Propagation of Insecure Coding in Configuration Scripts
Abstract
Infrastructure as code (IaC) is the practice of automatically managing configurations following the recommended software development practices. With the rise of cloud computing and automation, IaC tools such as Ansible are becoming increasingly popular amongst practitioners. Despite the popularity of IaC tools, insecure coding patterns (ICPs), such as hard-coded passwords, can be unintentionally introduced into IaC scripts, which eventually can propagate across other repositories with IaC scripts. In our research, we investigate whether ICPs in IaC scripts are propagated from one repository to multiple repositories in the open source software (OSS) ecosystem. We use a tool called Security Linter for Infrastructure as Code (SLIC) to analyze and identify ICPs in repositories that are cloned from other repositories. We compare the resulting output from the SLIC tool to determine the propagation of ICPs for IaC scripts in OSS. We use graph theory to determine if ICPs have propagated from one repository to other repositories. Based on preliminary findings, we recommend that practitioners take the utmost security consideration for ICPs in IaC scripts, as they can propagate from one repository to another, creating large-scale propagation of ICPs in the OSS IaC ecosystem.
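The abstract describes a two-step method: lint each repository's IaC scripts for ICPs such as hard-coded passwords, then use the clone relationships between repositories as a graph to see where the same ICP reappears. The Python below is an added illustration of that method, not the authors' SLIC tool or its rule set. The Ansible-style snippets, the repository names and the clone graph are constructed for the example; the secret-key regex is a deliberately simplified stand-in for a linter rule. Findings are fingerprinted by hashing the key and literal value, so identical ICPs in different repositories get the same identifier without the secret itself being copied into reports.

```python
import hashlib
import re
from collections import deque

# Constructed sample Ansible-style task snippets, one per hypothetical repository.
# Repository names and contents are made up for this example.
REPOS = {
    "origin": """
- name: configure database
  mysql_user:
    name: app
    password: "s3cret-pass"
    priv: "*.*:ALL"
""",
    "clone-a": """
- name: configure database
  mysql_user:
    name: app
    password: "s3cret-pass"
    priv: "*.*:ALL"
""",
    "clone-b": """
- name: configure database
  mysql_user:
    name: app
    password: "{{ vault_db_password }}"
""",
    "clone-c": """
- name: configure database
  mysql_user:
    name: app
    password: "s3cret-pass"
""",
}

# Constructed clone relationships: parent -> children (who cloned from whom).
CLONE_GRAPH = {
    "origin": ["clone-a", "clone-b"],
    "clone-a": ["clone-c"],
    "clone-b": [],
    "clone-c": [],
}

# Keys that suggest a credential is being assigned. This is a simplified
# stand-in for a linter rule, not the actual pattern set used by SLIC.
SECRET_KEY = re.compile(
    r"^\s*(?P<key>[A-Za-z_]*(?:password|passwd|pwd|secret|token)[A-Za-z_]*)"
    r"\s*:\s*(?P<val>.+?)\s*$",
    re.IGNORECASE,
)


def is_literal(value: str) -> bool:
    """A value counts as hard-coded unless it is a Jinja expression/lookup."""
    v = value.strip().strip('"').strip("'")
    if not v:
        return False
    return not (v.startswith("{{") or v.startswith("{%"))


def find_hardcoded_secrets(script: str):
    """Return one finding per hard-coded secret assignment in a script.

    The fingerprint is a SHA-256 over the normalised key and literal value,
    so the same ICP in two repositories yields the same identifier.
    """
    findings = []
    for lineno, line in enumerate(script.splitlines(), start=1):
        m = SECRET_KEY.match(line)
        if not m or not is_literal(m.group("val")):
            continue
        key = m.group("key").lower()
        val = m.group("val").strip().strip('"').strip("'")
        fp = hashlib.sha256(f"{key}={val}".encode()).hexdigest()[:16]
        findings.append({"line": lineno, "key": key, "fingerprint": fp})
    return findings


def scan_all(repos):
    """Run the linter over every repository; {repo: [findings]}."""
    return {name: find_hardcoded_secrets(src) for name, src in repos.items()}


def propagation_paths(graph, scans, source):
    """Breadth-first search from `source` along clone edges.

    An edge is followed only if the child still carries an ICP fingerprint
    present in `source`; a repository that removed the ICP (e.g. moved the
    password into a vault) cannot have passed it on to its own clones.
    Returns {repo: path_from_source} for every repository that inherited it.
    """
    source_fps = {f["fingerprint"] for f in scans.get(source, [])}
    if not source_fps:
        return {}
    paths = {}
    queue = deque([(source, [source])])
    seen = {source}
    while queue:
        node, path = queue.popleft()
        for child in graph.get(node, []):
            if child in seen:
                continue
            seen.add(child)
            child_fps = {f["fingerprint"] for f in scans.get(child, [])}
            if child_fps & source_fps:
                paths[child] = path + [child]
                queue.append((child, path + [child]))
    return paths


if __name__ == "__main__":
    scans = scan_all(REPOS)
    for repo, path in propagation_paths(CLONE_GRAPH, scans, "origin").items():
        print(f"{repo}: ICP inherited via {' -> '.join(path)}")
```

Run against the constructed data, the scan flags the literal password in `origin`, `clone-a` and `clone-c` but not in `clone-b`, which replaced it with a vault lookup; the propagation search therefore reports `clone-a` and `clone-c` as inheriting the ICP from `origin`, with `clone-c` reached through `clone-a`. In a real study the clone graph would come from fork or commit-ancestry metadata and the scan from the actual linter output, but the comparison step is the same set intersection shown here.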