The Seven Sins: Security Smells in Infrastructure as Code Scripts

@article{Rahman2019TheSS,
  title={The Seven Sins: Security Smells in Infrastructure as Code Scripts},
  author={Akond Ashfaque Ur Rahman and Chris Parnin and Laurie Ann Williams},
  journal={2019 IEEE/ACM 41st International Conference on Software Engineering (ICSE)},
  year={2019},
  pages={164-175}
}
Practitioners use infrastructure as code (IaC) scripts to provision servers and development environments. We apply qualitative analysis on 1,726 IaC scripts to identify seven security smells. Next, we implement and validate a static analysis tool called Security Linter for Infrastructure as Code scripts (SLIC) to identify the occurrence of each smell in 15,232 IaC scripts collected from 293 open source repositories. We identify 21,201 occurrences of security smells that include 1,326…
Security Smells in Infrastructure as Code Scripts
TLDR
This paper constructs a static analysis tool called Security Linter for Infrastructure as Code scripts (SLIC) to automatically identify security smells in 61,097 scripts collected from 1,093 open source software repositories, and observes security smells to be prevalent in IaC scripts.
Security Smells in Ansible and Chef Scripts
TLDR
This article identifies two security smells not reported in prior work: missing default in case statement and no integrity check, and recommends that practitioners rigorously inspect the presence of the identified security smells in Ansible and Chef scripts using code review and static analysis tools.
Characterizing Co-located Insecure Coding Patterns in Infrastructure as Code Scripts
TLDR
Practitioners can prioritize code review efforts for IaC scripts by reviewing scripts that include co-located ICPs, including hard-coded secret and suspicious comment.
Share, But be Aware: Security Smells in Python Gists
TLDR
This paper finds 13 types of security smells with 4,403 occurrences in 5,822 publicly available Python Gists and finds no significant relation between the presence of these security smells and the reputation of the Gist author.
Testing practices for infrastructure as code
TLDR
The goal of this paper is to help practitioners improve the quality of infrastructure as code (IaC) scripts by identifying a set of testing practices for IaC scripts, and identifies six testing practices that include behavior-focused test coverage.
Automatically detecting risky scripts in infrastructure code
TLDR
This paper proposes an analysis framework, which can automatically extract and compose the embedded scripts from infrastructure code before detecting their risky code patterns with correlated severity levels and negative impacts, and implements SecureCode based on the proposed framework.
Source Code Properties of Defective Infrastructure as Code Scripts
Analyzing Infrastructure as Code to Prevent Intra-update Sniping Vulnerabilities
TLDR
This work identifies a security vulnerability that occurs during an upgrade even when the initial and final states of the infrastructure are secure, and shows that such vulnerabilities are possible in Amazon's AWS and Google Cloud.
The ‘as code’ activities: development anti-patterns for infrastructure as code
TLDR
Five development anti-patterns of infrastructure as code (IaC) scripts, namely 'boss is not around', 'many cooks spoil', 'minors are spoiler', 'silos' and 'unfocused contribution', are identified.
Gang of Eight: A Defect Taxonomy for Infrastructure as Code Scripts
TLDR
A taxonomy of IaC defects is developed by applying qualitative analysis on 1,448 defect-related commits collected from open source software (OSS) repositories of the OpenStack organization; the quantified frequency of the defect categories may help in advancing the science of IaC script quality.

References

Security Smells in Infrastructure as Code Scripts
TLDR
This paper constructs a static analysis tool called Security Linter for Infrastructure as Code scripts (SLIC) to automatically identify security smells in 61,097 scripts collected from 1,093 open source software repositories, and observes security smells to be prevalent in IaC scripts.
Secure Coding Practices in Java: Challenges and Vulnerabilities
TLDR
An empirical study on StackOverflow posts aiming to understand developers' concerns on Java secure coding, their programming obstacles, and insecure coding practices reveals the insufficiency of secure coding assistance and documentation, as well as the huge gap between security theory and coding practices.
Identifying the characteristics of vulnerable code changes: an empirical study
TLDR
It is recommended that projects should create or adapt secure coding guidelines, create a dedicated security review team, ensure detailed comments during review to help knowledge dissemination, and encourage developers to make small, incremental changes rather than large changes.
Characterizing Defective Configuration Scripts Used for Continuous Deployment
  • A. Rahman, L. Williams
  • 2018 IEEE 11th International Conference on Software Testing, Verification and Validation (ICST), 2018
TLDR
This paper uses text mining techniques to extract text features from infrastructure as code (IaC) scripts and identifies three properties that characterize defective IaC scripts: filesystem operations, infrastructure provisioning, and managing user accounts.
Developers Need Support, Too: A Survey of Security Advice for Software Developers
TLDR
This paper takes a first step toward understanding and improving this guidance ecosystem by identifying and analyzing 19 general advice resources and identifying important gaps in the current ecosystem.
CrySL: Validating Correct Usage of Cryptographic APIs
TLDR
CrySL is presented, a definition language that enables cryptography experts to specify the secure usage of the cryptographic libraries that they provide and a compiler is implemented that translates a CrySL ruleset into a context- and flow-sensitive demand-driven static analysis.
Does Your Configuration Code Smell?
TLDR
This work proposes a catalog of 13 implementation and 11 design configuration smells, where each smell violates recommended best practices for configuration code, and finds that configuration smells belonging to one smell category tend to co-occur with configuration smells belonging to another smell category when correlation is computed by volume of identified smells.
Security Smells in Android
TLDR
A lightweight static analysis tool is developed and the extent to which it successfully detects several vulnerabilities in about 46,000 apps hosted by the official Android market is discussed.
Co-evolution of Infrastructure and Source Code - An Empirical Study
  • Yujuan Jiang, B. Adams
  • 2015 IEEE/ACM 12th Working Conference on Mining Software Repositories, 2015
TLDR
Through an empirical study of the version control system of 265 OpenStack projects, it is found that infrastructure files are large and churn frequently, which could indicate a potential for introducing bugs.