DevOps; DevSecOps; Infrastructure as code; SecDevOps; Security smells; Security testing; Software vulnerability; Code components; Code security; Devsecop; IT services; IT system; Secdevops; Security smell; Software vulnerabilities; Software
Abstract:
Infrastructure as Code (IaC) is a pivotal approach for deploying and managing IT systems and services using scripts, offering flexibility and numerous benefits. However, security flaws in IaC scripts can have severe consequences, as exemplified by the recurring exploits of Cloud Web Services. Recent studies in the literature have investigated IaC security issues, but they often focus on individual components (IaC tools or scripts) and provide only preliminary insights. Our research extends the current knowledge by conducting a comprehensive investigation into various aspects of IaC security across its components. We explore vulnerabilities in terms of their types, their predominant locations, the responsibilities of the contributors who introduce them, and more. Our methodology relies on widely adopted static security testing tools, which analyze over 1600 repositories to identify IaC vulnerabilities. Our empirical study yields valuable observations, highlighting severe and recurrent vulnerabilities within IaC and categorizing their severity and types. We delve deeper into vulnerability patterns, examining source code, dependencies, and manifest files across IaC components, including tools, scripts, and add-ons (libraries or plugin tools). The study uncovers that IaC components are plagued by exploitable vulnerabilities spanning all ten categories of security bugs outlined in the OWASP Top 10 2021. Furthermore, our investigation reveals that even when maintainers employ security tools to address vulnerabilities, they do not integrate them systematically into their automation routines. Consequently, we propose that IT teams need to foster stronger collaboration across DevOps profiles (developers and IT operators) and break down the boundaries with security operators to enhance the security posture of Infrastructure as Code through the adoption of DevSecOps practices.
Research centre:
Interdisciplinary Centre for Security, Reliability and Trust (SnT) > TruX - Trustworthy Software Engineering
Disciplines:
Computer science
Author, co-author:
WAR, Aicha ; University of Luxembourg > Interdisciplinary Centre for Security, Reliability and Trust (SNT) > TruX
DIALLO, Alioune ; University of Luxembourg > Interdisciplinary Centre for Security, Reliability and Trust (SNT) > TruX
HABIB, Andrew ; ABB Corporate Research Center of Germany, Baden, Switzerland
KLEIN, Jacques ; University of Luxembourg > Interdisciplinary Centre for Security, Reliability and Trust (SNT) > TruX
This work is funded by the Ministère des Affaires Étrangères et Européennes (MAEE) of Luxembourg through their Digital4Development (D4D) portfolio under the project LuxWAyS (Luxembourg/West-Africa Lab for Higher Education Capacity Building in CyberSecurity and Emerging Topics in ICT4Dev).
War A, Habib A, Diallo A, Klein J, Bissyandé TF (n.d.) Security Vulnerabilities in Infrastructure as Code: What, How Many, and Who? https://github.com/Sherlock0001/empirical-study-iac.git