Behaviour-aware Security Smell Detection for Infrastructure as Code

Ruben Opdebeeck; Ahmed Zerouali; Coen De Roover

Samenvatting

Infrastructure as Code (IaC) is a vital part of modern DevOps workflows, and the security of deployed infrastructures is of the upmost importance. In this presentation, we will highlight the importance of taking into account IaC script behaviour when detecting security smells. Specifically, we present gasel, a security smell detector based on program dependence graphs, which takes into account the control and data flow of Ansible IaC scripts. gasel supports 7 distinct security weaknesses, such as hardcoded passwords and missing integrity checks. Using an oracle of 243 real-world weaknesses, we show that gasel outperforms the state-of-the-art detectors. Moreover, we perform an empirical study on more than 15.000 Ansible scripts to show that the inclusion of control and data flow information is vital to detect security smells in real-world code.

Originele taal-2	English
Aantal pagina's	2
Status	Unpublished - 27 nov 2023
Evenement	22nd Belgium-Netherlands Software Evolution Workshop - Nijmegen, Netherlands Duur: 27 nov 2023 → 28 nov 2023 Congresnummer: 22 https://benevol2023.github.io/

Workshop

Workshop	22nd Belgium-Netherlands Software Evolution Workshop
Verkorte titel	BENEVOL 2023
Land/Regio	Netherlands
Stad	Nijmegen
Periode	27/11/23 → 28/11/23
Internet adres	https://benevol2023.github.io/

Toegang tot document

mainAccepted author manuscript, 613 KBLicentie: CC BY

Behaviour-aware Security Smell Detection for Infrastructure as Code
Ruben Opdebeeck (Speaker)
27 nov 2023
Activiteit: Talk or presentation at a workshop/seminar

Bestand

Citeer dit

@conference{72be5e9df528400998b8b05166d4c8e7,

title = "Behaviour-aware Security Smell Detection for Infrastructure as Code",

abstract = "Infrastructure as Code (IaC) is a vital part of modern DevOps workflows, and the security of deployed infrastructures is of the upmost importance. In this presentation, we will highlight the importance of taking into account IaC script behaviour when detecting security smells. Specifically, we present gasel, a security smell detector based on program dependence graphs, which takes into account the control and data flow of Ansible IaC scripts. gasel supports 7 distinct security weaknesses, such as hardcoded passwords and missing integrity checks. Using an oracle of 243 real-world weaknesses, we show that gasel outperforms the state-of-the-art detectors. Moreover, we perform an empirical study on more than 15.000 Ansible scripts to show that the inclusion of control and data flow information is vital to detect security smells in real-world code.",

author = "Ruben Opdebeeck and Ahmed Zerouali and {De Roover}, Coen",

year = "2023",

month = nov,

day = "27",

language = "English",

note = "22nd Belgium-Netherlands Software Evolution Workshop, BENEVOL 2023 ; Conference date: 27-11-2023 Through 28-11-2023",

url = "https://benevol2023.github.io/",

}

TY - CONF

T1 - Behaviour-aware Security Smell Detection for Infrastructure as Code

AU - Opdebeeck, Ruben

AU - Zerouali, Ahmed

AU - De Roover, Coen

N1 - Conference code: 22

PY - 2023/11/27

Y1 - 2023/11/27

N2 - Infrastructure as Code (IaC) is a vital part of modern DevOps workflows, and the security of deployed infrastructures is of the upmost importance. In this presentation, we will highlight the importance of taking into account IaC script behaviour when detecting security smells. Specifically, we present gasel, a security smell detector based on program dependence graphs, which takes into account the control and data flow of Ansible IaC scripts. gasel supports 7 distinct security weaknesses, such as hardcoded passwords and missing integrity checks. Using an oracle of 243 real-world weaknesses, we show that gasel outperforms the state-of-the-art detectors. Moreover, we perform an empirical study on more than 15.000 Ansible scripts to show that the inclusion of control and data flow information is vital to detect security smells in real-world code.

AB - Infrastructure as Code (IaC) is a vital part of modern DevOps workflows, and the security of deployed infrastructures is of the upmost importance. In this presentation, we will highlight the importance of taking into account IaC script behaviour when detecting security smells. Specifically, we present gasel, a security smell detector based on program dependence graphs, which takes into account the control and data flow of Ansible IaC scripts. gasel supports 7 distinct security weaknesses, such as hardcoded passwords and missing integrity checks. Using an oracle of 243 real-world weaknesses, we show that gasel outperforms the state-of-the-art detectors. Moreover, we perform an empirical study on more than 15.000 Ansible scripts to show that the inclusion of control and data flow information is vital to detect security smells in real-world code.

M3 - Unpublished abstract

T2 - 22nd Belgium-Netherlands Software Evolution Workshop

Y2 - 27 November 2023 through 28 November 2023

ER -

Behaviour-aware Security Smell Detection for Infrastructure as Code

Samenvatting

Workshop

Toegang tot document

Vingerafdruk

Activiteiten

Behaviour-aware Security Smell Detection for Infrastructure as Code

Citeer dit