Security Smells in Ansible and Chef Scripts: A Replication Study
AKOND RAHMAN, Tennessee Technological University, USA
MD RAYHANUR RAHMAN, NC State University, USA
CHRIS PARNIN, NC State University, USA
LAURIE WILLIAMS, NC State University, USA
Context: Security smells are recurring coding patterns that are indicative of security weakness, and require further inspection. As
infrastructure as code (IaC) scripts, such as Ansible and Chef scripts, are used to provision cloud-based servers and systems at scale,
security smells in IaC scripts could be used to enable malicious users to exploit vulnerabilities in the provisioned systems. Goal:
The goal of this paper is to help practitioners avoid insecure coding practices while developing infrastructure as code scripts through
an empirical study of security smells in Ansible and Chef scripts. Methodology: We conduct a replication study where we apply
qualitative analysis with 1,956 IaC scripts to identify security smells for IaC scripts written in two languages: Ansible and Chef. We
construct a static analysis tool called Security Linter for Ansible and Chef scripts (SLAC) to automatically identify security smells in
50,323 scripts collected from 813 open source software repositories. We also submit bug reports for 1,000 randomly-selected smell
occurrences. Results: We identify two security smells not reported in prior work: missing default in case statement and no integrity
check. By applying SLAC we identify 46,600 occurrences of security smells that include 7,849 hard-coded passwords. We observe
agreement for 65 of the 94 bug reports that received a response, which suggests the relevance of security smells for Ansible and Chef scripts amongst
practitioners. Conclusion: We observe security smells to be prevalent in Ansible and Chef scripts, similar to Puppet scripts.
We recommend that practitioners rigorously inspect the presence of the identified security smells in Ansible and Chef scripts using (i)
code review, and (ii) static analysis tools.
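The abstract names two smell categories that a linter can check mechanically in Ansible task files: hard-coded passwords and downloads with no integrity check. The following is an added illustration written for this page, not the SLAC tool or any code from the paper; the secret-key pattern, the rule that `get_url` without a `checksum` argument counts as a missing integrity check, and the sample tasks are all assumptions and constructed input.

```python
import re

# Keys whose literal values are likely secrets (assumed pattern, not SLAC's).
SECRET_KEY_RE = re.compile(r"(pass(word|wd)?|secret|token|api_key)$", re.I)
# A templated value (e.g. an Ansible Vault variable) is not a hard-coded secret.
TEMPLATED_RE = re.compile(r"\{\{.*\}\}")
# Modules that download remote content and accept a checksum parameter.
DOWNLOAD_MODULES = {"get_url"}

def _scalars(obj, path=""):
    """Yield (dotted_path, value) for every scalar inside a nested task dict."""
    if isinstance(obj, dict):
        for key, value in obj.items():
            yield from _scalars(value, f"{path}.{key}" if path else str(key))
    elif isinstance(obj, list):
        for i, value in enumerate(obj):
            yield from _scalars(value, f"{path}[{i}]")
    else:
        yield path, obj

def find_smells(tasks):
    """Return (task_name, smell, location) tuples for a list of task dicts,
    i.e. the structure yaml.safe_load() yields for an Ansible task file."""
    findings = []
    for task in tasks:
        name = task.get("name", "<unnamed>")
        for path, value in _scalars(task):
            key = path.rsplit(".", 1)[-1]
            if (SECRET_KEY_RE.search(key) and isinstance(value, str)
                    and value and not TEMPLATED_RE.search(value)):
                findings.append((name, "hard-coded password", path))
        for module in DOWNLOAD_MODULES:
            args = task.get(module)
            if isinstance(args, dict) and "checksum" not in args:
                findings.append((name, "no integrity check", module))
    return findings

# Constructed sample tasks (not from the paper's dataset); the checksum value
# is a placeholder digest.
SAMPLE_TASKS = [
    {"name": "Create DB user",
     "mysql_user": {"name": "app", "password": "s3cret", "priv": "*.*:ALL"}},
    {"name": "Create DB user (vaulted)",
     "mysql_user": {"name": "app", "password": "{{ vault_db_password }}"}},
    {"name": "Fetch installer",
     "get_url": {"url": "https://example.invalid/install.sh", "dest": "/tmp/install.sh"}},
    {"name": "Fetch installer (verified)",
     "get_url": {"url": "https://example.invalid/install.sh", "dest": "/tmp/install.sh",
                 "checksum": "sha256:" + "0" * 64}},
]
```

Running `find_smells(SAMPLE_TASKS)` flags only the first and third tasks; the vaulted password and the checksummed download pass.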
The paper is accepted at the journal of ACM Transactions on Software Engineering and Methodology (TOSEM) on June 20, 2020.
CCS Concepts: · Security and privacy → Software security engineering.
Additional Key Words and Phrases: ansible, chef, configuration as code, configuration scripts, devops, devsecops, empirical
study, infrastructure as code, insecure coding, security, smell, static analysis
ACM Reference Format:
Akond Rahman, Md Rayhanur Rahman, Chris Parnin, and Laurie Williams. 2018. Security Smells in Ansible and Chef Scripts: A
Replication Study. 1, 1 (February 2018), 31 pages. https://doi.org/10.1145/nnnnnnn.nnnnnnn
1 INTRODUCTION
Infrastructure as code (IaC) is the practice of using automated scripting to provision and configure development
environment and servers at scale [16]. Similar to software source code, recommended software engineering practices,
Authors’ addresses: Akond Rahman, Tennessee Technological University, 1 William Jones Drive, Cookeville, Tennessee, USA, arahman@tntech.edu; Md
Rayhanur Rahman, NC State University, 890 Oval Drive, Raleigh, North Carolina, USA, mrahman@ncsu.edu; Chris Parnin, NC State University, 890
Oval Drive, Raleigh, North Carolina, USA, cjparnin@ncsu.edu; Laurie Williams, NC State University, 890 Oval Drive, Raleigh, North Carolina, USA,
lawilli3@ncsu.edu.
Permission to make digital or hard copies of all or part of this work for personal or classroom use is granted without fee provided that copies are not
made or distributed for profit or commercial advantage and that copies bear this notice and the full citation on the first page. Copyrights for components
of this work owned by others than ACM must be honored. Abstracting with credit is permitted. To copy otherwise, or republish, to post on servers or to
redistribute to lists, requires prior specific permission and/or a fee. Request permissions from permissions@acm.org.
© 2018 Association for Computing Machinery.
Manuscript submitted to ACM
arXiv:1907.07159v2 [cs.CR] 20 Jun 2020