Characterizing Co-located Insecure Coding Patterns in Infrastructure as Code ScriptsWorkshop
Context: Insecure coding patterns (ICPs), such as hard-coded passwords can be inadvertently introduced in infrastructure as code (IaC) scripts, providing malicious users the opportunity to attack provisioned computing infrastructure. As performing code reviews is resource-intensive, a characterization of co-located ICPs, i.e., ICPs that occur together in a script can help practitioners to prioritize their review efforts and mitigate ICPs in IaC scripts. Objective: The goal of this paper is to help practitioners in prioritizing code review efforts for infrastructure as code (IaC) scripts by conducting an empirical study of co-located insecure coding patterns in IaC scripts. Methodology: We conduct an empirical study with 1613, 2764 and 2845 Puppet scripts respectively collected from three organizations namely, Mozilla, Openstack, and Wikimedia. We apply association rule mining to identify co-located ICPs in IaC scripts. Results: We observe 17.9%, 32.9%, and 26.7% of the scripts to include co-located ICPs respectively, for Mozilla, Openstack, and Wikimedia. The most frequent co-located ICP category is hard-coded secret and suspicious comment. Conclusion: Practitioners can prioritize code review efforts for IaC scripts by reviewing scripts that include co-located ICPs.
Mon 21 Sep Times are displayed in time zone: (UTC) Coordinated Universal Time
02:50 - 03:02 Talk | A Risk Homeostasis Perspective on Zimbabwean Protective Point-of-Sale Transaction BehavioursWorkshop [Workshop] HCSE&CS | ||
03:02 - 03:14 Talk | Designing a Serious Game: Teaching Developers to Embed Privacy into Software SystemsWorkshop [Workshop] HCSE&CS Nalin Asanka Gamagedara ArachchilageLa Trobe University, Australia, Mumtaz AbdulhameedTechnovation Consulting & Training PVT | ||
03:14 - 03:26 Talk | Vulnerability Discovery Strategies Used in Software ProjectsWorkshop [Workshop] HCSE&CS Farzana Ahamed BhuiyanTennessee Tech University, Akond RahmanTennessee Tech University, Patrick MorrisonIBM | ||
03:26 - 03:38 Talk | An Informed Consent Model for Handling the Privacy Paradox in Smart BuildingsWorkshop [Workshop] HCSE&CS Chehara PathmabanduMonash University, Mohan Baruwal ChhetriData61 CSIRO Australia, John GrundyMonash University, Australia, A: Zubair BaigDeakin University | ||
03:38 - 03:50 Talk | Characterizing Co-located Insecure Coding Patterns in Infrastructure as Code ScriptsWorkshop [Workshop] HCSE&CS |