{"id":"https://openalex.org/W7127655228","doi":"https://doi.org/10.1145/3785520.3785526","title":"A Defence-Oriented Study of API Security in CI/CD Pipelines","display_name":"A Defence-Oriented Study of API Security in CI/CD Pipelines","publication_year":2025,"publication_date":"2025-11-26","ids":{"openalex":"https://openalex.org/W7127655228","doi":"https://doi.org/10.1145/3785520.3785526"},"language":null,"primary_location":{"id":"doi:10.1145/3785520.3785526","is_oa":true,"landing_page_url":"https://doi.org/10.1145/3785520.3785526","pdf_url":null,"source":null,"license":"cc-by","license_id":"https://openalex.org/licenses/cc-by","version":"publishedVersion","is_accepted":true,"is_published":true,"raw_source_name":"Proceedings of the 2025 10th International Conference on Cloud Computing and Internet of Things","raw_type":"proceedings-article"},"type":"article","indexed_in":["crossref"],"open_access":{"is_oa":true,"oa_status":"gold","oa_url":"https://doi.org/10.1145/3785520.3785526","any_repository_has_fulltext":null},"authorships":[{"author_position":"first","author":{"id":"https://openalex.org/A5091239061","display_name":"Sabbir M. Saleh","orcid":"https://orcid.org/0000-0001-9944-2615"},"institutions":[{"id":"https://openalex.org/I125749732","display_name":"Western University","ror":"https://ror.org/02grkyz14","country_code":"CA","type":"education","lineage":["https://openalex.org/I125749732"]}],"countries":["CA"],"is_corresponding":false,"raw_author_name":"Sabbir M. Saleh","raw_affiliation_strings":["Computer Science University of Western Ontario, London, ON, Canada,"],"raw_orcid":"https://orcid.org/0000-0001-9944-2615","affiliations":[{"raw_affiliation_string":"Computer Science University of Western Ontario, London, ON, Canada,","institution_ids":["https://openalex.org/I125749732"]}]},{"author_position":"middle","author":{"id":"https://openalex.org/A5123402696","display_name":"Md Nafiz Al Ifat","orcid":null},"institutions":[{"id":"https://openalex.org/I125749732","display_name":"Western University","ror":"https://ror.org/02grkyz14","country_code":"CA","type":"education","lineage":["https://openalex.org/I125749732"]}],"countries":["CA"],"is_corresponding":false,"raw_author_name":"Md Nafiz Al Ifat","raw_affiliation_strings":["Computer Science University of Western Ontario, London, ON, Canada,"],"raw_orcid":"https://orcid.org/0009-0007-9928-7943","affiliations":[{"raw_affiliation_string":"Computer Science University of Western Ontario, London, ON, Canada,","institution_ids":["https://openalex.org/I125749732"]}]},{"author_position":"middle","author":{"id":"https://openalex.org/A5000893987","display_name":"Nazim H. Madhavji","orcid":"https://orcid.org/0009-0006-5207-3203"},"institutions":[{"id":"https://openalex.org/I125749732","display_name":"Western University","ror":"https://ror.org/02grkyz14","country_code":"CA","type":"education","lineage":["https://openalex.org/I125749732"]}],"countries":["CA"],"is_corresponding":false,"raw_author_name":"Nazim H. Madhavji","raw_affiliation_strings":["Computer Science University of Western Ontario, London, ON, Canada,"],"raw_orcid":"https://orcid.org/0009-0006-5207-3203","affiliations":[{"raw_affiliation_string":"Computer Science University of Western Ontario, London, ON, Canada,","institution_ids":["https://openalex.org/I125749732"]}]},{"author_position":"last","author":{"id":"https://openalex.org/A5031430369","display_name":"John Steinbacher","orcid":null},"institutions":[{"id":"https://openalex.org/I4210113654","display_name":"IBM (Canada)","ror":"https://ror.org/025sxka56","country_code":"CA","type":"company","lineage":["https://openalex.org/I1341412227","https://openalex.org/I4210113654"]}],"countries":["CA"],"is_corresponding":false,"raw_author_name":"John Steinbacher","raw_affiliation_strings":["Cloud Division