An Analysis of Infrastructure as Code Security in an Industrial Setting

Romina Druta, Nicoleta Botosan-Bora, Monica Iovan et al.

Published: Jan. 1, 2023

As organizations increasingly host their services in the cloud, Infrastructure as Code (IaC) solutions are widely used to automate the provisioning of cloud services. These tools can introduce security weaknesses and risky changes to platforms which have become a highly attractive attack surface for hackers. The purpose of this research is to analyze IaC in industrial projects to assist infrastructure and system engineers in finding vulnerabilities in code and understanding the features and limitations of current tools. Compared to previous studies that focused on quality in terms of smells and their type, this study evaluates static analysis tools across multiple projects. Furthermore, it contributes to the empirical understanding of an industrial setting as opposed to the open source context. The results show the level of practice in 20 projects. Based on the analysis, we developed recommendations for improvements and discussed the perceived challenges and advantages of using these tools in software development teams following a shift-left approach to security.

Language: English

The do’s and don’ts of infrastructure code: A systematic gray literature review

Indika Kumara, Martín Garriga, Angel Urbano Romeu et al.

Information and Software Technology, Journal Year: 2021, Volume and Issue: 137, P. 106593

Published: April 29, 2021

Infrastructure-as-code (IaC) is the DevOps tactic of managing and provisioning software infrastructures through machine-readable definition files, rather than manual hardware configuration or interactive tools. From a maintenance and evolution perspective, the topic has picked up interest from practitioners and academics alike, given the relative scarcity of supporting patterns and practices in the academic literature. At the same time, a considerable amount of gray literature exists on IaC. Thus we aim to characterize IaC and compile a catalog of best and bad practices for widely used languages, all using gray literature materials. In this paper, we systematically analyze industrial gray literature on IaC, such as blog posts, tutorials, and white papers, with qualitative analysis techniques. We propose a distilled, broad, summarized taxonomy consisting of 10 and 4 primary categories of best and bad practices, respectively, both language-agnostic and language-specific ones, for three languages, namely Ansible, Puppet, and Chef. The practices reflect implementation issues, design issues, and violation of/adherence to essential principles. Our findings reveal critical insights concerning the top languages, as well as the practices adopted to address (some of) those challenges. The evidence suggests that the field of IaC development is in its infancy and deserves further attention.

Language: English

Citations: 38

Smelly variables in ansible infrastructure code

Ruben Opdebeeck, Ahmed Zerouali, Coen De Roover et al.

Published: May 23, 2022

Infrastructure as Code is the practice of automating the provisioning, configuration, and orchestration of network nodes using code, in which variable values such as configuration parameters, node hostnames, etc. play a central role. Mistakes in these values are an important cause of infrastructure defects and the corresponding outages. Ansible, a popular IaC language, nonetheless features semantics that can cause confusion about the value of variables.

Language: English

Citations: 23

Control and Data Flow in Security Smell Detection for Infrastructure as Code: Is It Worth the Effort?

Ruben Opdebeeck, Ahmed Zerouali, Coen De Roover et al.

Published: May 1, 2023

Infrastructure as Code is the practice of developing and maintaining computing infrastructure through executable source code. Unfortunately, IaC has also brought about new cyber attack vectors. Prior work therefore proposed static analyses that detect security smells in IaC files. However, they have so far remained at a shallow level, disregarding the control and data flow of the scripts under analysis, and may lack awareness of specific syntactic constructs. These limitations inhibit the quality of their results. To address these limitations, in this paper we present GASEL, a novel security smell detector for the Ansible language. It uses graph queries on program dependence graphs to detect 7 security smells. Our evaluation on an oracle of 243 real-world scripts and a comparison against two state-of-the-art detectors shows that awareness of syntax and flow enables our approach to substantially improve both precision and recall. We further question whether the additional effort required to develop and run such an analysis is justified in practice. To this end, we investigate the prevalence of indirection across more than 15 000 scripts. We find that over 55% contain data-flow indirection, and 32% require whole-project analysis to detect. Our findings motivate the need for deeper tools to detect vulnerabilities in IaC.

Language: English

Citations: 13

Unix shell programming

Michael Greenberg, Κωνσταντίνος Καλλάς, Nikos Vasilakis et al.

