ICSME 2025
Sun 7 - Fri 12 September 2025 Auckland, New Zealand
Thu 11 Sep 2025 16:35 - 16:50 at Case Room 2 260-057 - Session 12 - Security 1 Chair(s): Dhanushka Jayasuriya

Infrastructure as Code (IaC) is a pivotal approach for deploying and managing IT systems and services using scripts, offering flexibility and numerous benefits. However, the presence of security flaws in IaC scripts can have severe consequences, as exemplified by the recurring exploits of Cloud Web Services. Recent studies in the literature have investigated IaC security issues, but they often focus on individual components (IaC tools or scripts), providing only preliminary insights. Our research extends the current knowledge by conducting a comprehensive investigation into various aspects of IaC security, encompassing its components. We explore vulnerabilities in terms of types, their predominant locations, contributor responsibilities for introducing vulnerabilities, and more. Our methodology relies on widely adopted static security testing tools, which analyze over 1600 repositories to identify IaC vulnerabilities. Our empirical study yields valuable observations, highlighting severe and recurrent vulnerabilities within IaC, while also categorizing their severity and types. We delve deeper into vulnerability patterns, examining source code, dependencies, and manifest files across IaC components, including tools, scripts, and add-ons (libraries or plugin tools). The study uncovers that IaC components are plagued by exploitable vulnerabilities that span all ten categories of security bugs outlined in the OWASP Top 10 2021. Furthermore, our investigation reveals that even when maintainers employ security tools to address vulnerabilities, they do not integrate them systematically into their automation routines. Consequently, we propose that IT teams need to foster stronger collaboration across DevOps profiles (developers and IT operators) and break down the boundaries with security operators to enhance Infrastructure as Code’s security posture through the adoption of DevSecOps practices.

Thu 11 Sep

Displayed time zone: Auckland, Wellington

15:30 - 17:00

15:30 (15m) Retrieve, Refine, or Both? Using Task-Specific Guidelines for Secure Python Code Generation
Research Papers Track
Catherine Tony (Hamburg University of Technology), Emanuele Iannone (Hamburg University of Technology), Riccardo Scandariato (Hamburg University of Technology)
Pre-print

15:45 (15m) SAEL: Leveraging Large Language Models with Adaptive Mixture-of-Experts for Smart Contract Vulnerability Detection
Research Papers Track
Lei Yu (Institute of Software, Chinese Academy of Sciences; University of Chinese Academy of Sciences, China), Shiqi Cheng (Institute of Software, Chinese Academy of Sciences, China), Zhirong Huang (Institute of Software, Chinese Academy of Sciences; University of Chinese Academy of Sciences, China), Jingyuan Zhang (Institute of Software, Chinese Academy of Sciences; University of Chinese Academy of Sciences, China), Chenjie Shen (Institute of Software, Chinese Academy of Sciences; University of Chinese Academy of Sciences, China), Junyi Lu (Institute of Software, Chinese Academy of Sciences; University of Chinese Academy of Sciences, China), Li Yang (Institute of Software, Chinese Academy of Sciences), Fengjun Zhang (Institute of Software, Chinese Academy of Sciences, China), Jiajia Ma (Institute of Software, Chinese Academy of Sciences, China)
Pre-print

16:00 (15m) Evaluating the maintainability of Forward-Porting vulnerabilities in fuzzer benchmarks
Research Papers Track
Timothée Riom (Umeå Universitet), Sabine Houy (Umeå Universitet), Bruno Kreyssig (Umeå University), Alexandre Bartel (Umeå University)

16:15 (10m) VulGuard: An Unified Tool for Evaluating Just-In-Time Vulnerability Prediction Models
Tool Demonstration Track
Duong Nguyen (Hanoi University of Science and Technology), Manh Tran-Duc (Hanoi University of Science and Technology), Le-Cong Thanh (The University of Melbourne), Triet Le (The University of Adelaide), Muhammad Ali Babar (School of Computer Science, The University of Adelaide), Quyet Thang Huynh (Hanoi University of Science and Technology)

16:25 (10m) Explicit Vulnerability Generation with LLMs: An Investigation Beyond Adversarial Attacks
NIER Track
Emir Bosnak (Bilkent University), Sahand Moslemi Yengejeh (Bilkent University), Mayasah Lami (Bilkent University), Anil Koyuncu (Bilkent University)
Pre-print

16:35 (15m) Vulnerabilities in Infrastructure as Code: What, How Many, and Who?
Journal First Track
Aïcha War (University of Luxembourg), Alioune Diallo (University of Luxembourg), Andrew Habib (ABB Corporate Research, Germany), Jacques Klein (University of Luxembourg), Tegawendé F. Bissyandé (University of Luxembourg)