IBM Canada Lab, Markham, ON, Canada,"],"raw_orcid":"https://orcid.org/0009-0001-6572-6326","affiliations":[{"raw_affiliation_string":"Cloud Division IBM Canada Lab, Markham, ON, Canada,","institution_ids":["https://openalex.org/I4210113654"]}]}],"institutions":[],"countries_distinct_count":1,"institutions_distinct_count":4,"corresponding_author_ids":[],"corresponding_institution_ids":[],"apc_list":null,"apc_paid":null,"fwci":0.0,"has_fulltext":false,"cited_by_count":0,"citation_normalized_percentile":{"value":0.81042975,"is_in_top_1_percent":false,"is_in_top_10_percent":false},"cited_by_percentile_year":null,"biblio":{"volume":null,"issue":null,"first_page":"33","last_page":"42"},"is_retracted":false,"is_paratext":false,"is_xpac":false,"primary_topic":{"id":"https://openalex.org/T11424","display_name":"Security and Verification in Computing","score":0.7067000269889832,"subfield":{"id":"https://openalex.org/subfields/1702","display_name":"Artificial Intelligence"},"field":{"id":"https://openalex.org/fields/17","display_name":"Computer Science"},"domain":{"id":"https://openalex.org/domains/3","display_name":"Physical Sciences"}},"topics":[{"id":"https://openalex.org/T11424","display_name":"Security and Verification in Computing","score":0.7067000269889832,"subfield":{"id":"https://openalex.org/subfields/1702","display_name":"Artificial Intelligence"},"field":{"id":"https://openalex.org/fields/17","display_name":"Computer Science"},"domain":{"id":"https://openalex.org/domains/3","display_name":"Physical Sciences"}},{"id":"https://openalex.org/T10734","display_name":"Information and Cyber Security","score":0.10019999742507935,"subfield":{"id":"https://openalex.org/subfields/1710","display_name":"Information Systems"},"field":{"id":"https://openalex.org/fields/17","display_name":"Computer Science"},"domain":{"id":"https://openalex.org/domains/3","display_name":"Physical Sciences"}},{"id":"https://openalex.org/T12479","display_name":"Web Application Security Vulnerabilities","score":0.03840000182390213,"subfield":{"id":"https://openalex.org/subfields/1710","display_name":"Information Systems"},"field":{"id":"https://openalex.org/fields/17","display_name":"Computer Science"},"domain":{"id":"https://openalex.org/domains/3","display_name":"Physical Sciences"}}],"keywords":[{"id":"https://openalex.org/keywords/credential","display_name":"Credential","score":0.6288999915122986},{"id":"https://openalex.org/keywords/pipeline-transport","display_name":"Pipeline transport","score":0.6273999810218811},{"id":"https://openalex.org/keywords/software-deployment","display_name":"Software deployment","score":0.5501999855041504},{"id":"https://openalex.org/keywords/cloud-computing","display_name":"Cloud computing","score":0.539900004863739},{"id":"https://openalex.org/keywords/access-control","display_name":"Access control","score":0.515999972820282},{"id":"https://openalex.org/keywords/pipeline","display_name":"Pipeline (software)","score":0.5145999789237976},{"id":"https://openalex.org/keywords/key","display_name":"Key (lock)","score":0.5062999725341797},{"id":"https://openalex.org/keywords/enforcement","display_name":"Enforcement","score":0.48100000619888306},{"id":"https://openalex.org/keywords/resilience","display_name":"Resilience (materials science)","score":0.4652999937534332}],"concepts":[{"id":"https://openalex.org/C41008148","wikidata":"https://www.wikidata.org/wiki/Q21198","display_name":"Computer science","level":0,"score":0.6689000129699707},{"id":"https://openalex.org/C2777810591","wikidata":"https://www.wikidata.org/wiki/Q16861606","display_name":"Credential","level":2,"score":0.6288999915122986},{"id":"https://openalex.org/C38652104","wikidata":"https://www.wikidata.org/wiki/Q3510521","display_name":"Computer