The Seven Sins: Security Smells in Infrastructure as Code Scripts
Title | The Seven Sins: Security Smells in Infrastructure as Code Scripts |
Publication Type | Conference Paper |
Year of Publication | 2019 |
Authors | Rahman, Akond, Parnin, Chris, Williams, Laurie |
Conference Name | 2019 IEEE/ACM 41st International Conference on Software Engineering (ICSE) |
Date Published | May 2019 |
Publisher | IEEE |
ISBN Number | 978-1-7281-0869-8 |
Keywords | composability, DevOps, devsecops, empirical study, encoding, hard-coded passwords, hard-coded secret, Human Behavior, IaC scripts, infrastructure as code, password, program debugging, program diagnostics, pubcrawl, puppet, resilience, Resiliency, security, security breaches, security linter for infrastructure as code scripts, security linter tool, security of data, security smells, Security weakness, Servers, smell, Software, static analysis, static code analysis, Tools |
Abstract | Practitioners use infrastructure as code (IaC) scripts to provision servers and development environments. While developing IaC scripts, practitioners may inadvertently introduce security smells. Security smells are recurring coding patterns that are indicative of security weakness and can potentially lead to security breaches. The goal of this paper is to help practitioners avoid insecure coding practices while developing infrastructure as code (IaC) scripts through an empirical study of security smells in IaC scripts. We apply qualitative analysis on 1,726 IaC scripts to identify seven security smells. Next, we implement and validate a static analysis tool called Security Linter for Infrastructure as Code scripts (SLIC) to identify the occurrence of each smell in 15,232 IaC scripts collected from 293 open source repositories. We identify 21,201 occurrences of security smells that include 1,326 occurrences of hard-coded passwords. We submitted bug reports for 1,000 randomly-selected security smell occurrences. We obtain 212 responses to these bug reports, of which 148 occurrences were accepted by the development teams to be fixed. We observe security smells can have a long lifetime, e.g., a hard-coded secret can persist for as long as 98 months, with a median lifetime of 20 months. |
URL | https://ieeexplore.ieee.org/document/8812041 |
DOI | 10.1109/ICSE.2019.00033 |
Citation Key | rahman_seven_2019 |
- resilience
- tools
- static code analysis
- static analysis
- Software
- smell
- Servers
- Security weakness
- security smells
- security of data
- security linter tool
- security linter for infrastructure as code scripts
- security breaches
- security
- Resiliency
- composability
- puppet
- pubcrawl
- program diagnostics
- program debugging
- password
- infrastructure as code
- IaC scripts
- Human behavior
- hard-coded secret
- hard-coded passwords
- encoding
- empirical study
- devsecops
- DevOps