Thursday, January 17, 2019

Seven Sins: Security Smells in Infrastructure as Code Scripts

Back in 2016, I was looking into some Puppet scripts for my PhD work. I noticed some hard-coded passwords and private keys. This got me thinking: how frequently does this happen? are there other security weaknesses that happen in Puppet scripts?

This got me motivated to find out potential security weaknesses in Puppet scripts. I call them 'security smells' i.e. coding patterns that are indicative of security weaknesses. I looked into a set of 1,726 open source Puppet scripts to find out coding patterns that can be mapped to security weaknesses, as determined by CWE (

I found seven security smells:
  1. Admin by default: This smell is the recurring pattern of specifying default users as administrative users. 
  2. Empty password: This smell is the recurring pattern of using a string of length zero for a password. An empty password is indicative of a weak password.
  3. Hard-coded secret: This smell is the recurring pattern of revealing sensitive information such as user name and passwords as configurations in IaC scripts.
  4. Invalid IP address binding: This smell is the recurring pattern of assigning the address for a database server or a cloud service/instance. Binding to the address may cause security concerns as this address can allow connections from every possible network.
  5. Suspicious comment: This smell is the recurring pattern of putting information in comments about the presence of defects, missing functionality, or weakness of the system. 
  6. Use of HTTP Without TLS: This smell is the recurring pattern of using HTTP without the Transport Layer Security (TLS). Such use makes the communication between two entities less secure, as without TLS, use of HTTP is susceptible to man-in-the-middle attacks. 
  7. Use of Weak Crypto. Algorithms: This smell is the recurring pattern of using weak cryptography algorithms, such as MD4 and SHA-1 for encryption purposes. MD5 suffers from security problems, as demonstrated by the Flame malware in 2012. MD5 is susceptible to collision attacks and modular differential attacks. 
I constructed a tool called Security Linter for Infrastructure as Code (SLIC) to automatically identify these security smells. SLIC uses rules to detect these security smells. You can find SLIC's source code here: If you want to use the tool we also have a Docker image available with instructions:  

I also used to SLIC to find out security smells in Puppet scripts hosted on GitHub. I saw 21,201 occurrences of security smells in 15,232 Puppet scripts. Of these 21,201 smell occurrences there were 1,326 occurrences of hard-coded passwords. I also saw security smells to have a long lifetime, e.g., a hard-coded secret can persist for as long as 98 months.

You can find more in our recently accepted paper at the International Conference on Software Engineering (ICSE) 2019:

Currently we are working to extend the tool for two other languages: Chef and Ansible.