Security controls in infrastructure as code

Almuairfi, Sadiq; Alenezi, Mamdouh

doi:10.1016/s1361-3723(20)30109-3

Cited by 5 publications

(3 citation statements)

References 10 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…The majority of Type VI studies were focused on how to improve tasks, processes and technologies to improve the instrumental outcomes as a measure of DevSecOps performance (McGraw, 2017;Casola et al, 2020;Almuairfi and Alenezi, 2020;Kersten, 2018). Within these group of studies, references were made to security policies, threat modelling and risk assessment processes, tasks such as code reviews, application security testing, static analysis, software composition analysis and dynamic analysis, dynamic application security testing (DAST), interactive application security testing, penetration testing, and technologies such as software containers, secure cloud applications and security tools.…”

Section: Resultsmentioning

confidence: 99%

Building Software Applications Securely with DevSecOps: A Socio-Technical Perspective

Naidoo

Möller²

2022

eccws

View full text Add to dashboard Cite

While continuous real-time software delivery practices induced by agile software development approaches create new business opportunities for organizations, these practices also present new security challenges in the DevOps environment. DevSecOps attempts to incorporate advanced automated security practices for agility in the DevOps environment. Mainstream perspectives of DevSecOps tend to overlook the collaborative role played by social actors and their relations with technologies in securing software applications in organizations. The first perspective emphasises the use of technologies such as containers, microservices, cryptographic protocols and origin authentication to secure the continuous deployment pipeline. The other dominant perspective focuses almost exclusively on the social aspects such as organizational silos, culture, and team collaboration. Such one-sided perspectives neglect the socio-technical argument that secure software applications from continuous deployment emerges when developers, quality assurers, operators and security experts combine their collective expertise together with DevSecOps technologies. The article presents a socio-technical framework of DevSecOps based on a systematic literature review. The review focused primarily, but not exclusively, on the computing and information systems literature and identified 26 peer reviewed articles from 2016 to 2020 which met the quality criteria and contributed to the analysis. The authors used a critical appraisal checklist and member checking to assess the quality of the articles. The authors then used thematic analysis to develop a comprehensive framework for DevSecOps based on the insights from these articles and a socio-technical lens. The socio-technical framework can be used by practitioners to perform a more holistic analysis of their DevSecOps practices. It highlights the key social and technical themes that underpin the effectiveness of DevSecOps and how insights about these themes can be used by practitioners to improve the instrumental and humanistic goals of DevSecOps. An interdisciplinary approach is proposed to adequately address challenging socio-technical relationships in DevSecOps. Future research can empirically test the importance of the interplay between technology and human activities to improve the overall performance of DevSecOps and other domains in cyber warfare and security.

show abstract

Section: Resultsmentioning

confidence: 99%

Building Software Applications Securely with DevSecOps: A Socio-Technical Perspective

Naidoo

Möller²

2022

eccws

View full text Add to dashboard Cite

show abstract

“…In our study, we investigate security vulnerabilities in infrastructure components. In the literature, researchers actively study the security of infrastructure as Code [17,18,19,20]. In their investigations, practitioners rely on tools for testing infrastructure security [21].…”

Section: Static Detection Of Bugsmentioning

confidence: 99%

“…In the literature, several security analyses have been conducted on IaC projects [17,18,19,20]. However, these studies are generally limited.…”

Section: Static Application Security Testingmentioning

confidence: 99%

Security Vulnerabilities in Infrastructure as Code: What, How Many, and Who?

War,

Habib,

Diallo

et al. 2023

Preprint

View full text Add to dashboard Cite

Infrastructure as Code (IaC) is a pivotal approach for deploying and managing IT systems and services using scripts, offering flexibility and numerous benefits. However, the presence of security flaws in IaC scripts can have severe consequences, as exemplified by the recurring exploits of Cloud Web Services. Recent studies in the literature have investigated IaC security issues, but they often focus on individual components (IaC tools or scripts), providing only preliminary insights. Our research extends the current knowledge by conducting a comprehensive investigation into various aspects of IaC security, encompassing its core components. We explore vulnerabilities in terms of types, their predominant locations, contributor responsibilities for introducing vulnerabilities, and more. Our methodology relies on widely adopted static security testing tools, which analyze over 1600 repositories to identify IaC vulnerabilities. Our empirical study yields valuable observations, highlighting severe and recurrent vulnerabilities within IaC, while also categorizing their severity and types. We delve deeper into vulnerability patterns, examining source code, dependencies, and manifest files across all IaC components, including tools, scripts, and add-ons (libraries or plugin tools). The study uncovers that IaC components are plagued by exploitable vulnerabilities that span all ten categories of security bugs outlined in OWASP 2021. Furthermore, our investigation reveals that even when maintainers employ security tools to address vulnerabilities, they do not integrate them systematically into their automation routines. Consequently, we propose that IT teams need to foster stronger collaboration across DevOps profiles (developers and IT operators) and break down the boundaries with security operators to enhance Infrastructure as Code's security posture through the adoption of DevSecOps practices.

show abstract