Control and Data Flow in Security Smell Detection for Infrastructure as Code: Is It Worth the Effort?

Published: May 1, 2023

Infrastructure as Code is the practice of developing and maintaining computing infrastructure through executable source code. Unfortunately, IaC has also brought about new cyber attack vectors. Prior work therefore proposed static analyses that detect security smells in files. However, they have so far remained at a shallow level, disregarding control data flow scripts under analysis, may lack awareness specific syntactic constructs. These limitations inhibit quality their results. To address these limitations, this paper, we present GASEL, novel smell detector for Ansible language. It uses graph queries on program dependence graphs to 7 smells. Our evaluation an oracle 243 real-world comparison against two state-of-the-art detectors shows syntax, flow, enables our approach substantially improve both precision recall. We further question whether additional effort required develop run such justified practice. end, investigate prevalence indirection across more than 15 000 scripts. find over 55% contain data-flow indirection, 32% require whole-project analysis detect. findings motivate need deeper tools vulnerabilities IaC.

Language: Английский

---

Come for syntax, stay for speed, write secure code: an empirical study of security weaknesses in Julia programs

Empirical Software Engineering, Journal Year: 2025, Volume and Issue: 30(2)

Published: Jan. 20, 2025

Language: Английский

---

Enhancing Software Defect Prediction in Ansible Scripts Using Code-Smell-Guided Prompting with Large Language Models in Edge-Cloud Infrastructures

Communications in computer and information science, Journal Year: 2025, Volume and Issue: unknown, P. 30 - 42

Published: Jan. 1, 2025

Language: Английский

---

Towards understanding code review practices for infrastructure-as-code: An empirical study on OpenStack projects

Empirical Software Engineering, Journal Year: 2025, Volume and Issue: 30(3)

Published: April 26, 2025

Language: Английский

---

Towards Reliable Infrastructure as Code

Published: March 1, 2023

Modern Infrastructure as Code (IaC) programs are increasingly complex and much closer to traditional software than simple configuration scripts. Their reliability is crucial because their failure prevents the deployment of applications, incorrect behavior can introduce malfunction severe security issues. Yet, engineering tools develop reliable programs, such testing verification, barely used in IaC. In fact, we observed that developers mainly rely on integration testing, a slow expensive practice increase confidence end-to-end functionality but infeasible systematically test IaC various configurations—which required ensure robustness. On other hand, fast techniques, unit cumbersome with because, today, they require significant coding overhead while only providing limited confidence.To solve this issue, envision automated tool ProTI, reducing manual boosting results. ProTI embraces modern techniques many different configurations. Out box, fuzzer for Pulumi TypeScript randomly program configurations termination, correctness, existing policy compliance. Then add specifications guide random-based value generation, additional properties, further mocking, making property-based tool. Lastly, aim at automatically verifying IaC-specific e.g., access paths between resources.

Language: Английский

---

Automated Infrastructure as Code Program Testing

IEEE Transactions on Software Engineering, Journal Year: 2024, Volume and Issue: 50(6), P. 1585 - 1599

Published: May 1, 2024

Infrastructure as Code (IaC) enables efficient deployment and operation, which are crucial to releasing software quickly. As setups can be complex, developers implement IaC programs in general-purpose programming languages like TypeScript Python, using PL-IaC solutions Pulumi AWS CDK. The reliability of such is even more relevant than traditional because a bug impacts the whole system. Yet, though testing standard development practice, it rarely used for programs. For instance, August 2022, less 1% public on GitHub implemented tests. Available program techniques severely limit velocity or require much effort.

To solve these issues, we propose Automated Configuration Testing (ACT), methodology test many configurations quickly with low ACT automatically mocks all resource definitions uses generator oracle plugins generation validation. We ProTI, tool type-based oracle, support application specifications. Our evaluation 6 081 from artificial benchmarks shows that ProTI directly applied existing programs, finds bugs where current infeasible, reusing generators oracles thanks its pluggable architecture.

Language: Английский

---

Methodology For Automating And Orchestrating Performance Evaluation Of Kubernetes Container Network Interfaces

Published: July 19, 2024

In the dynamic realm of HPC (High-performance computing) and cloud-native applications, ensuring optimal network performance for Kubernetes Container Network Interfaces (CNIs) is critical. Traditional manual methods evaluating bandwidth latency are prone to errors, time-consuming, lack consistency. This paper introduces a novel approach that leverages Ansible automate coordinate tests across diverse CNIs, profiles, configurations. By automating these processes, we eliminate potential human ensure ability replicate process, significantly reduce time required comprehensive testing. The use playbooks facilitates efficient scalable deployment, configuration, execution tests, enabling standardized benchmarking various environments. set playbooks, which will make available online, has significant real-world impact by providing DevOps teams with robust reliable tools consistently monitoring enhancing performance. This, in turn, enhances stability efficiency accelerates development cycle, ensures Kubernetes-based infrastructures can meet demanding requirements modern applications.

Language: Английский

---

Fine-Grained Just-In-Time Defect Prediction at the Block Level in Infrastructure-as-Code (IaC)

Published: April 15, 2024

Language: Английский

---

What Do Infrastructure-as-Code Practitioners Discuss: An Empirical Study on Stack Overflow

Published: Oct. 26, 2023

Background. Infrastructure-as-Code (IaC) is an emerging practice to manage cloud infrastructure resources for software systems. Modern development has evolved embrace IaC as a best consistently provisioning and managing using various tools such Terraform Ansible. However, recent studies highlighted that developers still encounter challenges with tools. Aims. We aim in this paper understand the different analyze trend of seeking assistance on Q&A platforms context IaC. To end, we conduct large-scale empirical study investigating developers' discussions Stack Overflow. Method. first collect IaC-relevant tags Overflow, constituting dataset comprises 52,692 questions 64,078 answers. Then, group into specific topics Latent Dirichlet Allocation (LDA) method, which optimize Genetic Algorithm (GA) parameter's fine-tuning. Finally, gain better insights, identified based criteria popularity difficulty. Results. Our findings reveal average yearly increase 150% terms IaC-related 135% users between 2011 2022. Furthermore, observe revolve around seven main topics: server configuration, policy networking, deployment pipelines, variable management, templating, file management. Notably, found configuration management are most popular topics, i.e., discussed among developers, while pipelines templating difficult. Conclusions. results shed light often encountered by platforms. These important implications practitioners support real-world settings researchers community needs further investigate aspects.

Language: Английский

---

Exploring the Feasibility of ChatGPT for Improving the Quality of Ansible Scripts in Edge-Cloud Infrastructures Through Code Recommendation

Communications in computer and information science, Journal Year: 2024, Volume and Issue: unknown, P. 75 - 83

Published: Jan. 1, 2024

Language: Английский

---