Context:
Security smells are recurring coding patterns that are indicative of security weakness and require further inspection. As infrastructure as code (IaC) scripts, such as Ansible and Chef scripts, are used to provision cloud-based servers and systems at scale, security smells in IaC scripts could be used to enable malicious users to exploit vulnerabilities in the provisioned systems.
Goal:
The goal of this article is to help practitioners avoid insecure coding practices while developing infrastructure as code scripts through an empirical study of security smells in Ansible and Chef scripts.
Methodology:
We conduct a replication study where we apply qualitative analysis with 1,956 IaC scripts to identify security smells for IaC scripts written in two languages: Ansible and Chef. We construct a static analysis tool called Security Linter for Ansible and Chef scripts (SLAC) to automatically identify security smells in 50,323 scripts collected from 813 open source software repositories. We also submit bug reports for 1,000 randomly selected smell occurrences.
Results:
We identify two security smells not reported in prior work: missing default in case statement and no integrity check. By applying SLAC we identify 46,600 occurrences of security smells that include 7,849 hard-coded passwords. We observe agreement for 65 of the responded 94 bug reports, which suggests the relevance of security smells for Ansible and Chef scripts amongst practitioners.
Conclusion:
We observe security smells to be prevalent in Ansible and Chef scripts, similarly to that of the Puppet scripts. We recommend practitioners to rigorously inspect the presence of the identified security smells in Ansible and Chef scripts using (i) code review, and (ii) static analysis tools.
It has been suggested that a branched sulphur chain would react more readily with the nucleophile and hence account for the fast reaction of trisulphides and higher sulphides. The reaction of triphenylphosphine with tris~lphidesl~ to give disulphides is formally analogous to its reaction with sulphoxides, when the sulphide is the principal product.20 Another analogy with sulphoxide chemistry is the reaction of diphenyl disulphide with dihydrogen disulphide to give polysulphides,21 in the same way that the sulphides give sulphoxides when treated with hydrogen peroxide.Recent studies by Barnard and his co-workers22 describe the facile thermal racemisation of di-ally1 polysulphides (7, 9). Because the racemisation of ( 7) does not take place with disproportionation or allylic rearrangement, and rate studies indicate the absence of homolytic side reactions, the authors believe the l6
scite is a Brooklyn-based organization that helps researchers better discover and understand research articles through Smart Citations–citations that display the context of the citation and describe whether the article provides supporting or contrasting evidence. scite is used by students and researchers from around the world and is funded in part by the National Science Foundation and the National Institute on Drug Abuse of the National Institutes of Health.