The Seven Sins: Security Smells in Infrastructure as Code Scripts

Rahman, Akond; Parnin, Chris; Williams, Laurie

doi:10.1109/icse.2019.00033

Cited by 143 publications

(91 citation statements)

References 48 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…Previous work has introduced generic [44] or specialized [9,36] linters that can help developers to improve their CD configurations. In contrast to previous work on CI smells that relies on historical information [44], in this paper, we proposed CD-Linter, a static analysis tool able to identify four types of CD smells in CD pipelines, right when they are introduced in the pipeline configuration.…”

Section: Discussionmentioning

confidence: 99%

“…While those smells are more similar to traditional code smells (i.e., they concern with maintainability and understandability of Puppet code), CD-Linter detects smells specific to the CI/CD configuration where developers violate principles. Rahman et al [36] implemented a linter that detects seven types of security problems in IaC scripts. Their work is complementary to ours as it deals with a very specific category of problems related to IaC scripts.…”

Section: Detection Of Smells In Development Workflowsmentioning

confidence: 99%

“…Gallaba et al, [9] achieved a high user acceptance when pointing out the misuse of four different configuration options, like executing commands in the wrong build step. Rahman et al [36] focused on security-related issues and Sharma et al [38] on Infrastructure-as-Code (IaC) smells. While these works show that semantic linting of CD pipelines is useful, they do not solve the problem of avoiding CD anti-patterns in configurations files.…”

Section: Introductionmentioning

confidence: 99%

See 2 more Smart Citations

Configuration smells in continuous delivery pipelines: a linter and a six-month study on GitLab

Vassallo

Proksch

Jancso

et al. 2020

Proceedings of the 28th ACM Joint Meeting on European Software Engineering Conference and Symposium on the Foundations of Softw

View full text Add to dashboard Cite

Section: Discussionmentioning

confidence: 99%

Section: Detection Of Smells In Development Workflowsmentioning

confidence: 99%

Section: Introductionmentioning

confidence: 99%

See 1 more Smart Citation

Configuration smells in continuous delivery pipelines: a linter and a six-month study on GitLab

Vassallo

Proksch

Jancso

et al. 2020

Proceedings of the 28th ACM Joint Meeting on European Software Engineering Conference and Symposium on the Foundations of Softw

View full text Add to dashboard Cite

“…Many infrastructure code analysis approaches have been proposed to identify security, availability and reliability issues. SLIC [38] detects seven security smells in Puppet manifests, including admin by default, hard-coded secret, suspicious comments, etc. FSMoVe [41] identifies ordering violations and missing notifiers in Puppet programs, which can cause the infrastructure become unavailable [3] or unreliable [39].…”

Section: Related Workmentioning

confidence: 99%

Automatically detecting risky scripts in infrastructure code

Dai¹,

Karve²,

Koper³

et al. 2020

Proceedings of the 11th ACM Symposium on Cloud Computing

View full text Add to dashboard Cite

Infrastructure code supports embedded scripting languages such as Shell and PowerShell to manage the infrastructure resources and conduct life-cycle operations. Risky patterns in the embedded scripts have widespread of negative impacts across the whole infrastructure, causing disastrous consequences. In this paper, we propose an analysis framework, which can automatically extract and compose the embedded scripts from infrastructure code before detecting their risky code patterns with correlated severity levels and negative impacts. We implement SecureCode based on the proposed framework to check infrastructure code supported by Ansible, i.e., Ansible playbooks. We integrate SecureCode with the DevOp pipeline deployed in IBM cloud and test Secure-Code on 45 IBM Services community repositories. Our evaluation shows that SecureCode can efficiently and effectively identify 3419 true issues with 116 false positives in minutes. Among the 3419 true issues, 1691 have high severity levels. CCS CONCEPTS • Computer systems organization → Reliability; Availability; • Software and its engineering → Software testing and debugging.

show abstract

“…In software engineering research, smell detection has been a key topic [16]. Several studies have used a rule-based approach to detect smells in different artifacts such as objectoriented programs [9], service descriptions [10], and infrastructure automation scripts [11,15]. The rule-based approach is also popular in industry, for instance, so-called Lint tools for Docker, Chef, TerraForm, and Puppet, However, mostly, these tools use informal rules, and operate directly on source code.…”

Section: Introductionmentioning

confidence: 99%

Towards Semantic Detection of Smells in Cloud Infrastructure Code

Kumara

Vasileiou

Meditskos

et al. 2020

Proceedings of the 10th International Conference on Web Intelligence, Mining and Semantics

View full text Add to dashboard Cite

Automated deployment and management of Cloud applications relies on descriptions of their deployment topologies, often referred to as Infrastructure Code. As the complexity of applications and their deployment models increases, developers inadvertently introduce software smells to such code specifications, for instance, violations of good coding practices, modular structure, and more. This paper presents a knowledge-driven approach enabling developers to identify the aforementioned smells in deployment descriptions. We detect smells with SPARQL-based rules over pattern-based OWL 2 knowledge graphs capturing deployment models. We show the feasibility of our approach with a prototype and three case studies. CCS Concepts: • Computer systems organization → Cloud computing; • Theory of computation → Semantics and reasoning; • General and reference → Validation.

show abstract

The Seven Sins: Security Smells in Infrastructure as Code Scripts

Cited by 143 publications

References 48 publications

Configuration smells in continuous delivery pipelines: a linter and a six-month study on GitLab

Configuration smells in continuous delivery pipelines: a linter and a six-month study on GitLab

Automatically detecting risky scripts in infrastructure code

Towards Semantic Detection of Smells in Cloud Infrastructure Code

Contact Info

Product

Resources

About