Security Smells in Infrastructure as Code using Docker

  • Daniel David Fernandes UFBA
  • Lucas Dantas Gama Ayres UFBA
  • Cláudio Nogueira Sant’Anna UFBA

Abstract

Infrastructure as Code (IaC) is an approach in which infrastructure is provisioned automatically from source code. Docker is a popular tool for provisioning environments this way. While writing configuration code, IT practitioners can introduce Security Smells, which can open a security hole. This work proposes Security Smells for the Docker ecosystem and assesses their security impact so that they can be avoided. We analyzed 1500 Dockerfiles from GitHub repositories and verified that the Security Smells previously proposed for Puppet also apply to the Docker context; we also propose two new Security Smells for IaC scripts.
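As an added illustration (not code from the paper), the following Python script scans a Dockerfile for the seven Security Smells that Rahman, Parnin and Williams (2019) catalogued for Puppet scripts, applied line by line to Dockerfile instructions. The sample Dockerfile and the regex heuristics are constructed assumptions; the two new smells the paper proposes are not named in this abstract, so they are not included.

```python
import re

# Constructed sample Dockerfile (not from the paper) that exhibits one instance
# of each of the seven smells Rahman et al. (2019) defined for Puppet scripts.
SAMPLE_DOCKERFILE = """\
FROM ubuntu:18.04
# TODO: remove this hack before release
ENV DB_PASSWORD=s3cr3t
ENV ROOT_PASSWORD=""
RUN curl http://example.com/install.sh | sh
RUN openssl dgst -md5 /tmp/install.sh
USER root
CMD ["python3", "app.py", "--host", "0.0.0.0"]
"""

# One line-level heuristic per smell. These are illustrative regexes assumed
# here, not the paper's detection rules; they favour simplicity over precision.
SMELL_PATTERNS = {
    "admin_by_default": re.compile(r"^\s*USER\s+(root|0)\b", re.I),
    "empty_password": re.compile(r"(PASSWORD|PASSWD|PWD)\s*=\s*(\"\"|''|$)", re.I),
    "hard_coded_secret": re.compile(
        r"(PASSWORD|PASSWD|SECRET|API_KEY|TOKEN)\s*=\s*(?!\"\"|'')\S+", re.I),
    "invalid_ip_binding": re.compile(r"\b0\.0\.0\.0\b"),
    "suspicious_comment": re.compile(r"^\s*#.*\b(TODO|FIXME|HACK|BUG)\b", re.I),
    "http_without_tls": re.compile(r"\bhttp://", re.I),
    "weak_crypto": re.compile(r"\b(md5|sha1|rc4)\b", re.I),
}


def scan_dockerfile(text):
    """Return (line_number, smell_name, line) for every hit, in file order."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for smell, pattern in SMELL_PATTERNS.items():
            if pattern.search(line):
                findings.append((lineno, smell, line.rstrip()))
    return findings


def smell_summary(text):
    """Count hits per smell, so many Dockerfiles can be compared at a glance."""
    counts = {smell: 0 for smell in SMELL_PATTERNS}
    for _, smell, _ in scan_dockerfile(text):
        counts[smell] += 1
    return counts


if __name__ == "__main__":
    for lineno, smell, line in scan_dockerfile(SAMPLE_DOCKERFILE):
        print(f"line {lineno}: {smell}: {line}")
```

Running the script on a directory of Dockerfiles and aggregating `smell_summary` per file is the kind of repository-scale count the paper's analysis of 1500 Dockerfiles reports.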

References

Chang, W. (2017). IBM Data Science Experience: whole-cluster privilege escalation disclosure. Accessed: 06/06/2019.

Cito, J., Schermann, G., Wittern, J. E., Leitner, P., Zumberi, S., and Gall, H. C. (2017). An empirical analysis of the Docker container ecosystem on GitHub. In 2017 IEEE/ACM 14th International Conference on Mining Software Repositories (MSR), pages 323–333, Buenos Aires, Argentina. IEEE.

Duarte, A. and Antunes, N. (2018). An empirical study of Docker vulnerabilities and of static code analysis applicability. In 2018 8th Latin-American Symposium on Dependable Computing (LADC), pages 27–36, Foz do Iguaçu, PR. LADC.

Fowler, M. (2016). Infrastructure as code. https://martinfowler.com/bliki/InfrastructureAsCode.html. Accessed: 25/05/2019.

Ghafari, M., Gadient, P., and Nierstrasz, O. (2017). Security smells in Android. In 2017 IEEE 17th International Working Conference on Source Code Analysis and Manipulation (SCAM), pages 121–130, Shanghai, China. IEEE.

Gomes, R. (2019). Docker para Desenvolvedores. Leanpub, Salvador, Bahia, 1st edition.

MITRE (2008). CWE: Common Weakness Enumeration. https://cwe.mitre.org/index.html. Accessed: 10-06-2019.

Mutaf, P. (1999). Defending against a denial-of-service attack on TCP. In International Symposium on Recent Advances in Intrusion Detection (RAID).

Pahl, C., Brogi, A., Soldani, J., and Jamshidi, P. (2017). Cloud container technologies: a state-of-the-art review.

Ragan, S. (2016). MongoDB configuration error exposed 93 million Mexican voter records. Accessed: 06/06/2019.

Rahman, A., Parnin, C., and Williams, L. (2019). The seven sins: Security smells in infrastructure as code scripts. In Proceedings of the 41st International Conference on Software Engineering, Montreal, QC, Canada. ACM.
Published: 2020-10-13

FERNANDES, Daniel David; AYRES, Lucas Dantas Gama; SANT'ANNA, Cláudio Nogueira. Security Smells em Infraestrutura como Código utilizando Docker. In: BRAZILIAN SYMPOSIUM ON CYBERSECURITY (SBSEG), 20., 2020, Petrópolis. Anais [...]. Porto Alegre: Sociedade Brasileira de Computação, 2020. p. 496-501. DOI: https://doi.org/10.5753/sbseg.2020.19261.