SoK: Static Configuration Analysis in Infrastructure as Code Scripts

Bibliographic Details
Published in: 2023 IEEE International Conference on Cyber Security and Resilience (CSR), pp. 281-288
Main Authors: Reddy Konala, Pandu Ranga; Kumar, Vimal; Bainbridge, David
Format: Conference Proceeding
Language: English
Published: IEEE, 31.07.2023
DOI: 10.1109/CSR57506.2023.10224925

Summary: This SoK paper presents findings from a survey conducted on the current state of tools and techniques used in the static configuration analysis of Infrastructure as Code (IaC). Our findings highlight the increasing importance of ensuring the quality of IaC scripts through techniques such as detecting code and security smells. Our findings reveal that regular expressions are widely used, but this may not be a long-term or fully automated solution for detecting smells. Additionally, our study found that the majority of the tools and techniques are developed for infrastructure provisioning, rather than configuration management and image building. This raises concerns because configuring software is a high-risk task, with malicious actors constantly targeting software systems. Therefore, it is crucial for researchers to develop efficient and advanced techniques for detecting defects in configuration management and image building. The aim of this paper is to provide a detailed overview of the current state of research in this field, and to identify areas for future development.
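The summary makes two claims a practitioner will want to see concretely: that per-line regular expressions are a brittle basis for smell detection, and that image building is under-served by current tooling. The following added example (written for this page; it is not code from the paper or from any tool the survey covers) contrasts a naive line-by-line regex scanner with an instruction-level detector over a constructed Dockerfile. The sample Dockerfile, the smell names and the regexes are the editor's assumptions chosen to expose the failure modes: a comment mentioning "password" triggers a false positive, a backslash continuation splits `curl ... | sh` across two lines so the regex misses it, and "no USER instruction, so the image runs as root" is a whole-file property that no per-line pattern can express at all.

```python
"""Security-smell detection in a Dockerfile: per-line regex vs. instruction-level parsing.

Added example, not from the paper. Sample input and smell patterns are assumptions.
"""
import re
import shlex

# Constructed sample input (not from any real project). Line numbers matter:
# 2 is a comment, 3-4 and 5-6 are single instructions split by continuations.
SAMPLE_DOCKERFILE = """\
FROM python:3.12-slim
# The password below is only a placeholder, never a real credential
ENV APP_MODE=production \\
    DB_PASSWORD=hunter2
RUN curl -sSL https://example.invalid/install.sh \\
    | sh
COPY . /app
CMD ["python", "/app/main.py"]
"""

# Assumed smell patterns (editor's choice, not any tool's rule set).
SECRET_KEY_RE = re.compile(r"(password|passwd|secret|token|api_?key|private_?key)", re.I)
PIPE_TO_SHELL_RE = re.compile(r"\b(curl|wget)\b.*\|\s*(sudo\s+)?(ba|z|da)?sh\b")


def naive_regex_findings(text):
    """Line-by-line regex scan, the style the survey reports as widespread.

    Returns (line number, smell name) pairs. Comments are not skipped and
    continuation lines are not joined, which is exactly what goes wrong.
    """
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        if SECRET_KEY_RE.search(line):
            findings.append((lineno, "hardcoded-secret"))
        if PIPE_TO_SHELL_RE.search(line):
            findings.append((lineno, "pipe-to-shell"))
    return findings


def parse_dockerfile(text):
    """Return [(line number of first line, INSTRUCTION, arguments)].

    Comment lines are dropped (also inside a continued instruction) and
    backslash continuations are joined, so each entry is one instruction.
    """
    instructions = []
    buf, start = [], None
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.rstrip()
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        if start is None:
            start = lineno
        if line.endswith("\\"):
            buf.append(line[:-1])
            continue
        buf.append(line)
        joined = " ".join(part.strip() for part in buf)
        parts = joined.split(None, 1)
        instructions.append((start, parts[0].upper(), parts[1] if len(parts) > 1 else ""))
        buf, start = [], None
    return instructions


def env_pairs(args):
    """Split ENV/ARG arguments into (key, value) pairs.

    Handles both 'KEY=value KEY2=value2' and the legacy 'KEY value' form.
    """
    tokens = shlex.split(args)
    if not tokens:
        return []
    if "=" in tokens[0]:
        return [tuple(tok.split("=", 1)) for tok in tokens if "=" in tok]
    return [(tokens[0], " ".join(tokens[1:]))]


def parsed_findings(text):
    """Instruction-level smell detection over the parsed Dockerfile."""
    findings = []
    instructions = parse_dockerfile(text)
    for lineno, ins, args in instructions:
        if ins in ("ENV", "ARG"):
            for key, value in env_pairs(args):
                # A value that is a variable reference is not a literal secret.
                if SECRET_KEY_RE.search(key) and value and not value.startswith("$"):
                    findings.append((lineno, "hardcoded-secret"))
        elif ins == "RUN" and PIPE_TO_SHELL_RE.search(args):
            findings.append((lineno, "pipe-to-shell"))
        elif ins == "ADD" and re.search(r"\bhttps?://", args):
            findings.append((lineno, "add-remote-url"))
    # Whole-file property: the image runs as root unless a non-root USER is set last.
    users = [args.strip() for _, ins, args in instructions if ins == "USER"]
    if not users or users[-1].split(":")[0] in ("root", "0"):
        findings.append((0, "runs-as-root"))
    return findings


if __name__ == "__main__":
    print("naive :", naive_regex_findings(SAMPLE_DOCKERFILE))
    print("parsed:", parsed_findings(SAMPLE_DOCKERFILE))
```

On the sample, the naive scanner reports a secret on lines 2 and 4 (the first is the comment) and nothing for the piped install, while the parsed detector reports the secret on the ENV instruction starting at line 3, the pipe-to-shell on the RUN at line 5, and the missing USER. The parser is deliberately minimal (no heredocs, no `# syntax=` directives, no parser-directive escape character), which is itself a reminder that robust detection for image building needs a real grammar rather than another regex.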