Exploring Security Practices in Infrastructure as Code: An Empirical Study
- URL: http://arxiv.org/abs/2308.03952v1
- Date: Mon, 7 Aug 2023 23:43:32 GMT
- Title: Exploring Security Practices in Infrastructure as Code: An Empirical Study
- Authors: Alexandre Verdet, Mohammad Hamdaqa, Leuson Da Silva, Foutse Khomh
- Abstract summary: Cloud computing has become popular thanks to the widespread use of Infrastructure as Code (IaC) tools. However, the scripting process itself does not automatically prevent practitioners from introducing misconfigurations, vulnerabilities, or privacy risks. Ensuring security therefore relies on practitioners' understanding and adoption of explicit policies, guidelines, or best practices.
- License: http://arxiv.org/licenses/nonexclusive-distrib/1.0/
- Abstract: Cloud computing has become popular thanks to the widespread use of
Infrastructure as Code (IaC) tools, allowing the community to conveniently
manage and configure cloud infrastructure using scripts. However, the scripting
process itself does not automatically prevent practitioners from introducing
misconfigurations, vulnerabilities, or privacy risks. As a result, ensuring
security relies on practitioners' understanding and adoption of explicit
policies, guidelines, or best practices. In order to understand how
practitioners deal with this problem, in this work we perform an empirical
study analyzing the adoption of scripted IaC security best practices. First, we
select and categorize widely recognized Terraform security practices
promulgated in the industry for popular cloud providers such as AWS, Azure, and
Google Cloud. Next, we assess the adoption of these practices for each cloud
provider, analyzing a sample of 812 open-source projects hosted on GitHub. For
that, we scan each project's configuration files, looking for policy
implementation through static analysis (checkov). Additionally, we investigate
GitHub measures that might be correlated with adopting these best practices.
The category Access policy emerges as the most widely adopted across all providers,
while Encryption at rest is the most neglected category of policies. Regarding GitHub
measures correlated with best practice adoption, we observe a strong positive
correlation between a repository's number of stars and the adoption of practices in its
cloud infrastructure. Based on our findings, we provide guidelines for cloud
practitioners to limit infrastructure vulnerability and discuss further aspects
associated with policies that have yet to be extensively embraced within the
industry.
Related papers
- Authentication and identity management based on zero trust security model in micro-cloud environment (2024-10-29): The Zero Trust framework can better track and block external attackers while limiting security breaches resulting from insider attacks in the cloud paradigm. This paper focuses on authentication mechanisms, calculation of trust score, and generation of policies in order to establish required access control to resources.
- Knowledge Adaptation from Large Language Model to Recommendation for Practical Industrial Application (2024-05-07): Large Language Models (LLMs) pretrained on massive text corpora present a promising avenue for enhancing recommender systems. We propose an Llm-driven knowlEdge Adaptive RecommeNdation (LEARN) framework that synergizes open-world knowledge with collaborative knowledge.
- Securing the Open RAN Infrastructure: Exploring Vulnerabilities in Kubernetes Deployments (2024-05-03): We investigate the security implications of and software-based Open Radio Access Network (RAN) systems. We highlight the presence of potential vulnerabilities and misconfigurations in the infrastructure supporting the Near Real-Time RAN Controller (RIC) cluster.
- Leveraging AI Planning For Detecting Cloud Security Vulnerabilities (2024-02-16): Cloud computing services provide scalable and cost-effective solutions for data storage, processing, and collaboration. Access control misconfigurations are often the primary driver for cloud attacks. We develop a PDDL model for detecting security vulnerabilities which can, for example, lead to widespread attacks such as ransomware.
- Stratosphere: Finding Vulnerable Cloud Storage Buckets (2023-09-23): Misconfigured cloud storage buckets have leaked hundreds of millions of medical, voter, and customer records. These breaches are due to a combination of easily-guessable bucket names and error-prone security configurations. We introduce Stratosphere, a system that learns how buckets are named in practice in order to efficiently guess the names of vulnerable buckets.
- SpawnNet: Learning Generalizable Visuomotor Skills from Pre-trained Networks (2023-07-07): We present a study of the generalization capabilities of pre-trained visual representations at the categorical level. We propose SpawnNet, a novel two-stream architecture that learns to fuse pre-trained multi-layer representations into a separate network to learn a robust policy.
- Towards Confidential Computing: A Secure Cloud Architecture for Big Data Analytics and AI (2023-05-28): Cloud computing has become a viable solution for big data analytics and artificial intelligence. Data security in certain fields such as biomedical research remains a major concern when moving to the cloud.
- Language Model Decoding as Likelihood-Utility Alignment (2022-10-13): We introduce a taxonomy that groups decoding strategies based on their implicit assumptions about how well the model's likelihood is aligned with the task-specific notion of utility. Specifically, by analyzing the correlation between the likelihood and the utility of predictions across a diverse set of tasks, we provide the first empirical evidence supporting the proposed taxonomy.
- Using Constraint Programming and Graph Representation Learning for Generating Interpretable Cloud Security Policies (2022-05-02): Cloud security relies on Identity Access Management (IAM) policies that IT admins need to properly configure and periodically update. We develop a novel framework that encodes generating optimal IAM policies using constraint programming (CP). We show that our optimized IAM policies significantly reduce the impact of security attacks using real data from 8 commercial organizations, and synthetic instances.
- A Privacy-Preserving Distributed Architecture for Deep-Learning-as-a-Service (2020-03-30): This paper introduces a novel distributed architecture for deep-learning-as-a-service. It is able to preserve the user's sensitive data while providing Cloud-based machine and deep learning services.