security","level":1,"score":0.6277999877929688},{"id":"https://openalex.org/C175309249","wikidata":"https://www.wikidata.org/wiki/Q725864","display_name":"Pipeline transport","level":2,"score":0.6273999810218811},{"id":"https://openalex.org/C105339364","wikidata":"https://www.wikidata.org/wiki/Q2297740","display_name":"Software deployment","level":2,"score":0.5501999855041504},{"id":"https://openalex.org/C79974875","wikidata":"https://www.wikidata.org/wiki/Q483639","display_name":"Cloud computing","level":2,"score":0.539900004863739},{"id":"https://openalex.org/C527821871","wikidata":"https://www.wikidata.org/wiki/Q228502","display_name":"Access control","level":2,"score":0.515999972820282},{"id":"https://openalex.org/C43521106","wikidata":"https://www.wikidata.org/wiki/Q2165493","display_name":"Pipeline (software)","level":2,"score":0.5145999789237976},{"id":"https://openalex.org/C26517878","wikidata":"https://www.wikidata.org/wiki/Q228039","display_name":"Key (lock)","level":2,"score":0.5062999725341797},{"id":"https://openalex.org/C2779777834","wikidata":"https://www.wikidata.org/wiki/Q4202277","display_name":"Enforcement","level":2,"score":0.48100000619888306},{"id":"https://openalex.org/C2779585090","wikidata":"https://www.wikidata.org/wiki/Q3457762","display_name":"Resilience (materials science)","level":2,"score":0.4652999937534332},{"id":"https://openalex.org/C2777407602","wikidata":"https://www.wikidata.org/wiki/Q1888932","display_name":"Mandatory access control","level":4,"score":0.4250999987125397},{"id":"https://openalex.org/C99613125","wikidata":"https://www.wikidata.org/wiki/Q165194","display_name":"Application programming interface","level":2,"score":0.41830000281333923},{"id":"https://openalex.org/C154908896","wikidata":"https://www.wikidata.org/wiki/Q2167404","display_name":"Security policy","level":2,"score":0.4034000039100647},{"id":"https://openalex.org/C2780378061","wikidata":"https://www.wikidata.org/wiki/Q25351891","display_name":"Service (business)","level":2,"score":0.34220001101493835},{"id":"https://openalex.org/C115903868","wikidata":"https://www.wikidata.org/wiki/Q80993","display_name":"Software engineering","level":1,"score":0.3400999903678894},{"id":"https://openalex.org/C38369872","wikidata":"https://www.wikidata.org/wiki/Q7445009","display_name":"Security analysis","level":2,"score":0.32600000500679016},{"id":"https://openalex.org/C97686452","wikidata":"https://www.wikidata.org/wiki/Q7604153","display_name":"Static analysis","level":2,"score":0.27970001101493835},{"id":"https://openalex.org/C105446022","wikidata":"https://www.wikidata.org/wiki/Q445962","display_name":"Legacy system","level":3,"score":0.2782000005245209},{"id":"https://openalex.org/C116537","wikidata":"https://www.wikidata.org/wiki/Q2169973","display_name":"Service provider","level":3,"score":0.27630001306533813},{"id":"https://openalex.org/C47487241","wikidata":"https://www.wikidata.org/wiki/Q5227230","display_name":"Data access","level":2,"score":0.2563000023365021},{"id":"https://openalex.org/C184842701","wikidata":"https://www.wikidata.org/wiki/Q370563","display_name":"Cloud computing security","level":3,"score":0.25600001215934753},{"id":"https://openalex.org/C178489894","wikidata":"https://www.wikidata.org/wiki/Q8789","display_name":"Cryptography","level":2,"score":0.25360000133514404},{"id":"https://openalex.org/C77109596","wikidata":"https://www.wikidata.org/wiki/Q4781497","display_name":"Application security","level":5,"score":0.2522999942302704}],"mesh":[],"locations_count":1,"locations":[{"id":"doi:10.1145/3785520.3785526","is_oa":true,"landing_page_url":"https://doi.org/10.1145/3785520.3785526","pdf_url":null,"source":null,"license":"cc-by","license_id":"https://openalex.org/licenses/cc-by","version":"publishedVersion","is_accepted":true,"is_published":true,"raw_source_name":"Proceedings of the 