Blogs (1) >>
ICSE 2019
Sat 25 - Fri 31 May 2019 Montreal, QC, Canada
Wed 29 May 2019 14:00 - 14:20 at Duluth - Security 2 Chair(s): Arie van Deursen

Practitioners use infrastructure as code (IaC) scripts to provision servers and development environments. While developing IaC scripts, practitioners may inadvertently introduce security smells. Security smells are recurring coding patterns that are indicative of security weakness and can potentially lead to security breaches. The goal of this paper is to help practitioners avoid insecure coding practices while developing infrastructure as code (IaC) scripts through an empirical study of security smells in IaC scripts. We apply qualitative analysis on 1,726 IaC scripts to identify seven security smells. Next, we implement and validate a static analysis tool called Security Linter for Infrastructure as Code scripts (SLIC) to identify the occurrence of each smell in 15,232 IaC scripts collected from 293 open source repositories. We identify 21,201 occurrences of security smells that include 1,326 occurrences of hard-coded passwords. We submitted bug reports for 1,000 randomly-selected security smell occurrences. We obtain 104 responses to these bug reports, of which 67 occurrences were accepted by the development teams to be fixed. We observe security smells can have a long lifetime, e.g., a hard-coded secret can persist for as long as 98 months, with a median lifetime of 20 months.

Wed 29 May

Displayed time zone: Eastern Time (US & Canada) change

14:00 - 15:30
14:00
20m
Talk
The Seven Sins: Security Smells in Infrastructure as Code ScriptsArtifacts AvailableACM SIGSOFT Distinguished Paper AwardTechnical TrackIndustry Program
Technical Track
Akond Rahman North Carolina State University, Chris Parnin NCSU, Laurie Williams North Carolina State University
Pre-print
14:20
20m
Talk
DifFuzz: Differential Fuzzing for Side-Channel AnalysisArtifacts AvailableArtifacts Evaluated ReusableTechnical Track
Technical Track
Shirin Nilizadeh University of Texas at Arlington, Yannic Noller Humboldt-Universität zu Berlin, Corina S. Pasareanu Carnegie Mellon University Silicon Valley, NASA Ames Research Center
Pre-print
14:40
10m
Talk
Detecting Suspicious Package UpdatesIndustry ProgramNIER
New Ideas and Emerging Results
Kalil Garrett Georgia State University, Gabriel Ferreira Carnegie Mellon University, Limin Jia Carnegie Mellon University, Joshua Sunshine Carnegie Mellon University, Christian Kästner Carnegie Mellon University
Pre-print
14:50
20m
Talk
EASYFLOW: Keep Ethereum Away From OverflowDemos
Demonstrations
Jianbo Gao Peking University, Han Liu Tsinghua University, Chao Liu , Qingshan Li Peking University, Zhi Guan Peking University, Zhong Chen
Pre-print Media Attached
15:10
10m
Talk
Automatic feature learning for predicting vulnerable software componentsIndustry ProgramJournal-First
Journal-First Papers
Hoa Khanh Dam University of Wollongong, Truyen Tran , Trang Pham Deakin University, Shien Wee Ng University of Wollongong, John Grundy Monash University, Aditya Ghose
Link to publication DOI Pre-print
15:20
10m
Talk
Discussion Period
Papers