
Infrastructure-as-Code (IaC) is a technology that enables the managing, provisioning, and distributing of infrastructure through code instead of manual processes. As with any piece of code, IaC scripts are not immune to defects. A recent Cloud Threat Report from Palo Alto Networks' Unit 42 announced the discovery of over 199K vulnerable IaC templates. This highlights the importance of tools that prevent vulnerabilities from reaching production and shift security left in the development pipeline. Unfortunately, we observed through a comprehensive study that security linters for IaC scripts can be very imprecise. Our approach to addressing this problem was to leverage community expertise to improve the precision of these tools. More precisely, we interviewed professional developers of Puppet scripts to collect their feedback on the root causes of imprecision in the state-of-the-art security linter for Puppet. From that feedback, we developed a new linter, adjusting 7 rules of the original linter ruleset and adding 3 new rules. We conducted a new study with 131 professional developers, showing an increase in precision from 8% to 83%. The main message of this paper is that obtaining professional feedback is feasible and highly effective, and that such feedback is key to the creation of high-precision rulesets, which is critical for the usefulness and adoption of IaC security linters.

Wed 12 Oct

Displayed time zone: Eastern Time (US & Canada)

13:30 - 15:30
Technical Session 16 - Software Vulnerabilities (Research Papers / Journal-first Papers) at Gold A
Chair(s): Mohamed Wiem Mkaouer (Rochester Institute of Technology)
13:30, 20m, Research paper (Research Papers)
Data Leakage in Notebooks: Static Detection and Better Processes
Chenyang Yang; Rachel A Brower-Sinning (Carnegie Mellon Software Engineering Institute); Grace Lewis (Carnegie Mellon Software Engineering Institute); Christian Kästner (Carnegie Mellon University)
13:50, 20m, Research paper (Research Papers)
GLITCH: Automated Polyglot Security Smell Detection in Infrastructure as Code (Virtual)
Nuno Saavedra (INESC-ID and IST, University of Lisbon); João F. Ferreira (INESC-ID and IST, University of Lisbon)
Pre-print
14:10, 20m, Paper (Journal-first Papers)
SafeDrop: Detecting Memory Deallocation Bugs of Rust Programs via Static Data-Flow Analysis (Virtual)
Mohan Cui (Fudan University); Chengjun Chen (Fudan University); Hui Xu (Fudan University); Yangfan Zhou (Fudan University)
14:30, 20m, Research paper (Research Papers)
Precise (Un)Affected Version Analysis for Web Vulnerabilities (Virtual)
Youkun Shi (Fudan University); Yuan Zhang (Fudan University); Tianhan Luo (Fudan University); Xiangyu Mao (Fudan University); Min Yang (Fudan University)
14:50, 20m, Research paper (Research Papers)
Leveraging Practitioners' Feedback to Improve a Security Linter (Virtual)
Sofia Reis (Instituto Superior Técnico, U. Lisboa & INESC-ID); Rui Abreu (Faculty of Engineering, University of Porto, Portugal); Marcelo d'Amorim (Federal University of Pernambuco); Daniel Fortunato (INESC-ID, University of Porto)
15:10, 20m, Research paper (Research Papers)
Insight: Exploring Cross-Ecosystem Vulnerability Impacts (Virtual)
Meiqiu Xu (Northeastern University, China); Ying Wang (Northeastern University, China); Shing-Chi Cheung (Hong Kong University of Science and Technology); Hai Yu (Northeastern University, China); Zhiliang Zhu (Northeastern University, China)