Vulnerabilities in Infrastructure as Code: What, How Many, and Who?
Infrastructure as Code (IaC) is a pivotal approach for deploying and managing IT systems and services using scripts, offering flexibility and numerous benefits. However, the presence of security flaws in IaC scripts can have severe consequences, as exemplified by the recurring exploits of Cloud Web Services. Recent studies in the literature have investigated IaC security issues, but they often focus on individual components (IaC tools or scripts), providing only preliminary insights. Our research extends the current knowledge by conducting a comprehensive investigation into various aspects of IaC security, encompassing its components. We explore vulnerabilities in terms of types, their predominant locations, contributor responsibilities for introducing vulnerabilities, and more. Our methodology relies on widely adopted static security testing tools, which analyze over 1600 repositories to identify IaC vulnerabilities. Our empirical study yields valuable observations, highlighting severe and recurrent vulnerabilities within IaC, while also categorizing their severity and types. We delve deeper into vulnerability patterns, examining source code, dependencies, and manifest files across IaC components, including tools, scripts, and add-ons (libraries or plugin tools). The study uncovers that IaC components are plagued by exploitable vulnerabilities that span all ten categories of security bugs outlined in the OWASP Top 10 2021. Furthermore, our investigation reveals that even when maintainers employ security tools to address vulnerabilities, they do not integrate them systematically into their automation routines. Consequently, we propose that IT teams need to foster stronger collaboration across DevOps profiles (developers and IT operators) and break down the boundaries with security operators to enhance Infrastructure as Code’s security posture through the adoption of DevSecOps practices.
Thu 11 SepDisplayed time zone: Auckland, Wellington change
15:30 - 17:00 | Session 12 - Security 1NIER Track / Research Papers Track / Tool Demonstration Track / Journal First Track at Case Room 2 260-057 Chair(s): Dhanushka Jayasuriya University of Auckland | ||
15:30 15m | Retrieve, Refine, or Both? Using Task-Specific Guidelines for Secure Python Code Generation Research Papers Track Catherine Tony Hamburg University of Technology, Emanuele Iannone Hamburg University of Technology, Riccardo Scandariato Hamburg University of Technology Pre-print | ||
15:45 15m | SAEL: Leveraging Large Language Models with Adaptive Mixture-of-Experts for Smart Contract Vulnerability Detection Research Papers Track Lei Yu Institute of Software, Chinese Academy of Sciences, University of Chinese Academy of Sciences, China, Shiqi Cheng Institute of Software, Chinese Academy of Sciences, China, Zhirong Huang Institute of Software, Chinese Academy of Sciences, University of Chinese Academy of Sciences, China, Jingyuan Zhang Institute of Software, Chinese Academy of Sciences, University of Chinese Academy of Sciences, China, Chenjie Shen Institute of Software, Chinese Academy of Sciences, University of Chinese Academy of Sciences, China, Junyi Lu Institute of Software, Chinese Academy of Sciences, University of Chinese Academy of Sciences, China, Li Yang Institute of Software, Chinese Academy of Sciences, Fengjun Zhang Institute of Software, Chinese Academy of Sciences, China, Jiajia Ma Institute of Software, Chinese Academy of Sciences, China Pre-print | ||
16:00 15m | Evaluating the maintainability of Forward-Porting vulnerabilities in fuzzer benchmarks Research Papers Track Timothée Riom Umeå Universitet, Sabine Houy Umeå Universitet, Bruno Kreyssig Umeå University, Alexandre Bartel Umeå University | ||
16:15 10m | VulGuard: An Unified Tool for Evaluating Just-In-Time Vulnerability Prediction Models Tool Demonstration Track Duong Nguyen Hanoi University of Science and Technology, Manh Tran-Duc Hanoi University of Science and Technology, Le-Cong Thanh The University of Melbourne, Triet Le The University of Adelaide, Muhammad Ali Babar School of Computer Science, The University of Adelaide, Quyet Thang Huynh Hanoi University of Science and Technology | ||
16:25 10m | Explicit Vulnerability Generation with LLMs: An Investigation Beyond Adversarial Attacks NIER Track Emir Bosnak Bilkent University, Sahand Moslemi Yengejeh Bilkent University, Mayasah Lami Bilkent University, Anil Koyuncu Bilkent University Pre-print | ||
16:35 15m | Vulnerabilities in Infrastructure as Code: What, How Many, and Who? Journal First Track Aïcha War University of Luxembourg, Alioune Diallo University of Luxembourg, Andrew Habib ABB Corporate Research, Germany, Jacques Klein University of Luxembourg, Tegawendé F. Bissyandé University of Luxembourg |