{"id":"https://openalex.org/C105446022","wikidata":"https://www.wikidata.org/wiki/Q445962","display_name":"Legacy system","level":3,"score":0.26249998807907104},{"id":"https://openalex.org/C16311509","wikidata":"https://www.wikidata.org/wiki/Q4148050","display_name":"Dependency 
graph","level":3,"score":0.26109999418258667},{"id":"https://openalex.org/C124304363","wikidata":"https://www.wikidata.org/wiki/Q673661","display_name":"Abstraction","level":2,"score":0.25929999351501465},{"id":"https://openalex.org/C2779395397","wikidata":"https://www.wikidata.org/wiki/Q15731404","display_name":"Malware analysis","level":3,"score":0.2581999897956848},{"id":"https://openalex.org/C38369872","wikidata":"https://www.wikidata.org/wiki/Q7445009","display_name":"Security analysis","level":2,"score":0.25690001249313354},{"id":"https://openalex.org/C126831891","wikidata":"https://www.wikidata.org/wiki/Q221673","display_name":"Host (biology)","level":2,"score":0.25589999556541443},{"id":"https://openalex.org/C97686452","wikidata":"https://www.wikidata.org/wiki/Q7604153","display_name":"Static analysis","level":2,"score":0.251800000667572},{"id":"https://openalex.org/C529173508","wikidata":"https://www.wikidata.org/wiki/Q638608","display_name":"Software development","level":3,"score":0.2513999938964844}],"mesh":[],"locations_count":1,"locations":[{"id":"doi:10.1109/cloudcom67567.2025.11331540","is_oa":false,"landing_page_url":"https://doi.org/10.1109/cloudcom67567.2025.11331540","pdf_url":null,"source":null,"license":null,"license_id":null,"version":"publishedVersion","is_accepted":true,"is_published":true,"raw_source_name":"2025 IEEE International Conference on Cloud Computing Technology and Science 
(CloudCom)","raw_type":"proceedings-article"}],"best_oa_location":null,"sustainable_development_goals":[],"awards":[],"funders":[],"has_content":{"grobid_xml":false,"pdf":false},"content_urls":null,"referenced_works_count":46,"referenced_works":["https://openalex.org/W1975675278","https://openalex.org/W2034963557","https://openalex.org/W2040915209","https://openalex.org/W2162739315","https://openalex.org/W2560438049","https://openalex.org/W2593989684","https://openalex.org/W2603119212","https://openalex.org/W2604848143","https://openalex.org/W2798112595","https://openalex.org/W2889806720","https://openalex.org/W2902326211","https://openalex.org/W2906752948","https://openalex.org/W2946009361","https://openalex.org/W2963834817","https://openalex.org/W2996817393","https://openalex.org/W3012308217","https://openalex.org/W3121390030","https://openalex.org/W3134221463","https://openalex.org/W3161479362","https://openalex.org/W3193339215","https://openalex.org/W3195290122","https://openalex.org/W3202451838","https://openalex.org/W4206767299","https://openalex.org/W4220682629","https://openalex.org/W4221123049","https://openalex.org/W4233279977","https://openalex.org/W4285248702","https://openalex.org/W4308562592","https://openalex.org/W4308572924","https://openalex.org/W4313047789","https://openalex.org/W4320881594","https://openalex.org/W4323519529","https://openalex.org/W4353005048","https://openalex.org/W4387583583","https://openalex.org/W4387711980","https://openalex.org/W4388483494","https://openalex.org/W4389164865","https://openalex.org/W4391183346","https://openalex.org/W4391664552","https://openalex.org/W4404356880","https://openalex.org/W4404515188","https://openalex.org/W4404579260","https://openalex.org/W4404628324","https://openalex.org/W4406866500","https://openalex.org/W4409471932","https://openalex.org/W4409640213"],"related_works":[],"abstract_inverted_index":{"APIs":[0,34],"(Application":[1],"Programming":[2],"Interfaces)":[3],"playa":[4],"crucial":[5],"r
ole":[6],"in":[7,140],"modern":[8],"software":[9],"engineering,":[10],"where":[11],"CI/CD":[12,128],"(Continuous":[13],"Integration/Continuous":[14],"Deployment)":[15],"pipelines":[16],"are":[17,43,46,50],"closely":[18],"aligned,":[19],"enabling":[20],"automated":[21],"workflows":[22],"across":[23,64],"source":[24],"control,":[25],"builds,":[26],"secrets":[27,45],"management,":[28],"and":[29,80,92,101,108,130],"deployment.":[30],"However,":[31],"these":[32,114],"same":[33],"can":[35],"expose":[36],"serious":[37],"security":[38],"risks,":[39],"especially":[40],"when":[41],"tokens":[42],"overprivileged,":[44],"hardcoded,":[47],"or":[48],"configurations":[49],"left":[51],"open.":[52],"This":[53],"paper":[54],"reviews":[55],"33":[56],"studies":[57],"to":[58,126,134],"examine":[59],"how":[60],"such":[61],"vulnerabilities":[62],"appear":[63],"different":[65],"pipeline":[66],"stages.":[67],"We":[68],"identified":[69],"recurring":[70],"issues,":[71],"including":[72],"dependency":[73],"confusion":[74],"attacks,":[75],"misconfigured":[76],"Y":[77],"AML":[78],"files,":[79],"credential":[81],"leaks":[82],"caused":[83],"by":[84],"API":[85,124],"misuse.":[86],"Despite":[87],"the":[88],"availability":[89],"of":[90],"tools":[91],"best":[93],"practices,":[94],"most":[95],"research":[96],"focuses":[97],"on":[98,113],"static":[99],"checks":[100],"overlooks":[102],"runtime":[103],"behaviours,":[104],"multi-stage":[105],"attack":[106],"paths,":[107],"privilege":[109],"escalation":[110],"risks.":[111],"Based":[112],"patterns,":[115],"we":[116],"propose":[117],"a":[118],"practical":[119],"threat":[120,138],"taxonomy":[121],"that":[122],"connects":[123],"threats":[125],"specific":[127],"stages":[129],"attacker":[131],"goals,":[132],"aiming":[133],"support":[135],"more":[136],"grounded":[137],"modelling":[139],"DevOps":[141],"environments.":[142]},"counts_by_year":[],"updated_date":"2026-01-22T23:29:09.771500","created_date":"2026-01-21T00:00:00"}