Published: June 1, 2021

The Unix shell is a powerful, ubiquitous, and reviled tool for managing computer systems. It has been largely ignored by academia and industry. While many replacement shells have been proposed, the Unix shell persists. Two recent threads of formal and practical research on the shell enable new approaches. We can help manage the shell's essential shortcomings (dynamism, power, abstruseness) and address its inessential ones. Improving the shell holds much promise for development, ops, and data processing.

Language: English

Citations: 19

Static Analysis of Infrastructure as Code: a Survey

Michele Chiari, Michele De Pascalis, Matteo Pradella et al.

Published: March 1, 2022

The increasing use of Infrastructure as Code (IaC) in DevOps leads to benefits in the speed and reliability of deployment and operation, but extends to infrastructure the challenges typical of software systems. IaC scripts can contain defects that result in security issues in the deployed infrastructure: techniques for detecting and preventing them are needed. We analyze and survey the current state of research in this respect by conducting a literature review on static analysis of IaC. We describe the techniques, defect categories, and platforms targeted by the tools in the literature.

Language: English

Citations: 11

FindICI: Using machine learning to detect linguistic inconsistencies between code and natural language descriptions in infrastructure-as-code

Nemania Borovits, Indika Kumara, Dario Di Nucci et al.

Empirical Software Engineering, Journal Year: 2022, Volume and Issue: 27(7)

Published: Sept. 20, 2022

Linguistic anti-patterns are recurring poor practices concerning inconsistencies in the naming, documentation, and implementation of an entity. They impede the readability, understandability, and maintainability of source code. This paper attempts to detect linguistic anti-patterns in Infrastructure-as-Code (IaC) scripts used to provision and manage computing environments. In particular, we consider inconsistencies between the logic/body of IaC code units and their short text names. To this end, we propose FindICI, a novel automated approach that employs word embeddings and classification algorithms. We build and use the abstract syntax tree to create embeddings, which are used by machine learning techniques to detect inconsistent units. We evaluated our approach with two experiments on Ansible tasks systematically extracted from open repositories, for various models. Classical and deep learning models with different embedding methods showed comparable and satisfactory results in detecting inconsistencies related to the top-10 modules.

Language: English

Citations: 10

SoK: Static Configuration Analysis in Infrastructure as Code Scripts

Pandu Ranga Reddy Konala, Vimal Kumar, David Bainbridge et al.

Published: July 31, 2023

This SoK paper presents findings from a survey conducted on the current state of tools and techniques used in static configuration analysis of Infrastructure as Code (IaC). Our findings highlight the increasing importance of ensuring the quality of IaC scripts through such analysis, for example by detecting code and security smells. They reveal that regular expressions are widely used, but this may not be a long-term or fully automated solution. Additionally, our study found that the majority of tools were developed for infrastructure provisioning, rather than for configuration management or image building. This raises concerns because configuring software is a high-risk task, with malicious actors constantly targeting systems. Therefore, it is crucial for researchers to develop efficient and advanced techniques for detecting defects. The aim is to provide a detailed overview of the research field and identify areas for future development.

Language: English

Citations: 4

A Modern Approach to Securing Critical Infrastructure in Energy Transmission Networks: Integration of Cryptographic Mechanisms and Biometric Data

Anna Manowska, Martin Boroš, Muhammad Hassan et al.

Electronics, Journal Year: 2024, Volume and Issue: 13(14), P. 2849

Published: July 19, 2024

Energy security is a crucial issue for political, environmental, and economic reasons. This article presents a modern approach to securing critical infrastructure in energy transmission networks, which are managed by advanced IT systems. The paper focuses on the integration of cryptographic mechanisms with biometric data, providing an additional layer of protection against cyber threats. The discussed solutions enable the secure management of these systems, enhancing their resilience to cyberattacks. The use of a command-line interface (CLI) in combination with biometrics allows precise execution of tasks such as network monitoring, firewall management, and automation of tasks. This makes these systems more reliable and secure, which is essential for stability

Language: English

Citations: 1

Infrastructure-as-Code Ecosystems

Ruben Opdebeeck, Ahmed Zerouali, Coen De Roover et al.

Springer eBooks, Journal Year: 2023, Volume and Issue: unknown, P. 215 - 245

Published: Jan. 1, 2023

Language: English

Citations: 2

The future of the shell

Michael Greenberg, Κωνσταντίνος Καλλάς, Nikos Vasilakis et al.

Published: June 1, 2021

The Unix shell is fifty years old, and it continues to be the primary way to configure, deploy, and manage systems of all kinds. What comes next? What is the command-line interface of the 21st century?

Language: English

Citations: 5