Corpus ID: 251402512

GLITCH: Automated Polyglot Security Smell Detection in Infrastructure as Code

@inproceedings{Saavedra2022GLITCHAP,
  title={GLITCH: Automated Polyglot Security Smell Detection in Infrastructure as Code},
  author={Nuno Saavedra and Jo{\~a}o Fernando Ferreira},
  year={2022}
}
Infrastructure as Code (IaC) is the process of managing IT infrastructure via programmable configuration files (also called IaC scripts). Like other software artifacts, IaC scripts may contain security smells, which are coding patterns that can result in security weaknesses. Automated analysis tools to detect security smells in IaC scripts exist, but they focus on specific technologies such as Puppet, Ansible, or Chef. This means that when the detection of a new smell is implemented in one of… 
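The abstract describes the gap GLITCH targets: each existing detector understands one technology's syntax, so a smell implemented for Puppet has to be re-implemented for Ansible and Chef. The toy detector below, an added example that is not GLITCH's code or the paper's, illustrates the idea with two syntax-specific front ends (a Puppet `key => 'value'` attribute and an Ansible/YAML `key: value` scalar, both deliberately simplified line-based regexes rather than real parsers) that map onto one technology-agnostic attribute record, against which the smell checks are written once. The four smell names are taken from the Seven Sins catalogue cited in the references below; the manifest and playbook snippets are constructed sample inputs, and the templated-value rule (skip `{{ ... }}` and `$var` references) is an assumption about how a practitioner would avoid false positives on vaulted secrets.

```python
"""Toy polyglot security-smell detector (illustrative, not the GLITCH implementation).

Two technology-specific front ends produce Attribute records; one shared set of
smell checks runs over them, so adding a smell means writing one function.
"""
import re
from dataclasses import dataclass
from typing import Callable, Iterator, List, Optional


@dataclass(frozen=True)
class Attribute:
    """Technology-agnostic view of a single key/value setting in an IaC script."""
    tech: str
    line: int
    key: str
    value: str


@dataclass(frozen=True)
class Finding:
    tech: str
    line: int
    key: str
    smell: str


# Front ends (simplified: quoted/scalar attributes on one line only).
PUPPET_ATTR = re.compile(r"^\s*(\w+)\s*=>\s*['\"](.*?)['\"]\s*,?\s*$")      # key => 'value'
ANSIBLE_ATTR = re.compile(r"^\s*-?\s*(\w+):\s*['\"]?(.*?)['\"]?\s*$")         # [- ]key: value


def _scan(tech: str, text: str, pattern: re.Pattern) -> Iterator[Attribute]:
    for lineno, line in enumerate(text.splitlines(), start=1):
        m = pattern.match(line)
        if m:
            yield Attribute(tech, lineno, m.group(1), m.group(2))


def parse_puppet(text: str) -> List[Attribute]:
    return list(_scan("puppet", text, PUPPET_ATTR))


def parse_ansible(text: str) -> List[Attribute]:
    return list(_scan("ansible", text, ANSIBLE_ATTR))


# Shared smell checks, written once against Attribute. Names follow the Seven Sins catalogue.
SECRET_KEY = re.compile(r"(password|passwd|secret|token|private_key)", re.I)
WEAK_HASH = re.compile(r"\b(md5|sha1)\b", re.I)


def _is_templated(value: str) -> bool:
    # Assumption: a variable or vault reference is not a literal secret (avoids false positives).
    return "{{" in value or value.startswith("$")


def hardcoded_secret(a: Attribute) -> Optional[str]:
    if SECRET_KEY.search(a.key) and a.value and not _is_templated(a.value):
        return "Hard-coded secret"
    return None


def empty_password(a: Attribute) -> Optional[str]:
    if re.search(r"passw", a.key, re.I) and a.value == "":
        return "Empty password"
    return None


def http_without_tls(a: Attribute) -> Optional[str]:
    return "Use of HTTP without TLS" if a.value.lower().startswith("http://") else None


def weak_crypto(a: Attribute) -> Optional[str]:
    return "Use of weak cryptography algorithms" if WEAK_HASH.search(a.value) else None


SMELLS: List[Callable[[Attribute], Optional[str]]] = [
    hardcoded_secret, empty_password, http_without_tls, weak_crypto,
]


def detect(attrs: List[Attribute]) -> List[Finding]:
    """Run every smell check over every attribute, regardless of source technology."""
    return [Finding(a.tech, a.line, a.key, name)
            for a in attrs for check in SMELLS if (name := check(a))]


# Constructed sample inputs (not taken from the paper or any real repository).
PUPPET_SAMPLE = """\
# constructed Puppet manifest
mysql::server { 'db':
  root_password => 'admin123',
  source        => 'http://mirror.example.org/mysql.tar.gz',
}
user { 'deploy':
  ensure   => present,
  password => '',
}
"""

ANSIBLE_SAMPLE = """\
# constructed Ansible playbook
- hosts: db
  tasks:
    - name: create db user
      mysql_user:
        name: app
        password: ""
    - name: fetch package
      get_url:
        url: http://mirror.example.org/app.tar.gz
        checksum: md5:d41d8cd98f00b204e9800998ecf8427e
    - name: register with api
      uri:
        url: https://api.example.org/register
        headers:
          token: "{{ vault_api_token }}"
"""


def detect_all() -> List[Finding]:
    return detect(parse_puppet(PUPPET_SAMPLE)) + detect(parse_ansible(ANSIBLE_SAMPLE))


if __name__ == "__main__":
    for f in detect_all():
        print(f"{f.tech}:{f.line}: {f.smell} ({f.key})")
```

Running it reports six findings: the Puppet manifest's literal root password, plain-HTTP source and empty `password`, and the playbook's empty password, plain-HTTP `url` and MD5 checksum. The vaulted `token` and the HTTPS `url` are not flagged. The point of the structure is that `hardcoded_secret` and friends never see Puppet or YAML syntax; supporting a third technology means adding a front end, not re-implementing each smell.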

References

Showing 10 of 26 references.

The Seven Sins: Security Smells in Infrastructure as Code Scripts

The goal of this paper is to help practitioners avoid insecure coding practices while developing infrastructure as code (IaC) scripts through an empirical study of security smells in IaC scripts.

Security Smells in Ansible and Chef Scripts: A Replication Study

This paper identifies two security smells not reported in prior work, missing default in case statement and no integrity check, and recommends that practitioners rigorously inspect Ansible and Chef scripts for the identified security smells using code review and static analysis tools.

Analyzing Infrastructure as Code to Prevent Intra-update Sniping Vulnerabilities

This work identifies a security vulnerability that occurs during an upgrade even when the initial and final states of the infrastructure are secure, and shows that such vulnerabilities are possible in Amazon's AWS and Google Cloud.

Code Smells in Infrastructure as Code

This paper presents a catalogue of 17 code smells, applied to Chef with an implementation released as open source, and shows that IaC smells are agnostic to the applied technology and can be defined at a technology-agnostic level.

Source Code Properties of Defective Infrastructure as Code Scripts

Characterizing Defective Configuration Scripts Used for Continuous Deployment

A. Rahman, L. Williams. 2018 IEEE 11th International Conference on Software Testing, Verification and Validation (ICST), 2018.
This paper uses text mining techniques to extract text features from infrastructure as code (IaC) scripts and identifies three properties that characterize defective IaC scripts: filesystem operations, infrastructure provisioning, and managing user accounts.

Where Are The Gaps? A Systematic Mapping Study of Infrastructure as Code Research

Gang of Eight: A Defect Taxonomy for Infrastructure as Code Scripts

A taxonomy of IaC defects is developed by applying qualitative analysis to 1,448 defect-related commits collected from open source software (OSS) repositories of the OpenStack organization; the quantified frequency of the defect categories may help advance the science of IaC script quality.

The ‘as code’ activities: development anti-patterns for infrastructure as code

Five development anti-patterns of infrastructure as code (IaC) scripts, namely 'boss is not around', 'many cooks spoil', 'minors are spoiler', 'silos' and 'unfocused contribution', are identified.

Test Suite Reduction in Idempotence Testing of Infrastructure as Code

A method for efficiently checking idempotence is presented that combines testing with static verification; applying static verification dramatically reduces the number of test cases needed to check code that includes external scripts.