Security Controls in Infrastructure As Code
Total Page:16
File Type:pdf, Size:1020Kb
FEATURE intend to shift some employees to ees-to-remote-work-permanently2. 4. ‘Mitigate risks with PKI’. DigiCert. remote work permanently’. Gartner, 3. Bissette, Hayleigh. ‘The threat Accessed Sep 2020. www.digicert. 3 Apr 2020. Accessed Sep 2020. of Covid-19 phishing attacks’. com/pki/. www.gartner.com/en/newsroom/ TheBusinessDesk, 7 Jul 2020. Accessed 5. ‘Behind the scenes of SSL cryptogra- press-releases/2020-04-03-gartner- Sep 2020. www.thebusinessdesk.com/ phy’. DigiCert. Accessed Sep 2020. cfo-surey-reveals-74-percent-of- yorkshire/news/2058462-the-threat-of- www.digicert.com/ssl-cryptography. organisations-to-shift-some-employ- covid-19-phishing-attacks. htm. Security controls in infrastructure as code Sadiq Almuairfi and Mamdouh Alenezi, Prince Sultan University Sadiq Almuairfi Mamdouh Alenezi The development, deployment and management of software applications have shifted dramatically in the past 10 years. This fundamental shift is what we now know as development operations (DevOps). Infrastructure as Code (IaC) is one for practitioners to study security smells of the main tenets of DevOps. Previously, manual configuration via cloud pro- in IaC scripts so that insecure coding viders’ UI consoles and physical hardware used to take place. But now, with the practices can be avoided. If we study the concept of IaC, the IT infrastructure can be automated by using blueprints that responses of the Common Weakness are easily readable by machines. Enumerator (CWE), it can be found that CWE considers hard-coded pass- To accomplish IaC, various programming Fowler introduced the concept of code words as a security weakness. According languages and tools must be used in order smell and according to them, code to CWE: “If hard-coded passwords are to define the infrastructure (network, serv- smells are flaws in code that may cause used, it is almost certain that malicious ers, storage). The ability to use practices problems.2 There might be no run-time users will gain access to the account in like code review, version control and unit errors while code smell is present but question.” Thus, even if a security smell testing impacts infrastructure automation the presence of code smell should be might not lead to a security breach at positively. Two of the biggest benefits that taken as an indication for improvement. the time of its discovery, proper atten- IaC implementation provides are com- Duplicate block (DB) smell is one such tion should be given to it and it should paratively rapid iterations and increased example of code smell that occurs when- be inspected whenever needed.4 speed of infrastructure deployment. The ever identical statements are repeated. usage of IaC scripts is really helpful for The results of various researches prove “Code smells are flaws practitioners in order to configure and that noting code smells is an appropriate in code that may cause provision their development environments. method of assessing the quality of pup- problems. There might be The scripts employed in IaC are also pet code. Puppet is a popular provision- no run-time errors while known as ‘Configuration as code scripts’ ing tool that helps write puppet codes code smell is present but or ‘configuration scripts.’ How beneficial and uses IaC in order to specify the the presence of code smell these IaC scripts are can be identified with desired state of the environment.3 should be taken as an the example of Fortune 500 company Since we know that IaC scripts are indication for improvement” Intercontinental Exchange (ICE). ICE uses used by practitioners to develop environ- IaC scripts to maintain 75% of its 20,000 ments and provision servers, there is a Writing the IaC code is quite a servers, which ultimately results in a time chance that they may introduce security complex task as it is basically done reduction of environment provisioning smells inadvertently. Security smells are by blending various infrastructure from one or two days to 21 minutes.1 simply recurring coding patterns or, in programming languages. Thus, some Although IaC has gained popularity in simpler terms, are basically measures that sort of approach is needed in order to recent years, when it comes to the qual- indicate security weakness. There is also create complex IaC designs that save ity of code, the research is very sparse. a possibility that the presence of secu- time not only when being designed This limited research has introduced the rity smells may lead to frequent security but also at the time of deployment and term ‘code smell’. Kent Beck and Martin breaches. Thus, it becomes necessary redeployment. Model-driven engineer- 13 October 2020 Computer Fraud & Security FEATURE ing (MDE) provides us with one such certain recurring coding patterns may ing these IaC scripts is also increased. approach – data-intensive continuous lead to weaknesses in security, indicating In order to exploit model-driven engi- engineering and