On the Understandability of Design-Level Security Practices in Infrastructure-as-Code Scripts and Deployment Architectures

Bibliographic Details
Title: On the Understandability of Design-Level Security Practices in Infrastructure-as-Code Scripts and Deployment Architectures
Authors: Ntentos, Evangelos; Lueger, Nicole Elisabeth; Simhandl, Georg; Zdun, Uwe; Schneider, Simon; Scandariato, Riccardo; Díaz Ferreyra, Nicolás E.
Source: ACM Transactions on Software Engineering and Methodology. 34:1-37
Publisher Information: Association for Computing Machinery (ACM), 2024.
Publication Year: 2024
Subject Terms: Software architectures, 102022 Softwareentwicklung, empirical software engineering, controlled experiment, Infrastructure as code, best practices, modeling, Distributed systems organizing principles, 102022 Software development, Software security engineering
Description: Infrastructure as Code (IaC) automates IT infrastructure deployment, which is particularly beneficial for continuous releases, for instance, in the context of microservices and cloud systems. Despite its flexibility in application architecture, neglecting security can lead to vulnerabilities. The lack of comprehensive architectural security guidelines for IaC poses challenges in adhering to best practices. We studied how developers interpret IaC scripts (source code) in two IaC technologies, Ansible and Terraform, compared to semi-formal IaC deployment architecture models and metrics regarding design-level security understanding. In a controlled experiment involving ninety-four participants, we assessed the understandability of IaC-based deployment architectures through source code inspection compared to semi-formal representations in models and metrics. We hypothesized that providing semi-formal IaC deployment architecture models and metrics as supplementary material would significantly improve the comprehension of IaC security-related practices, as measured by task correctness. Our findings suggest that semi-formal IaC deployment architecture models and metrics as supplementary material enhance the understandability of IaC security-related practices without significantly increasing duration. We also observed a significant correlation between task correctness and duration when models and metrics were provided.
Document Type: Article
File Description: application/pdf
Language: English
ISSN: 1557-7392, 1049-331X
DOI: 10.1145/3691630
DOI: 10.15480/882.14169
Rights: CC BY
Accession Number: edsair.doi.dedup.....77cc43f769d08fedc5dc6392b9c1c1fb
Database: OpenAIRE