Towards a Taxonomy of Infrastructure as Code Misconfigurations: An Ansible Study
Rohollah Nasiri, Indika Kumara, Damian A. Tamburri et al.

Communications in Computer and Information Science, Journal Year: 2024, Volume and Issue: unknown, P. 83 - 103

Published: Oct. 18, 2024

Language: English

Control and Data Flow in Security Smell Detection for Infrastructure as Code: Is It Worth the Effort?
Ruben Opdebeeck, Ahmed Zerouali, Coen De Roover et al.

Published: May 1, 2023

Infrastructure as Code (IaC) is the practice of developing and maintaining computing infrastructure through executable source code. Unfortunately, IaC has also brought about new cyber attack vectors. Prior work has therefore proposed static analyses that detect security smells in IaC files. However, they have so far remained at a shallow level, disregarding the control and data flow of the scripts under analysis, and may lack awareness of specific syntactic constructs. These limitations inhibit the quality of their results. To address these limitations, in this paper we present GASEL, a novel security smell detector for the Ansible language. It uses graph queries on program dependence graphs to detect 7 security smells. Our evaluation on an oracle of 243 real-world scripts and a comparison against two state-of-the-art detectors shows that awareness of syntax, control flow, and data flow enables our approach to substantially improve both precision and recall. We further question whether the additional effort required to develop and run such analyses is justified in practice. To this end, we investigate the prevalence of indirection across more than 15 000 scripts. We find that over 55% contain data-flow indirection, and 32% require whole-project analysis to detect. Our findings motivate the need for deeper analysis tools to find vulnerabilities in IaC.

Language: English

Citations: 13

Come for syntax, stay for speed, write secure code: an empirical study of security weaknesses in Julia programs
Yue Zhang, Justin Murphy, Akond Rahman et al.

Empirical Software Engineering, Journal Year: 2025, Volume and Issue: 30(2)

Published: Jan. 20, 2025

Language: English

Citations: 0

Assessing the adoption of security policies by developers in Terraform across different cloud providers
Alexandre Verdet, Mohammad Hamdaqa, Léuson Da Silva et al.

Empirical Software Engineering, Journal Year: 2025, Volume and Issue: 30(3)

Published: Feb. 27, 2025

Cloud computing has become popular thanks to the widespread use of Infrastructure as Code (IaC) tools, allowing the community to manage and configure cloud infrastructure using scripts. However, the scripting process does not automatically prevent practitioners from introducing misconfigurations, vulnerabilities, or privacy risks. As a result, ensuring security relies on practitioners' understanding and adoption of explicit policies. To understand how practitioners deal with this problem, we perform an empirical study analyzing the scripted best practices present in Terraform files, applied to AWS, Azure, and Google Cloud. We assess these by sampling 812 open-source GitHub projects. We scan each project's configuration looking for policy implementation through static analysis (Checkov and Tfsec). The category Access emerges as the most widely adopted across all providers, while Encryption at rest presents as the most neglected. Regarding providers, we observe that AWS and Azure show similar behavior in which policies are attended to. Finally, we provide guidelines to limit vulnerability and discuss further aspects associated with policies that have yet to be extensively embraced within the industry.

Language: English

Citations: 0

Automated Infrastructure as Code Program Testing
Daniel Sokolowski, David Spielmann, Guido Salvaneschi et al.

IEEE Transactions on Software Engineering, Journal Year: 2024, Volume and Issue: 50(6), P. 1585 - 1599

Published: May 1, 2024

Infrastructure as Code (IaC) enables efficient deployment and operation, which are crucial to releasing software quickly. As setups can be complex, developers implement IaC programs in general-purpose programming languages like TypeScript and Python, using PL-IaC solutions such as Pulumi and AWS CDK. The reliability of such programs is even more relevant than that of traditional programs because a bug impacts the whole system. Yet, though testing is a standard development practice, it is rarely used for IaC programs. For instance, in August 2022, less than 1% of public PL-IaC programs on GitHub implemented tests. Available IaC program testing techniques severely limit velocity or require much effort.

To solve these issues, we propose Automated Configuration Testing (ACT), a methodology to test many configurations quickly with low effort. ACT automatically mocks all resource definitions and uses generator and oracle plugins for test generation and validation. We implement ProTI, a tool with a type-based generator and oracle that supports application-specific specifications. Our evaluation on 6 081 programs from artificial and real-world benchmarks shows that ProTI can be directly applied to existing programs, finds bugs where current techniques are infeasible, and allows reusing generators and oracles thanks to its pluggable architecture.