rollout (Dicer) – that an increased chance of security breaches. neering (MDE), Artac et al attempted can be used to create language-agnostic In order to make sure that practitioners to create language-agnostic models that models that can be transformed into make no mistakes when developing IaC possess the capability to transform them- IaC. Dicer is a model-driven approach scripts, researchers conducted a study of selves into IaC scripts automatically. In and acts as a supporting tool for users security smells in IaC scripts. They made addition, the authors have shown that who wish to develop IaC for big data use of 1,726 IaC scripts through the a significant amount of time can be frameworks. Although Dicer doesn’t approach of qualitative analysis in order saved even while creating complex IaC support all of the well-known big data to find seven security smells. Among the by following the Dicer approach. Also, frameworks, it provides the benefit of 15,232 IaC scripts, the authors imple- the authors described the Ops activi- the addition of new frameworks.5 mented the SLIC (security linter for ties (server provisioning, monitoring, Similar to software source code, IaC infrastructure as code) tool to identify the self-adaptation, etc) required to deploy scripts can face many issues, making occurrence of each smell. Through their and operate cloud applications continu- these scripts susceptible to security research, Rahman et al in ‘The Seven ously. Speaking of Dicer, the key feature defects. Defects in IaC scripts can have Sins’ have tried to answer questions about it offers is that models that are written serious consequences, as these scripts are the type of security smells, their frequen- using the Dicer profile can be automati- associated with setting up and managing cy, lifetime and the opinion of practition- cally translated into IaC scripts. cloud-system infrastructure and ensur- ers about them. Apart from finding the The quality of code is important in ing the availability of software devices. answers to these questions, the authors any software project. Schwarz et al have For example, in early 2017, execution made sure that the results of the SLIC focused research on the quality of code of a defective IaC script removed the tool were properly evaluated and created while the concept of IaC is gaining home directories of around 270 cus- Oracle datasets in order to do that. popularity day by day, looking for flaws tomers in cloud instances maintained IaC uses blueprints that are easily read- in the quality of code – that is, code by Wikimedia.6 This evidence, plus able by machines. Schwarz et al have smells. In their research, the authors research studies, motivated us to care- discussed all the necessary elements and tried to apply code smells to different fully study the security of IaC, which is abstractions that are used in the writing technologies in order to investigate if the focus of this article. and maintenance of the blueprint of IaC. similar results could be achieved. To The authors seem to outline the benefits proceed with their research, the authors Related work of DevOps but at the same time keeping formulated two questions and by the IaC as the accelerating tactic for DevOps. application of code smells, tried to find Software teams are able to implement The standard that the authors have used the answers to those questions. The continuous deployment and make rapid for the expression is known as ‘topology questions were particularly concerned changes by the use of configuration as and orchestration specification for cloud with the applicability of puppet smells code (CaC) tools.7 The popularity of applications’ (Tosca). Tosca is defined as to other configuration management these tools is increasing day by day but an industrial practice language that is used tools and the existence of other pro- investigating the challenges faced by the for automated industrial deployment and gramming smells relevant to IaC. Also, programmers while using these tools and multi-cloud compliant applications. One the authors have proposed three types finding solutions to those challenges can other major benefit that Tosca offers is of code smells in the paper: technology be really helpful in identifying potential that it provides reusable nodes and edges. agnostic smells, technology-depend- technical challenges related to CaC. Also, the authors have discussed Dicer, ent smells and technology-specific We conducted research on what ques- which is a model-driven tool to quickly smells. The results obtained through tions are asked by the programmers about put together the infrastructure design for the research indicate the presence of CaC. In order to extract puppet-related a big data cloud application as a part of IaC smells in other technologies and questions asked by programmers on Stack continuous-data intensive architecting. tools. In order to be sure of the results Overflow from 2010 to 2016, qualita- obtained, the authors further evaluated tive analysis was applied.