Corpus ID: 196831732

Security Smells in Infrastructure as Code Scripts

@article{Rahman2019SecuritySI,
  title={Security Smells in Infrastructure as Code Scripts},
  author={Akond Ashfaque Ur Rahman and Md. Rayhanur Rahman and Chris Parnin and Laurie Ann Williams},
  journal={ArXiv},
  year={2019},
  volume={abs/1907.07159}
}
Context: Security smells are coding patterns in source code that are indicative of security weaknesses. As infrastructure as code (IaC) scripts are used to provision cloud-based servers and systems at scale, security smells in IaC scripts could be used to enable malicious users to exploit vulnerabilities in the provisioned systems. Goal: The goal of this paper is to help practitioners avoid insecure coding practices while developing infrastructure as code (IaC) scripts through an empirical… 
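To make the notion of a security smell concrete, here is an added example, written for this page and not taken from the paper or its tooling: a small Python linter that scans a Puppet manifest line by line and flags four of the seven smell categories the paper catalogs (hard-coded secret, empty password, use of HTTP without TLS, suspicious comment). The regular expressions, the category names and the sample manifest are assumptions made for this illustration; the manifest is constructed and does not come from any real project.

```python
"""Minimal security-smell linter for Puppet manifests (added example, not the paper's code)."""
import re
from dataclasses import dataclass
from typing import Dict, List


@dataclass(frozen=True)
class Smell:
    line: int        # 1-based line number within the manifest
    category: str    # smell category name (names chosen for this example)
    excerpt: str     # the offending line, whitespace-stripped


# A variable or attribute name that suggests it holds a credential.
_SECRET_NAME = r"\$?\w*(?:password|passwd|secret|token)\w*"

# Rule patterns are assumptions for this example, not the paper's exact rules.
RULES = [
    # Credential-like name assigned an empty string literal.
    ("empty_password",
     re.compile(rf"^\s*{_SECRET_NAME}\s*=>?\s*(?:''|\"\")", re.I)),
    # Credential-like name assigned a non-empty string literal.
    ("hard_coded_secret",
     re.compile(rf"^\s*{_SECRET_NAME}\s*=>?\s*(?:'[^']+'|\"[^\"]+\")", re.I)),
    # A plain-HTTP URL anywhere on the line (https:// does not match).
    ("http_without_tls",
     re.compile(r"\bhttp://[^\s'\"]+", re.I)),
    # Comment text admitting that the code is unfinished or known-broken.
    ("suspicious_comment",
     re.compile(r"#.*\b(?:todo|fixme|hack|bug|xxx)\b", re.I)),
]

# Constructed sample input for this example; not from any real project.
SAMPLE_MANIFEST = """\
# Constructed Puppet manifest for this example; not from any real project.
class app::db {
  # FIXME: move this credential into Hiera/eyaml before shipping
  $db_password = 'changeme'                    # hard-coded secret (variable)
  package { 'mysql-server': ensure => installed }

  mysql_user { 'app@localhost':
    password => 's3cr3t-literal',              # hard-coded secret (attribute)
  }
  user { 'deploy':
    password => '',                            # empty password
  }
  exec { 'fetch-schema':
    command => '/usr/bin/wget http://repo.example.internal/schema.sql',
  }
  file { '/etc/app/db.conf':
    content => "password=${db_password}\\n",   # interpolated variable, not flagged
  }
  vcsrepo { '/opt/app':
    source => 'https://git.example.internal/app.git',  # TLS, not flagged
  }
}
"""


def lint(manifest: str) -> List[Smell]:
    """Return every smell found, one entry per (line, category), in line order."""
    findings: List[Smell] = []
    for lineno, raw in enumerate(manifest.splitlines(), start=1):
        line = raw.strip()
        if not line:
            continue
        is_comment = line.startswith("#")
        for category, pattern in RULES:
            # A pure comment line can only carry the suspicious_comment smell;
            # a credential or URL quoted inside a comment is not live code.
            if is_comment and category != "suspicious_comment":
                continue
            if pattern.search(line):
                findings.append(Smell(lineno, category, line))
    return findings


def summary(manifest: str) -> Dict[str, int]:
    """Count findings per smell category."""
    counts: Dict[str, int] = {}
    for smell in lint(manifest):
        counts[smell.category] = counts.get(smell.category, 0) + 1
    return counts


if __name__ == "__main__":
    for smell in lint(SAMPLE_MANIFEST):
        print(f"line {smell.line:>3}  {smell.category:<18}  {smell.excerpt}")
    print(summary(SAMPLE_MANIFEST))
```

The checker deliberately does not flag `password => $secret` or an interpolated `${db_password}`: the smell is the literal credential committed to the repository, not the attribute name. A real linter would parse the manifest rather than match lines, which is what lets it tell an attribute from a string that merely contains the word `password`.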
1 Citation

The Seven Sins: Security Smells in Infrastructure as Code Scripts

The goal of this paper is to help practitioners avoid insecure coding practices while developing infrastructure as code (IaC) scripts through an empirical study of security smells in IaC scripts.

References

Showing 1-10 of 56 references

The Seven Sins: Security Smells in Infrastructure as Code Scripts

The goal of this paper is to help practitioners avoid insecure coding practices while developing infrastructure as code (IaC) scripts through an empirical study of security smells in IaC scripts.

Source Code Properties of Defective Infrastructure as Code Scripts

Characterizing Defective Configuration Scripts Used for Continuous Deployment

  • A. Rahman, L. Williams
  • Computer Science
    2018 IEEE 11th International Conference on Software Testing, Verification and Validation (ICST)
  • 2018
This paper uses text mining techniques to extract text features from infrastructure as code (IaC) scripts and identifies three properties that characterize defective IaC scripts: filesystem operations, infrastructure provisioning, and managing user accounts.

Identifying the characteristics of vulnerable code changes: an empirical study

It is recommended that projects should create or adapt secure coding guidelines, create a dedicated security review team, ensure detailed comments during review to help knowledge dissemination, and encourage developers to make small, incremental changes rather than large changes.

Does Your Configuration Code Smell?

This work proposes a catalog of 13 implementation and 11 design configuration smells, each of which violates recommended best practices for configuration code, and finds that configuration smells in one category tend to co-occur with configuration smells in another category when correlation is computed by the volume of identified smells.

Co-evolution of Infrastructure and Source Code - An Empirical Study

  • Yujuan Jiang, B. Adams
  • Computer Science
    2015 IEEE/ACM 12th Working Conference on Mining Software Repositories
  • 2015
Through an empirical study of the version control systems of 265 OpenStack projects, it is found that infrastructure files are large and churn frequently, which could indicate a higher potential for introducing bugs.

Developers Need Support, Too: A Survey of Security Advice for Software Developers

This paper takes a first step toward understanding and improving the ecosystem of security advice aimed at software developers by identifying and analyzing 19 general advice resources and identifying important gaps in the current ecosystem.

How Bad Can It Git? Characterizing Secret Leakage in Public GitHub Repositories

This work presents the first large-scale and longitudinal analysis of secret leakage on GitHub, finding that not only is secret leakage pervasive — affecting over 100,000 repositories — but that thousands of new, unique secrets are leaked every day.

Do They Really Smell Bad? A Study on Developers' Perception of Bad Code Smells

This study showed developers code entities from three systems, some affected by bad smells and some not, and asked them to indicate whether the code contains a potential design problem and, if so, the nature and severity of the problem.
...