Language: English

Citations: 3

State Reconciliation Defects in Infrastructure as Code
Md Mahadi Hassan, John Salvador, Shubhra Kanti Karmaker et al.

Proceedings of the ACM on Software Engineering, Journal Year: 2024, Volume and Issue: 1(FSE), P. 1865 - 1888

Published: July 12, 2024

In infrastructure as code (IaC), state reconciliation is the process of querying and comparing infrastructure state prior to changing infrastructure. As state reconciliation is pivotal to manage IaC-based computing at scale, defects related to it can create large-scale consequences. A categorization of state reconciliation defects, i.e., defects related to state reconciliation, can aid in understanding the nature of such defects. We conduct an empirical study with 5,110 samples where we apply qualitative analysis to categorize state reconciliation defects. From the identified defect categories, we derive heuristics to design prompts for a large language model (LLM), which in turn are used for validation of state reconciliation defects. In our study, we identify 8 categories of state reconciliation defects, amongst which 3 have not been reported for previously-studied software systems. The most frequently occurring category is inventory, i.e., defects that occur when managing inventory. Using the LLM with heuristics-based paragraph style prompts, we identify 9 previously unknown state reconciliation defects, of which 7 are accepted as valid and 4 are already fixed. Based on our findings, we conclude the paper by providing a set of recommendations for researchers and practitioners.

Language: English

Citations: 2

SoK: Static Configuration Analysis in Infrastructure as Code Scripts
Pandu Ranga Reddy Konala, Vimal Kumar, David Bainbridge et al.

Published: July 31, 2023

This SoK paper presents findings from a survey conducted on the current state of tools and techniques used in static configuration analysis of Infrastructure as Code (IaC). Our findings highlight the increasing importance of ensuring the quality of IaC scripts through such analysis, for example by detecting code and security smells. They reveal that regular expressions are widely used, but this may not be a long-term or fully automated solution. Additionally, our study found that the majority of tools were developed for infrastructure provisioning, rather than configuration management or image building. This raises concerns because configuring software is a high-risk task, with malicious actors constantly targeting such systems. Therefore, it is crucial for researchers to develop efficient and advanced techniques to detect defects. The aim is to provide a detailed overview of the research field and identify areas for future development.

Language: English

Citations: 4

Polyglot Code Smell Detection for Infrastructure as Code with GLITCH
Nuno Saavedra, João Gonçalves, Miguel Henriques et al.

2021 36th IEEE/ACM International Conference on Automated Software Engineering (ASE), Journal Year: 2023, Volume and Issue: unknown, P. 2042 - 2045

Published: Sept. 11, 2023

This paper presents GLITCH, a new technology-agnostic framework that enables automated polyglot code smell detection for Infrastructure as Code scripts. GLITCH uses an intermediate representation on which different smell detectors can be defined. It currently supports the detection of nine security smells and design & implementation smells in scripts written in Ansible, Chef, Docker, Puppet, or Terraform. Studies conducted with GLITCH not only show that it can reduce the effort of writing analyses for multiple IaC technologies, but also that it has higher precision and recall than current state-of-the-art tools. A video describing and demonstrating GLITCH is available at: https://youtu.be/E4RhCcZjWbk.

Language: English

Citations: 4

The PIPr Dataset of Public Infrastructure as Code Programs
Daniel Sokolowski, David Spielmann, Guido Salvaneschi et al.

Published: April 15, 2024

Language: English

Citations: 1

An empirical study of task infections in Ansible scripts
Akond Rahman, Dibyendu Brinto Bose, Yue Zhang et al.

Empirical Software Engineering, Journal Year: 2023, Volume and Issue: 29(1)

Published: Dec. 29, 2023

Language: English

Citations: 2

Characterizing Static Analysis Alerts for Terraform Manifests: An Experience Report
Hanyang Hu, Yani Bu, K.W. Wong et al.

Published: Oct. 18, 2023

While Terraform has gained popularity to implement the practice of infrastructure as code (IaC), there is a lack of characterization of static analysis alerts for Terraform manifests. Such a lack hinders practitioners in assessing how to use static analysis in their development process, as happened at Company A, an organization that uses Terraform to create automated software deployment pipelines. In this experience report, we have investigated 491 static analysis alerts that occur in 10 open source and one proprietary Terraform repositories. From our analysis we observe: (i) several categories of alerts appear for Terraform manifests, of which five are related to security, (ii) resources with dependencies have more alerts than resources with no dependencies, and (iii) practitioner perceptions vary from one alert category to another when deciding on taking action on reported alerts. We conclude the paper by providing a list of lessons for toolsmiths to improve

Language: English

Citations: 1