Security Smells in IaC Scripts

eKRAAL Innovation Hub
writers@eKRAAL
Jun 24, 2021

Security smells are recurring coding patterns that are indicative of security weaknesses that can potentially lead to security breaches and hence require further inspection.

Introduction

In this article we address one of the research questions raised by Mishra & Otaiwi in their systematic mapping study: will the inclusion of automation in DevOps contribute to software quality? The need for companies and organizations to reduce the time to market for their products led to a model that unified the development and operations teams.

Eventually, this led to the coinage of the term DevOps, which was first used by Patrick Debois at the Agile Conference in 2008. Several definitions of DevOps exist, but one point is paramount: it is a core enabler of throughput and high production speed through automation. This has led to an increase in research on the benefits of DevOps, but its impact on software quality has received little attention.

How is automation achieved within the DevOps model?

Infrastructure as Code (IaC) is a set of practices that uses configuration management scripts to build, deploy, provision, and destroy infrastructure on a specified orchestration platform.

Automation can be achieved either through a model-driven approach, such as Argon, which abstracts away the complexity of writing automation scripts, or through a code-centric approach, which is the focus of this article.

While Terraform and Ansible are versatile tools for deploying infrastructure on cloud services, Chef and Puppet are best used for provisioning resources on the deployed infrastructure. On the other hand, PowerShell Desired State Configuration (DSC) is suitable for Windows environments.

Background

Reducing deployment and provisioning time is one of the biggest advantages offered by IaC scripts. A good example is NASA's migration of roughly 65 applications from a traditional hardware-based data center to the AWS cloud for better agility and cost savings; Ansible Tower was used as the main IaC tool and brought tremendous advantages.

Poor coding practices can, however, introduce risk. A code smell is a recurring coding pattern that indicates potential maintenance problems. This brings us to the concept of security smells, which, according to the cited study, are recurring coding patterns that are indicative of security weaknesses that can potentially lead to security breaches and hence require further inspection.

Since IaC scripts are commonly used by organizations to provision on-premises and cloud-based infrastructure, it is imperative to investigate whether security smells are present in them. Research has been conducted to assess the presence of security smells in various configuration management scripts. In their study, Rahman, Parnin, and Laurie applied qualitative analysis to 1726 IaC scripts obtained from open source repositories and identified seven security smells in Puppet.

MITRE's Common Weakness Enumeration (CWE)

Table 1: Mapping of Security Smells to MITRE CWE

The table above was derived from the cited article, which discusses the mapping in detail.

A further replication study identified security smells in Ansible and Chef. The authors found two new security smells that had been missed in their previous work: missing default in case statement and no integrity check.

These works led to the development of two static analysis tools, Security Linter for IaC Scripts (SLIC) and Security Linter for Ansible and Chef Scripts (SLAC), to aid in the detection of security smells in IaC scripts.
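To make the detection idea concrete, here is a minimal security-smell linter for Puppet-style manifests. This is an added example written for this article; it is not code from the original post nor from the SLIC or SLAC projects. The smell names are the seven that Rahman et al. report for Puppet (admin by default, empty password, hard-coded secret, invalid IP address binding, suspicious comment, use of HTTP without TLS, use of weak cryptography algorithms) plus the two added by the replication study (missing default in case statement, no integrity check). The regular expressions, the brace-matching block scanner and the sample manifest are all simplified constructs of this example, so they are heuristics rather than the rules the real linters implement.

```python
"""Minimal security-smell linter for Puppet-style IaC manifests (added example).

The smell names follow the categories reported by Rahman et al.; the
matching rules are simplified heuristics written for this example and are
not the rules implemented in SLIC or SLAC.
"""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    line: int
    smell: str
    text: str


# Line-level heuristics (simplified, written for this example).
CREDENTIAL = re.compile(
    r"(\w*(?:password|passwd|secret|api_key|token)\w*)\s*=>\s*['\"]([^'\"]*)['\"]", re.I)
ADMIN_USER = re.compile(
    r"\b(user|username|owner)\s*=>\s*['\"](root|admin|administrator)['\"]", re.I)
BIND_ALL = re.compile(r"['\"]0\.0\.0\.0['\"]")
PLAIN_HTTP = re.compile(r"['\"]http://", re.I)
WEAK_CRYPTO = re.compile(r"\b(md5|sha1)(sum)?\b|\brc4\b", re.I)
SUSPICIOUS_COMMENT = re.compile(r"#.*\b(todo|fixme|hack|bug)\b", re.I)

# Block-level heuristics: a `case` with no `default:` arm, and a file-like
# resource that downloads over http(s) without a checksum attribute.
CASE_HEAD = re.compile(r"\bcase\b[^{]*\{")
DOWNLOAD_HEAD = re.compile(r"\b(file|archive|remote_file)\s*\{")
HTTP_SOURCE = re.compile(r"\bsource\s*=>\s*['\"]https?://", re.I)


def _brace_blocks(text, head):
    """Yield (line_no, body) for each `head ... { body }`, matching nested
    braces so the whole block is returned (braces inside strings are not
    special-cased; this is a heuristic, not a parser)."""
    for m in head.finditer(text):
        open_at = m.end() - 1
        depth = 0
        for i in range(open_at, len(text)):
            if text[i] == "{":
                depth += 1
            elif text[i] == "}":
                depth -= 1
                if depth == 0:
                    yield text.count("\n", 0, m.start()) + 1, text[open_at + 1:i]
                    break


def lint(script):
    """Return all findings for a manifest, ordered by line number."""
    findings = []
    for no, line in enumerate(script.splitlines(), start=1):
        cred = CREDENTIAL.search(line)
        if cred:
            smell = "empty password" if cred.group(2).strip() == "" else "hard-coded secret"
            findings.append(Finding(no, smell, line.strip()))
        for pattern, smell in (
            (ADMIN_USER, "admin by default"),
            (BIND_ALL, "invalid IP address binding"),
            (PLAIN_HTTP, "use of HTTP without TLS"),
            (WEAK_CRYPTO, "use of weak cryptography algorithm"),
            (SUSPICIOUS_COMMENT, "suspicious comment"),
        ):
            if pattern.search(line):
                findings.append(Finding(no, smell, line.strip()))
    for no, body in _brace_blocks(script, CASE_HEAD):
        if not re.search(r"\bdefault\s*:", body):
            findings.append(Finding(no, "missing default in case statement", "case block"))
    for no, body in _brace_blocks(script, DOWNLOAD_HEAD):
        if HTTP_SOURCE.search(body) and "checksum" not in body:
            findings.append(Finding(no, "no integrity check", "download without checksum"))
    return sorted(findings, key=lambda f: f.line)


# Constructed sample manifest exhibiting all nine smells (not from a real repository).
SAMPLE = """\
class app::db {
  # TODO: remove this hack before release
  mysql::server { 'db':
    root_password => 'P@ssw0rd',
    bind_address  => '0.0.0.0',
  }
  user { 'svc':
    username => 'admin',
    password => '',
  }
  file { '/opt/app/installer.sh':
    source => 'http://mirror.example.invalid/installer.sh',
  }
  case $facts['os']['family'] {
    'RedHat': { $pkg = 'httpd' }
    'Debian': { $pkg = 'apache2' }
  }
  exec { 'verify':
    command => '/usr/bin/md5sum /opt/app/installer.sh',
  }
}
"""

if __name__ == "__main__":
    for f in lint(SAMPLE):
        print(f"line {f.line:>3}: {f.smell:<36} {f.text}")
```

Running the script reports one finding per smell against the constructed manifest (the TODO comment, the literal root password, the 0.0.0.0 bind, the admin username, the empty password, the unchecked download, the plain-HTTP source, the case without a default arm, and the md5sum call). Pure regular expressions produce false positives and negatives on real manifests, which is why SLIC and SLAC work from a parsed representation of the script rather than raw text; the value of this sketch is in showing what a code reviewer is looking for before a script reaches production.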

Conclusions

The advantages provided by IaC scripts are quite evident. Before deploying to production, perform a thorough code review to ensure the scripts are free of security smells.

Related Work

1. Security Smells in Smart Contracts by Demir M, Alalfi M, Turetken O and Ferworn A, IEEE Xplore.

2. Security Smells in Android Inter-Component Communication (ICC) by Gadient P, Ghafari M, Frischknecht P and Nierstrasz O, ESE.

3. Share, but be Aware: Security Smells in Python Gists by Rahman M, Rahman A and Williams L, IEEE Xplore.

References

[1] A. Mishra and Z. Otaiwi, “DevOps and software quality: A systematic mapping,” Comput. Sci. Rev., vol. 38, p. 100308, 2020, doi: 10.1016/j.cosrev.2020.100308.

[2] J. Sandobalin, E. Insfran, and S. Abrahao, “On the effectiveness of tools to support infrastructure as code: Model-driven versus code-centric,” IEEE Access, vol. 8, pp. 17734–17761, 2020, doi: 10.1109/ACCESS.2020.2966597.

[3] A. Rahman, M. R. Rahman, C. Parnin, and L. Williams, “Security Smells in Ansible and Chef Scripts: A Replication Study,” ACM Trans. Softw. Eng. Methodol., vol. 30, no. 1, 2021, doi: 10.1145/3408897.

[4] A. Rahman, “The Seven Sins: Security Smells in Infrastructure as Code Scripts,” no. i, pp. 6–7, 2017.

This article is written by Abel Ombonyo, a Systems Security researcher at eKRAAL Innovation Hub with a keen eye for virtualization. Apart from research, he enjoys pen-testing vulnerable boxes.

He is social: Twitter & LinkedIn
