Security Smells em Infraestrutura como Código utilizando Docker (Security Smells in Infrastructure as Code using Docker)
Abstract
Infrastructure as Code (IaC) is an approach that allows an infrastructure to be created automatically. Docker is a popular tool for provisioning environments automatically from source code. When writing this configuration code, IT professionals may introduce Security Smells, which can lead to a security flaw. This work aims to propose Security Smells for the Docker ecosystem and to evaluate their security impact, so that they can be avoided. We analysed 1,500 Dockerfiles from GitHub repositories and found that the Security Smells proposed for Puppet also apply in the Docker context; in addition, we propose two new Security Smells for IaC scripts.
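The abstract states that the seven security smell categories Rahman et al. (2019) defined for Puppet scripts (admin by default, empty password, hard-coded secret, invalid IP address binding, suspicious comment, HTTP without TLS, weak cryptography) also show up in Dockerfiles. As an added illustration, not the paper's own tooling, dataset, or its two new smells (which the abstract does not name), the Python script below maps those seven categories onto Dockerfile instructions and runs them over two constructed Dockerfiles, one smelly and one corrected. The regular expressions, the decision to treat `$VAR` values as build-time input rather than hard-coded secrets, and the rule that a missing `USER` instruction counts as "admin by default" (Docker runs containers as root unless told otherwise) are this example's own choices.

```python
import re
import shlex
from collections import namedtuple

Finding = namedtuple("Finding", "smell line text")

# Dockerfile-flavoured patterns for the seven smell categories of Rahman et al. (2019).
# The exact regexes are this example's choice, not the paper's.
SECRET_KEY = re.compile(r"pass(word|wd)?|pwd|secret|token|api_?key|private_?key", re.I)
HTTP_URL = re.compile(r"\bhttp://\S+", re.I)
WEAK_CRYPTO = re.compile(r"\b(md5|sha1|rc4)\w*|\b(des|3des)\b", re.I)
INVALID_BIND = re.compile(r"\b0\.0\.0\.0\b")
SUSPICIOUS = re.compile(r"\b(todo|fixme|hack|bug|later)\b", re.I)
ADMIN_USER = re.compile(r"^(root|0)(:.*)?$")


def parse_dockerfile(text):
    """Return [(line_no, kind, body)] with kind 'comment' or 'instruction'.
    Backslash continuations are joined into one instruction, attributed to
    the physical line on which it starts."""
    items, buf, start = [], None, None
    for no, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if buf is None:
            if not line:
                continue
            if line.startswith("#"):
                items.append((no, "comment", line[1:].strip()))
                continue
            buf, start = "", no
        if line.endswith("\\"):
            buf += line[:-1].rstrip() + " "
            continue
        items.append((start, "instruction", buf + line))
        buf = None
    if buf is not None:  # continuation dangling at end of file
        items.append((start, "instruction", buf.strip()))
    return items


def split_kv(arg):
    """Split an ENV/ARG argument into (key, value) pairs: 'K=v K2=v2'
    (quotes honoured via shlex) or the legacy 'KEY value' form."""
    try:
        tokens = shlex.split(arg)
    except ValueError:  # unbalanced quotes: fall back to whitespace split
        tokens = arg.split()
    if not tokens:
        return []
    if "=" in tokens[0]:
        return [tuple(t.partition("=")[::2]) for t in tokens]
    return [(tokens[0], " ".join(tokens[1:]))]


def find_smells(text):
    """Run all seven checks over a Dockerfile; return Findings in file order."""
    findings, has_user = [], False
    for no, kind, body in parse_dockerfile(text):
        if kind == "comment":
            if SUSPICIOUS.search(body):
                findings.append(Finding("suspicious comment", no, body))
            continue
        parts = body.split(None, 1)
        instr, arg = parts[0].upper(), (parts[1] if len(parts) > 1 else "")
        if instr in ("ENV", "ARG"):
            for key, value in split_kv(arg):
                if not SECRET_KEY.search(key):
                    continue
                if instr == "ENV" and value == "":
                    findings.append(Finding("empty password", no, body))
                elif value and not value.startswith("$"):  # $VAR is injected at build time
                    findings.append(Finding("hard-coded secret", no, body))
        elif instr == "USER":
            has_user = True
            if ADMIN_USER.match(arg.strip()):
                findings.append(Finding("admin by default", no, body))
        if HTTP_URL.search(body):
            findings.append(Finding("HTTP without TLS", no, body))
        if WEAK_CRYPTO.search(body):
            findings.append(Finding("weak cryptography", no, body))
        if INVALID_BIND.search(body):
            findings.append(Finding("invalid IP address binding", no, body))
    if not has_user:  # Docker runs the container as root unless USER says otherwise
        findings.append(Finding("admin by default", 0, "no USER instruction"))
    return findings


# Constructed samples for this example (not taken from the paper's dataset).
SMELLY_DOCKERFILE = """\
FROM ubuntu:18.04
# TODO: remove this hack before release
ENV DB_PASSWORD=s3cr3t
ENV ADMIN_PASSWORD=
RUN curl -o /tmp/app.tgz \\
    http://example.com/app.tgz
RUN md5sum /tmp/app.tgz
USER root
EXPOSE 5000
CMD ["python", "app.py", "--bind", "0.0.0.0:5000"]
"""

HARDENED_DOCKERFILE = """\
FROM ubuntu:18.04
# the database password is mounted at /run/secrets/db_password at runtime
RUN curl -o /tmp/app.tgz https://example.com/app.tgz \\
    && sha256sum -c /tmp/app.tgz.sha256
RUN useradd --system --no-create-home app
USER app
EXPOSE 5000
CMD ["python", "app.py", "--bind", "127.0.0.1:5000"]
"""

if __name__ == "__main__":
    for name, df in (("smelly", SMELLY_DOCKERFILE), ("hardened", HARDENED_DOCKERFILE)):
        print(f"== {name} ==")
        for f in find_smells(df):
            print(f"  line {f.line:>2}: {f.smell}: {f.text}")
```

Each instruction in the smelly file triggers exactly one category, and the hardened file triggers none: secrets move to a runtime-mounted file, the download uses HTTPS and is verified with SHA-256, the process drops to an unprivileged user, and the service binds to loopback. A real scanner would also have to decide whether a `$VAR` reference is itself fed from a hard-coded `ARG` default earlier in the file; this example deliberately stops at the single-instruction level.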
References
Chang, W. (2017). IBM Data Science Experience: Whole-cluster privilege escalation disclosure. Accessed: 06/06/2019.
Cito, J., Schermann, G., Wittern, J. E., Leitner, P., Zumberi, S., and Gall, H. C. (2017). An empirical analysis of the Docker container ecosystem on GitHub. In 2017 IEEE/ACM 14th International Conference on Mining Software Repositories (MSR), pages 323–333, Buenos Aires, Argentina. IEEE.
Duarte, A. and Antunes, N. (2018). An empirical study of Docker vulnerabilities and of static code analysis applicability. In 2018 8th Latin-American Symposium on Dependable Computing (LADC), pages 27–36, Foz do Iguaçu, PR. LADC.
Fowler, M. (2016). Infrastructure as code. https://martinfowler.com/bliki/InfrastructureAsCode.html. Accessed: 25/05/2019.
Ghafari, M., Gadient, P., and Nierstrasz, O. (2017). Security smells in Android. In 2017 IEEE 17th International Working Conference on Source Code Analysis and Manipulation (SCAM), pages 121–130, Shanghai, China. IEEE.
Gomes, R. (2019). Docker para Desenvolvedores. Leanpub, Salvador, Bahia, 1st edition.
MITRE (2008). CWE - Common Weakness Enumeration. https://cwe.mitre.org/index.html. Accessed: 10/06/2019.
Mutaf, P. (1999). Defending against a denial-of-service attack on tcp. In International Symposium on Recent Advances in Intrusion Detection (RAID).
Pahl, C., Brogi, A., Soldani, J., and Jamshidi, P. (2017). Cloud container technologies: a state-of-the-art review.
Ragan, S. (2016). MongoDB configuration error exposed 93 million Mexican voter records. Accessed: 06/06/2019.
Rahman, A., Parnin, C., and Williams, L. (2019). The seven sins: Security smells in infrastructure as code scripts. In Proceedings of the 41st International Conference on Software Engineering, Montreal, QC, Canada. ACM.
Published
13/10/2020
How to Cite
FERNANDES, Daniel David; AYRES, Lucas Dantas Gama; SANT'ANNA, Cláudio Nogueira. Security Smells em Infraestrutura como Código utilizando Docker. In: SIMPÓSIO BRASILEIRO DE SEGURANÇA DA INFORMAÇÃO E DE SISTEMAS COMPUTACIONAIS (SBSEG), 20., 2020, Petrópolis. Anais [...]. Porto Alegre: Sociedade Brasileira de Computação, 2020. p. 496-501. DOI: https://doi.org/10.5753/sbseg.2020.19261.