Title: 37th IEEE/ACM International Conference on Automated Software Engineering, ASE 2022, Rochester, MI, USA, October 10-14, 2022 Search for Conference Proceedings Publications

7th International Workshop on Sensor-Based Activity Recognition and Artificial Intelligence, iWOAR 2022

19 September 2022 through 20 September 2022

ISI Web of Knowledge - 0 Citations

Scopus

Authenticus ID: P-00X-VQ6

DOI: 10.1145/3551349.3560419

Abstract (EN): Infrastructure-as-Code (IaC) is a technology that enables the management and distribution of infrastructure through code instead of manual processes. In 2020, Palo Alto Network's Unit 42 announced the discovery of over 199K vulnerable IaC templates through their Cloud Threat Report. This report highlights the importance of tools to prevent vulnerabilities from reaching production. Unfortunately, we observed through a comprehensive study that a security linter for IaC scripts is not reliable yet-high false positive rates. Our approach to tackling this problem was to leverage community expertise to improve the precision of this tool. More precisely, we interviewed professional developers to collect their feedback on the root causes of imprecision of the state-of-the-art security linter for Puppet. From that feedback, we developed a linter adjusting 7 rules of an existing linter ruleset and adding 3 new rules. We conducted a new study with 131 practitioners, which helped us improve the tool's precision significantly and achieve a final precision of 83%. An important takeaway from this paper is that obtaining professional feedback is fundamental to improving the rules' precision and extending the rulesets, which is critical for the usefulness and adoption of lightweight tools, such as IaC security linters.

Language: English

Type (Professor's evaluation): Scientific

No. of pages: 12