The Seven Sins: Security Smells in Infrastructure as Code Scripts | IEEE Conference Publication | IEEE Xplore

The Seven Sins: Security Smells in Infrastructure as Code Scripts


Abstract:

Practitioners use infrastructure as code (IaC) scripts to provision servers and development environments. While developing IaC scripts, practitioners may inadvertently introduce security smells. Security smells are recurring coding patterns that are indicative of security weakness and can potentially lead to security breaches. The goal of this paper is to help practitioners avoid insecure coding practices while developing IaC scripts through an empirical study of security smells in IaC scripts. We apply qualitative analysis on 1,726 IaC scripts to identify seven security smells. Next, we implement and validate a static analysis tool called Security Linter for Infrastructure as Code scripts (SLIC) to identify the occurrence of each smell in 15,232 IaC scripts collected from 293 open source repositories. We identify 21,201 occurrences of security smells, including 1,326 occurrences of hard-coded passwords. We submitted bug reports for 1,000 randomly selected security smell occurrences. We obtained 212 responses to these bug reports, of which 148 occurrences were accepted by the development teams to be fixed. We observe that security smells can have a long lifetime: for example, a hard-coded secret can persist for as long as 98 months, with a median lifetime of 20 months.
Date of Conference: 25-31 May 2019
Date Added to IEEE Xplore: 26 August 2019
Conference Location: Montreal, QC, Canada
I. Introduction

Infrastructure as code (IaC) scripts help practitioners provision and configure their development environments and servers at scale [1]. IaC scripts are also known as configuration scripts [1], [2] or configuration as code scripts [1], [3]. Commercial IaC tool vendors, such as Chef (https://www.chef.io/chef/) and Puppet [4], provide programming syntax and libraries so that programmers can specify configuration and dependency information as scripts.
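As an added illustration of the kind of static check the abstract describes (a linter flagging hard-coded passwords in IaC scripts), the following Python code scans Puppet-style assignments for password-like names bound to string literals. It is example code written for this page, not SLIC or the authors' implementation; the password-name pattern, the `Finding` type and the sample manifest are constructed assumptions.

```python
import re
from dataclasses import dataclass
from typing import List

# Attribute/variable names treated as password-bearing. This name list is an
# assumption made for the example, not the rule set used by SLIC.
PASSWORD_KEY = re.compile(r"pass(word|wd)?|pwd|secret|token", re.IGNORECASE)

# Puppet-style assignment forms handled here:
#   attribute => value,     (resource attribute; the key may be quoted in a hash)
#   $variable  = value      (variable assignment)
ASSIGNMENT = re.compile(
    r"""^\s*\$?['"]?(?P<key>[A-Za-z_][A-Za-z0-9_:]*)['"]?\s*(?:=>|=)\s*(?P<value>.+?)\s*,?\s*$"""
)
# A single- or double-quoted string literal spanning the whole value.
STRING_LITERAL = re.compile(r"""^(?P<quote>['"])(?P<body>.*)(?P=quote)$""")


@dataclass(frozen=True)
class Finding:
    line: int   # 1-based line number in the manifest
    key: str    # attribute or variable name that matched
    value: str  # the literal as written, quotes included


def is_literal_secret(value: str) -> bool:
    """True when `value` is a non-empty quoted literal with no variable interpolation."""
    m = STRING_LITERAL.match(value)
    if not m:
        return False  # variable reference, lookup()/hiera() call, number, etc.
    quote, body = m.group("quote"), m.group("body")
    if body == "":
        return False  # empty string: nothing is hard-coded
    # Puppet interpolates $var and ${var} only inside double quotes; a single-quoted
    # '$6$...' crypt hash is still a literal and is reported.
    if quote == '"' and re.search(r"\$\{?[A-Za-z_:]", body):
        return False
    return True


def find_hardcoded_passwords(manifest: str) -> List[Finding]:
    """Report every password-like key that is assigned a literal string."""
    findings: List[Finding] = []
    for number, line in enumerate(manifest.splitlines(), start=1):
        stripped = line.strip()
        if not stripped or stripped.startswith("#"):
            continue  # blank line or full-line comment
        m = ASSIGNMENT.match(line)
        if not m:
            continue
        key, value = m.group("key"), m.group("value")
        if PASSWORD_KEY.search(key) and is_literal_secret(value):
            findings.append(Finding(number, key, value))
    return findings


# Constructed Puppet-style manifest for the example, not a real project's file.
SAMPLE_MANIFEST = r"""# constructed Puppet-style manifest for the example, not a real project's file
class profile::db {
  $db_pass      = 'hunter2'
  $api_token    = lookup('profile::api_token')
  $empty_secret = ''
  mysql_user { 'app@localhost':
    ensure        => present,
    password_hash => "${db_pass}",
  }
  user { 'deploy':
    ensure   => present,
    password => '$6$rounds=656000$constructedhash',
  }
  file { '/etc/app/config.ini':
    ensure  => file,
    mode    => '0600',
    content => "api_token = ${api_token}\n",
  }
}
"""

if __name__ == "__main__":
    for f in find_hardcoded_passwords(SAMPLE_MANIFEST):
        print(f"line {f.line}: hard-coded password in '{f.key}' = {f.value}")
```

On the sample manifest the check reports line 3 (`$db_pass = 'hunter2'`) and line 12 (a single-quoted crypt hash assigned to `password`), while the `lookup()` call, the empty string and the double-quoted `"${db_pass}"` interpolation are left alone. A name-based rule like this does not see a secret embedded in an unrelated value (a `--password=` flag inside an `exec` command string, for instance), so a production linter would pair it with a second pattern over values.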

References

[1] J. Humble and D. Farley, Continuous Delivery: Reliable Software Releases Through Build, Test, and Deployment Automation, Addison-Wesley Professional, 2010.
[2] T. Sharma, M. Fragkoulis and D. Spinellis, "Does your configuration code smell?", Proceedings of the 13th International Conference on Mining Software Repositories (MSR '16), pp. 189-200, 2016.
[3] A. Rahman, A. Partho, P. Morrison and L. Williams, "What questions do programmers ask about configuration as code?", Proceedings of the 4th International Workshop on Rapid Continuous Software Engineering (RCoSE '18), pp. 16-22, 2018.
[4] Puppet Labs, Puppet Documentation, 2018, [online] Available: https://docs.puppet.com/.
[5] "NYSE and ICE: Compliance, DevOps and efficient growth with Puppet Enterprise", Puppet Tech. Rep., April 2018, [online] Available: https://puppet.com/resources/case-study/nyse-and-ice.
[6] CWE - Common Weakness Enumeration, 2018, [online] Available: https://cwe.mitre.org/index.html.
[7] C. Wohlin, P. Runeson, M. Höst, M. C. Ohlsson, B. Regnell and A. Wesslén, Experimentation in Software Engineering, Springer, 2012.
[8] Y. Jiang and B. Adams, "Co-evolution of infrastructure and source code: An empirical study", Proceedings of the 12th Working Conference on Mining Software Repositories (MSR '15), pp. 45-55, 2015.
[9] R. Shambaugh, A. Weiss and A. Guha, "Rehearsal: A configuration verification tool for Puppet", SIGPLAN Not., vol. 51, no. 6, pp. 416-430, Jun. 2016.
[10] Puppet Labs, "Borsa Istanbul: Improving efficiency and reducing costs to manage a growing infrastructure", Puppet Tech. Rep., July 2018, [online] Available: https://puppet.com/resources/case-studyiborsa-istanbul.
[11] "Ambit Energy's competitive advantage? It's really a DevOps software company", Puppet Tech. Rep., April 2018, [online] Available: https://puppet.com/resources/case-study/ambit-energy.
[12] J. Schwarz, Code Smell Detection in Infrastructure as Code, 2017, [online] Available: https://www.swc.rwth-aachen.de/thesis/code-smell-detection-infrastructure-code/.
[13] E. van der Bent, J. Hage, J. Visser and G. Gousios, "How good is your Puppet? An empirically defined and validated quality model for Puppet", 2018 IEEE 25th International Conference on Software Analysis, Evolution and Reengineering (SANER), pp. 164-174, March 2018.
[14] A. Rahman and L. Williams, "Characterizing defective configuration scripts used for continuous deployment", 2018 IEEE 11th International Conference on Software Testing, Verification and Validation (ICST), pp. 34-45, April 2018.
[15] A. Rahman, A. Partho, D. Meder and L. Williams, "Which factors influence practitioners' usage of build automation tools?", Proceedings of the 3rd International Workshop on Rapid Continuous Software Engineering (RCoSE '17), pp. 20-26, 2017.
[16] A. Rahman, R. Mahdavi-Hezaveh and L. Williams, "A systematic mapping study of infrastructure as code research", Information and Software Technology, 2018, [online] Available: http://www.sciencedirect.com/science/article/pii/S0950584918302507.
[17] M. Fowler and K. Beck, Refactoring: Improving the Design of Existing Code, Addison-Wesley Professional, 1999.
[18] NIST CSRC Glossary: Vulnerability, 2018, [online] Available: https://csrc.nist.gov/Glossary/?term=2436.
[19] J. Turnbull and J. McCune, Pro Puppet, Apress, 2011, [online] Available: https://www.springer.com/gpibook/9781430230571.
[20] J. Saldaña, The Coding Manual for Qualitative Researchers, Sage, 2015.
[21] NIST, Security and Privacy Controls for Federal Information Systems and Organizations, 2014, [online] Available: https://www.nist.gov/publications/security-and-privacy-controls-federal-information-systems-and-organizations-including-0.
[22] T. Ylonen and C. Lonvick, The Secure Shell (SSH) Protocol Architecture, RFC 4251, 2006.
[23] P. Mutaf, "Defending against a denial-of-service attack on TCP", Recent Advances in Intrusion Detection, 1999.
[24] M.-A. Storey, J. Ryall, R. I. Bull, D. Myers and J. Singer, "TODO or to bug: Exploring how task annotations play a role in the work practices of software developers", Proceedings of the 30th International Conference on Software Engineering (ICSE '08), pp. 251-260, 2008.
[25] E. Rescorla, HTTP Over TLS, RFC 2818, 2000.
[26] "sKyWIper (a.k.a. Flame a.k.a. Flamer): A complex malware for targeted attacks", Laboratory of Cryptography and System Security (CrySyS Lab), Budapest, Hungary, Tech. Rep., May 2012, [online] Available: http://www.crysys.hu/skywiper/skywiper.pdf.
[27] B. den Boer and A. Bosselaers, "Collisions for the compression function of MD5", Workshop on the Theory and Application of Cryptographic Techniques on Advances in Cryptology (EUROCRYPT '93), pp. 293-304, 1994.
[28] X. Wang and H. Yu, "How to break MD5 and other hash functions", Proceedings of the 24th Annual International Conference on Theory and Applications of Cryptographic Techniques (EUROCRYPT '05), pp. 19-35, 2005.
[29] M. Ghafari, P. Gadient and O. Nierstrasz, "Security smells in Android", 2017 IEEE 17th International Working Conference on Source Code Analysis and Manipulation (SCAM), pp. 121-130, Sept 2017.
[30] M. Egele, D. Brumley, Y. Fratantonio and C. Kruegel, "An empirical study of cryptographic misuse in Android applications", Proceedings of the 2013 ACM SIGSAC Conference on Computer and Communications Security (CCS '13), pp. 73-84, 2013.