M7-SECURITY WEAKNESS IN INFRASTRUCTURE AS CODE (IAC) SCRIPTS

Description

Chef, Puppet, Ansible, Terraform and SaltStack scripts that automatically set up and manage the infrastructure of technology systems are called infrastructure as code (IaC). This module covers identifying security weaknesses in such scripts, such as hard-coded passwords, hard-coded secrets, weak cryptography, and files granted full permissions.

Courses Where This Module Is Integrated

Activities 

Pre-lab Content Dissemination

A security weakness is an error or flaw, such as an insecure coding pattern, that can lead to a vulnerability. A security weakness, such as a hard-coded secret, can be propagated to other parts of the program. A flow analysis is a process for identifying how a security weakness, such as an insecure coding pattern, propagates within a software system.


In-class Hands-on Experience (using Mac)

Install Poetry and the tool's dependencies:

brew install poetry

poetry install

Save the following Ansible task as test.yaml (it deliberately grants full permissions on /app so that the scanner has something to flag):

---
- name: create an app with full permission
  file:
    path: /app
    owner: foo
    group: foo
    mode: "0777"

Run GLITCH against it:

poetry run glitch --tech ansible --csv test.yaml

Post Lab Experience

The use of specific keywords such as hack, fixme, todo, bug, and later in comments can reveal missing security functionality and the presence of bugs (CWE-546). In the following figure, we demonstrate the steps for automatically identifying suspicious comments in Ansible scripts.
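To show how such checks work in practice, here is a small added scanner that covers both the weaknesses listed in the module description (a world-writable file mode and a hard-coded secret) and the CWE-546 suspicious-comment check above. It is example code written for this page, not GLITCH's implementation or part of the module's materials. It uses only the Python standard library, splits YAML comments by hand instead of relying on PyYAML, and the sample playbook, the list of secret-bearing key names, and the file name test.yaml are constructed assumptions.

```python
"""Minimal line-based security-smell scanner for Ansible YAML (added example).

Not GLITCH's code. Standard library only; no PyYAML needed. Flags three smells
discussed in the module: world-writable file modes, hard-coded secrets, and
suspicious comments (CWE-546).
"""
import re
from typing import Dict, List, Optional, Tuple

# Constructed sample playbook with one instance of each weakness.
SAMPLE_PLAYBOOK = """\
---
- name: create an app with full permission
  file:
    path: /app
    owner: foo
    group: foo
    mode: "0777"

- name: configure database user
  # TODO: move this to vault later
  mysql_user:
    name: app
    password: "s3cret-value"   # hack until we have vault
"""

# Keywords from the module text, matched as whole words so "debug" does not
# trigger on "bug".
SUSPICIOUS_RE = re.compile(r"\b(hack|fixme|todo|bug|later)\b", re.IGNORECASE)

# Assumed key names that usually hold credentials; prefixes/suffixes allowed
# (db_password, aws_secret_key, ...).
SECRET_KEY_RE = re.compile(
    r"^\s*(?P<key>[\w.-]*(?:password|passwd|secret|token|api_key|private_key)[\w.-]*)"
    r"\s*:\s*(?P<value>\S.*)$",
    re.IGNORECASE,
)

# Octal mode as written for Ansible's file/copy/template modules.
MODE_RE = re.compile(r"""^\s*mode:\s*["']?(?P<mode>0?[0-7]{3,4})["']?\s*$""")


def split_comment(line: str) -> Tuple[str, Optional[str]]:
    """Split a YAML line into (code, comment); comment is None if absent.

    A '#' starts a comment only outside quotes and when it is at the start of
    the line or preceded by whitespace ('a#b' is a plain scalar).
    """
    quote = None
    for i, ch in enumerate(line):
        if quote:
            if ch == quote:
                quote = None
        elif ch in ("'", '"'):
            quote = ch
        elif ch == "#" and (i == 0 or line[i - 1].isspace()):
            return line[:i], line[i + 1:].strip()
    return line, None


def is_literal_secret(value: str) -> bool:
    """True when the value is a plain literal, not a Jinja2 lookup or !vault blob."""
    v = value.strip().strip("'\"")
    if not v or v.lower() in ("null", "~"):
        return False
    return not (v.startswith("{{") or value.strip().startswith("!vault"))


def analyze(text: str) -> Dict[str, list]:
    """Return findings keyed by smell; each finding is (1-based line, detail)."""
    findings: Dict[str, list] = {
        "permissive_modes": [],
        "hardcoded_secrets": [],
        "suspicious_comments": [],
    }
    for lineno, raw in enumerate(text.splitlines(), start=1):
        code, comment = split_comment(raw)
        if comment is not None:
            words = tuple(w.lower() for w in SUSPICIOUS_RE.findall(comment))
            if words:
                findings["suspicious_comments"].append((lineno, words))
        m = MODE_RE.match(code)
        if m and int(m.group("mode"), 8) & 0o002:  # "others" have write access
            findings["permissive_modes"].append((lineno, m.group("mode")))
        m = SECRET_KEY_RE.match(code)
        if m and is_literal_secret(m.group("value")):
            findings["hardcoded_secrets"].append((lineno, m.group("key")))
    return findings


def format_report(findings: Dict[str, list], path: str = "test.yaml") -> List[str]:
    """Render findings as 'path:line: message' strings ordered by line."""
    rows = []
    for lineno, mode in findings["permissive_modes"]:
        rows.append((lineno, f"{path}:{lineno}: world-writable file mode {mode}"))
    for lineno, key in findings["hardcoded_secrets"]:
        rows.append((lineno, f"{path}:{lineno}: hard-coded secret in key '{key}'"))
    for lineno, words in findings["suspicious_comments"]:
        rows.append((lineno, f"{path}:{lineno}: suspicious comment (CWE-546): {', '.join(words)}"))
    return [msg for _, msg in sorted(rows)]


if __name__ == "__main__":
    for line in format_report(analyze(SAMPLE_PLAYBOOK)):
        print(line)
```

Running it on the constructed playbook reports the 0777 mode on the file task, the literal password on the mysql_user task, and the two comments containing todo, later and hack. Because the scanner works line by line, it treats Jinja2 expressions and !vault-tagged values as acceptable and only reports plain literals; a full tool like GLITCH parses the YAML into a model first, which is what lets it follow values across tasks rather than inspecting one line at a time.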