2025 10th International Conference on Cloud Computing and Internet of Things","raw_type":"proceedings-article"}],"best_oa_location":{"id":"doi:10.1145/3785520.3785526","is_oa":true,"landing_page_url":"https://doi.org/10.1145/3785520.3785526","pdf_url":null,"source":null,"license":"cc-by","license_id":"https://openalex.org/licenses/cc-by","version":"publishedVersion","is_accepted":true,"is_published":true,"raw_source_name":"Proceedings of the 2025 10th International Conference on Cloud Computing and Internet of Things","raw_type":"proceedings-article"},"sustainable_development_goals":[],"awards":[],"funders":[],"has_content":{"grobid_xml":false,"pdf":false},"content_urls":null,"referenced_works_count":23,"referenced_works":["https://openalex.org/W2037789405","https://openalex.org/W2040915209","https://openalex.org/W2133933998","https://openalex.org/W2593989684","https://openalex.org/W2603119212","https://openalex.org/W2946009361","https://openalex.org/W2963834817","https://openalex.org/W2966008409","https://openalex.org/W2996817393","https://openalex.org/W3134221463","https://openalex.org/W3161479362","https://openalex.org/W3193339215","https://openalex.org/W4233279977","https://openalex.org/W4285248702","https://openalex.org/W4323519529","https://openalex.org/W4353005048","https://openalex.org/W4388483494","https://openalex.org/W4404515188","https://openalex.org/W4404579260","https://openalex.org/W4404628324","https://openalex.org/W4405522777","https://openalex.org/W4406866500","https://openalex.org/W4415746249"],"related_works":[],"abstract_inverted_index":{"Current":[0],"CI/CD":[1,53,112,144],"(Continuous":[2],"Integration/Continuous":[3],"Deployment)":[4],"pipelines":[5,26],"rely":[6],"heavily":[7],"on":[8,56],"APIs":[9],"(Application":[10],"Programming":[11],"Interfaces)":[12],"to":[13,141],"automate":[14],"builds,":[15],"deployments,":[16],"and":[17,60,90,105,107,122,137,152],"service":[18],"orchestration.":[19],"However,":[20],"the":[21,57,143],"growing":[22],"complexity":[23],"of":[24,49,71],"these":[25,130],"has":[27],"revealed":[28],"new":[29],"challenges,":[30],"including":[31,80],"credential":[32],"management,":[33],"access":[34,82],"control,":[35],"runtime":[36,120],"enforcement,":[37,89],"etc.,":[38],"in":[39,154],"securing":[40],"API":[41,50,156],"endpoints.":[42],"This":[43,148],"study":[44,149],"presents":[45],"a":[46,68,134],"defence-oriented":[47],"analysis":[48,115],"security":[51],"within":[52],"pipelines,":[54],"focusing":[55],"tools,":[58,97],"practices,":[59],"challenges":[61],"that":[62],"outline":[63,138],"real-world":[64],"protection":[65],"approaches.":[66],"Through":[67],"systematic":[69],"review":[70],"34":[72],"peer-reviewed":[73],"articles,":[74],"we":[75,132],"identified":[76],"key":[77],"defensive":[78],"mechanisms,":[79],"role-based":[81],"control":[83],"(RBAC),":[84],"secrets":[85],"vaults,":[86],"Policy-as-Code":[87],"(PaC)":[88],"multi-factor":[91],"authentication.":[92],"We":[93],"evaluated":[94],"widely":[95],"adopted":[96],"such":[98],"as":[99],"HashiCorp":[100],"Vault,":[101],"Open":[102],"Policy":[103],"Agent,":[104],"Snyk,":[106],"examined":[108],"their":[109],"deployment":[110],"across":[111,125,158],"stages.":[113],"Our":[114],"reveals":[116],"unstable":[117],"adoption,":[118],"limited":[119],"observability,":[121],"fragmented":[123],"enforcement":[124],"cloud":[126],"platforms.":[127],"To":[128],"address":[129],"gaps,":[131],"propose":[133],"defence-mapping":[135],"framework":[136],"actionable":[139],"proposals":[140],"secure":[142],"pipeline":[145],"by":[146],"design.":[147],"supports":[150],"practitioners":[151],"researchers":[153],"advancing":[155],"resilience":[157],"DevSecOps":[159],"workflows.":[160]},"counts_by_year":[],"updated_date":"2026-06-11T09:08:48.828518","created_date":"2026-02-06T00:00:00"}
