Leveraging Practitioners' Feedback to Improve a Security LinterVirtual
Infrastructure-as-Code (IaC) is a technology that enables the managing, provisioning, and distributing of infrastructure through code instead of manual processes. As with any piece of code, IaC scripts are not immune to defects. A recent Cloud Threat Report from Palo Alto Network’s Unit 42 announced the discovery of over 199K vulnerable IaC templates. This highlights the importance of tools to prevent vulnerabilities from reaching production and shift security left in the development pipeline. Unfortunately, we observed through a comprehensive study that security linters for IaC scripts can be very imprecise. Our approach to address this problem was to leverage community expertize to improve the precision of these tools. More precisely, we interviewed professional developers of Puppet scripts to collect their feedback on the root causes of imprecision of the state-of-the-art security linter for Puppet. From that feedback, we developed a new linter adjusting 7 rules of the original linter ruleset and adding 3 new rules. We conducted a new study with 131 professional developers, showing an increase in precision from 8% to 83%. The main message of this paper is that obtaining professional feedback is feasible and highly effective and that feedback is key to the creation of high precision rulesets, which is critical for the usefulness and adoption of IaC security linters.
Wed 12 OctDisplayed time zone: Eastern Time (US & Canada) change
13:30 - 15:30 | Technical Session 16 - Software VulnerabilitiesResearch Papers / Journal-first Papers at Gold A Chair(s): Mohamed Wiem Mkaouer Rochester Institute of Technology | ||
13:30 20mResearch paper | Data Leakage in Notebooks: Static Detection and Better Processes Research Papers Chenyang Yang , Rachel A Brower-Sinning Carnegie Mellon Software Engineering Institute, Grace Lewis Carnegie Mellon Software Engineering Institute, Christian Kästner Carnegie Mellon University | ||
13:50 20mResearch paper | GLITCH: Automated Polyglot Security Smell Detection in Infrastructure as CodeVirtual Research Papers Nuno Saavedra INESC-ID and IST, University of Lisbon, João F. Ferreira INESC-ID and IST, University of Lisbon Pre-print | ||
14:10 20mPaper | SafeDrop: Detecting Memory Deallocation Bugs of Rust Programs via Static Data-Flow AnalysisVirtual Journal-first Papers Mohan Cui Fudan University, Chengjun Chen Fudan University, Hui Xu Fudan University, Yangfan Zhou Fudan University | ||
14:30 20mResearch paper | Precise (Un)Affected Version Analysis for Web VulnerabilitiesVirtual Research Papers ShiYoukun Fudan University, Yuan Zhang Fudan University, Tianhan Luo Fudan University, Xiangyu Mao Fudan University, Min Yang Fudan University | ||
14:50 20mResearch paper | Leveraging Practitioners' Feedback to Improve a Security LinterVirtual Research Papers Sofia Reis Instituto Superior Técnico, U. Lisboa & INESC-ID, Rui Abreu Faculty of Engineering, University of Porto, Portugal, Marcelo d'Amorim Federal University of Pernambuco, Daniel Fortunato INESC-ID, University of Porto | ||
15:10 20mResearch paper | Insight: Exploring Cross-Ecosystem Vulnerability ImpactsVirtual Research Papers Meiqiu Xu Northeastern University, China, Ying Wang Northeastern University, China, Shing-Chi Cheung Hong Kong University of Science and Technology, Hai Yu Northeastern University, China, Zhiliang Zhu Northeastern University, China | ||