17 research outputs found
Herramientas de infraestructura como código: Ansible, Terrafom, Chef, Puppet
Infrastructure tools such as code (IaC) allow the tasks performed by IT departments to be automated quickly and dynamically through the use of scripting languages, which allow managing, creating, manipulating and distributing multiple large-scale computing resources within of Cloud Computing infrastructure. Infrastructure tools such as Ansible code, Terrafom, Chef, Puppet, generate a virtual representation of all the physical and scalable infrastructure of a Cloud Computing and Data Center platform, making it easy to program and dynamic.Las herramientas de Infraestructura como código (IaC) permiten automatizar las tareas realizadas por los departamentos de IT de forma rápida y dinámica mediante el uso de lenguajes de programación de scripts, que permiten administrar, crear, manipular y distribuir múltiples recursos informáticos a gran escala dentro de una infraestructura de Cloud Computing. Las herramientas de Infraestructura como código Ansible, Terrafom, Chef, Puppet generan una representación virtual de toda la infraestructura física y escalable de una plataforma Cloud Computing y de Centro de Datos, facilitando que esta sea programable y dinámica. 
Detecting and Characterizing Propagation of Security Weaknesses in Puppet-based Infrastructure Management
Despite being beneficial for managing computing infrastructure automatically,
Puppet manifests are susceptible to security weaknesses, e.g., hard-coded
secrets and use of weak cryptography algorithms. Adequate mitigation of
security weaknesses in Puppet manifests is thus necessary to secure computing
infrastructure that are managed with Puppet manifests. A characterization of
how security weaknesses propagate and affect Puppet-based infrastructure
management, can inform practitioners on the relevance of the detected security
weaknesses, as well as help them take necessary actions for mitigation. To that
end, we conduct an empirical study with 17,629 Puppet manifests mined from 336
open source repositories. We construct Taint Tracker for Puppet Manifests
(TaintPup), for which we observe 2.4 times more precision compared to that of a
state-of-the-art security static analysis tool. TaintPup leverages
Puppet-specific information flow analysis using which we characterize
propagation of security weaknesses. From our empirical study, we observe
security weaknesses to propagate into 4,457 resources, i.e, Puppet-specific
code elements used to manage infrastructure. A single instance of a security
weakness can propagate into as many as 35 distinct resources. We observe
security weaknesses to propagate into 7 categories of resources, which include
resources used to manage continuous integration servers and network
controllers. According to our survey with 24 practitioners, propagation of
security weaknesses into data storage-related resources is rated to have the
most severe impact for Puppet-based infrastructure management.Comment: 14 pages, currently under revie
Exploring Security Practices in Infrastructure as Code: An Empirical Study
Cloud computing has become popular thanks to the widespread use of
Infrastructure as Code (IaC) tools, allowing the community to conveniently
manage and configure cloud infrastructure using scripts. However, the scripting
process itself does not automatically prevent practitioners from introducing
misconfigurations, vulnerabilities, or privacy risks. As a result, ensuring
security relies on practitioners understanding and the adoption of explicit
policies, guidelines, or best practices. In order to understand how
practitioners deal with this problem, in this work, we perform an empirical
study analyzing the adoption of IaC scripted security best practices. First, we
select and categorize widely recognized Terraform security practices
promulgated in the industry for popular cloud providers such as AWS, Azure, and
Google Cloud. Next, we assess the adoption of these practices by each cloud
provider, analyzing a sample of 812 open-source projects hosted on GitHub. For
that, we scan each project configuration files, looking for policy
implementation through static analysis (checkov). Additionally, we investigate
GitHub measures that might be correlated with adopting these best practices.
The category Access policy emerges as the most widely adopted in all providers,
while Encryption in rest are the most neglected policies. Regarding GitHub
measures correlated with best practice adoption, we observe a positive, strong
correlation between a repository number of stars and adopting practices in its
cloud infrastructure. Based on our findings, we provide guidelines for cloud
practitioners to limit infrastructure vulnerability and discuss further aspects
associated with policies that have yet to be extensively embraced within the
industry.Comment: 50 pages, 13 figures, 10 table
On the Effectiveness of Tools to Support Infrastructure as Code: Model-Driven Versus Code-Centric
[EN] Infrastructure as Code (IaC) is an approach for infrastructure automation that is based on software development practices. The IaC approach supports code-centric tools that use scripts to specify the creation, updating and execution of cloud infrastructure resources. Since each cloud provider offers a different type of infrastructure, the definition of an infrastructure resource (e.g., a virtual machine) implies writing several lines of code that greatly depend on the target cloud provider. Model-driven tools, meanwhile, abstract the complexity of using IaC scripts through the high-level modeling of the cloud infrastructure. In a previous work, we presented an infrastructure modeling approach and tool (Argon) for cloud provisioning that leverages model-driven engineering and supports the IaC approach. The objective of the present work is to compare a model-driven tool (Argon) with a well-known code-centric tool (Ansible) in order to provide empirical evidence of their effectiveness when defining the cloud infrastructure, and the participants & x2019; perceptions when using these tools. We, therefore, conducted a family of three experiments involving 67 Computer Science students in order to compare Argon with Ansible as regards their effectiveness, efficiency, perceived ease of use, perceived usefulness, and intention to use. We used the AB/BA crossover design to configure the individual experiments and the linear mixed model to statistically analyze the data collected and subsequently obtain empirical findings. The results of the individual experiments and meta-analysis indicate that Argon is more effective as regards supporting the IaC approach in terms of defining the cloud infrastructure. The participants also perceived that Argon is easier to use and more useful for specifying the infrastructure resources. Our findings suggest that Argon accelerates the provisioning process by modeling the cloud infrastructure and automating the generation of scripts for different DevOps tools when compared to Ansible, which is a code-centric tool that is greatly used in practice.This work was supported by the Ministry of Science, Innovation, and Universities (Adapt@Cloud project), Spain, under Grant TIN2017-84550-R. The work of Julio Sandobalin was supported by the Escuela Politecnica Nacional, Ecuador.Sandobalín, J.; Insfran, E.; Abrahao Gonzales, SM. (2020). On the Effectiveness of Tools to Support Infrastructure as Code: Model-Driven Versus Code-Centric. IEEE Access. 8:17734-17761. https://doi.org/10.1109/ACCESS.2020.2966597S1773417761