On the Understandability of Design-Level Security Practices in Infrastructure-as-Code Scripts and Deployment Architectures-Reference-Cited by-同舟云学术

On the Understandability of Design-Level Security Practices in Infrastructure-as-Code Scripts and Deployment Architectures

Published:2024-09-11 Issue: Volume: Page:
ISSN:1049-331X
Container-title:ACM Transactions on Software Engineering and Methodology
language:en
Short-container-title:ACM Trans. Softw. Eng. Methodol.

Author:

Ntentos Evangelos¹^ORCID,Lueger Nicole Elisabeth²^ORCID,Simhandl Georg¹^ORCID,Zdun Uwe¹^ORCID,Schneider Simon³^ORCID,Scandariato Riccardo³^ORCID,Ferreyra Nicolás E. Díaz³^ORCID

Affiliation:

1. Research Group Software Architecture, Faculty of Computer Science, University of Vienna, Austria

2. University of Vienna, Faculty of Computer Science, Software Architecture Group, Doctoral School Computer Science, Austria

3. Institute of Software Security, Hamburg University of Technology, Germany

Abstract

Infrastructure as Code (IaC) automates IT infrastructure deployment, which is particularly beneficial for continuous releases, for instance, in the context of microservices and cloud systems. Despite its flexibility in application architecture, neglecting security can lead to vulnerabilities. The lack of comprehensive architectural security guidelines for IaC poses challenges in adhering to best practices. We studied how developers interpret IaC scripts (source code) in two IaC technologies, Ansible and Terraform, compared to semi-formal IaC deployment architecture models and metrics regarding design-level security understanding. In a controlled experiment involving ninety-four participants, we assessed the understandability of IaC-based deployment architectures through source code inspection compared to semi-formal representations in models and metrics. We hypothesized that providing semi-formal IaC deployment architecture models and metrics as supplementary material would significantly improve the comprehension of IaC security-related practices, as measured by task correctness . Our findings suggest that semi-formal IaC deployment architecture models and metrics as supplementary material enhance the understandability of IaC security-related practices without significantly increasing duration . We also observed a significant correlation between task correctness and duration when models and metrics were provided.

Publisher

Association for Computing Machinery (ACM)

Link

https://dl.acm.org/doi/pdf/10.1145/3691630

Reference76 articles.

1. K. Morris, Infrastructure as Code: Dynamic Systems for the Cloud. O’Reilly, 2020, vol. 2.

2. J. Humble and D. Farley, Continuous Delivery: Reliable Software Releases through Build, Test, and Deployment Automation. Addison-Wesley Professional, 2010.

3. M. Nygard Release It! Design and Deploy Production-Ready Software. Pragmatic Bookshelf 2007.

4. M. Artac, T. Borovssak, E. Di Nitto, M. Guerriero, and D. A. Tamburri, “Devops: Introducing infrastructure-as-code,” in 2017 IEEE/ACM 39th International Conference on Software Engineering Companion (ICSE-C), 2017, pp. 497–498.

5. Systematic analysis of infrastructure as code technologies;E. ÖZDOĞAN, O.;Gazi University Journal of Science Part A: Engineering and Innovation,2023