Preliminary Investigation into a Security Approach for Infrastructure as Code

Ammar Zeini; Ruth G. Lennon; Patrick Lennon

doi:10.1007/978-981-99-3091-3_63

Preliminary Investigation into a Security Approach for Infrastructure as Code

Ammar Zeini
, Ruth G. Lennon
, Patrick Lennon

Atlantic Technological University
University of Limerick

Research output: Chapter in Book/Report/Conference proceeding › Conference contribution › peer-review

2 Citations (Scopus)

Abstract

IaC is relatively a novel technology, with the result that many security frameworks don’t have a clear strategy for risk management or threat modelling for infrastructure when implementing IaC techniques. In DevOps, infrastructure is initialized, prepared, managed, and configured with a left-shift on quality. The DevOps methodology increases the integrity and stability of the deployment. IaC works best with DevOps practices for code quality, scalability, security, and reliability. Infrastructure as Code (IaC) promotes managing knowledge and experience through reusable scripts of infrastructure code, instead of the traditional method of manual labour technique, which is typically slow and time-consuming. This research determines some security risks that should considered during the IaC development process. It further defines the main security practices that should be added into Infrastructure as Code life cycle to fill the gap in the SDLC for IaC. An initial proposal to secure pipelines for IaC is presented.

Original language	English
Title of host publication	Proceedings of 8th International Congress on Information and Communication Technology - ICICT 2023
Editors	Xin-She Yang, R. Simon Sherratt, Nilanjan Dey, Amit Joshi
Publisher	Springer Science and Business Media Deutschland GmbH
Pages	763-783
Number of pages	21
ISBN (Print)	9789819930906
DOIs	https://doi.org/10.1007/978-981-99-3091-3_63
Publication status	Published - 2023
Event	8th International Congress on Information and Communication Technology, ICICT 2023 - London, United Kingdom Duration: 20 Feb 2023 → 23 Feb 2023

Publication series

Name	Lecture Notes in Networks and Systems
Volume	694 LNNS
ISSN (Print)	2367-3370
ISSN (Electronic)	2367-3389

Conference

Conference	8th International Congress on Information and Communication Technology, ICICT 2023
Country/Territory	United Kingdom
City	London
Period	20/02/23 → 23/02/23

Keywords

DevOps
Infrastructure as code
Security as code
Security development life cycle frameworks

Access to Document

10.1007/978-981-99-3091-3_63

Cite this

Zeini, A., Lennon, R. G., & Lennon, P. (2023). Preliminary Investigation into a Security Approach for Infrastructure as Code. In X.-S. Yang, R. S. Sherratt, N. Dey, & A. Joshi (Eds.), Proceedings of 8th International Congress on Information and Communication Technology - ICICT 2023 (pp. 763-783). (Lecture Notes in Networks and Systems; Vol. 694 LNNS). Springer Science and Business Media Deutschland GmbH. https://doi.org/10.1007/978-981-99-3091-3_63

Zeini, Ammar ; Lennon, Ruth G. ; Lennon, Patrick. / Preliminary Investigation into a Security Approach for Infrastructure as Code. Proceedings of 8th International Congress on Information and Communication Technology - ICICT 2023. editor / Xin-She Yang ; R. Simon Sherratt ; Nilanjan Dey ; Amit Joshi. Springer Science and Business Media Deutschland GmbH, 2023. pp. 763-783 (Lecture Notes in Networks and Systems).

@inproceedings{540f599b00854250b2e54082cdfa8a59,

title = "Preliminary Investigation into a Security Approach for Infrastructure as Code",

abstract = "IaC is relatively a novel technology, with the result that many security frameworks don{\textquoteright}t have a clear strategy for risk management or threat modelling for infrastructure when implementing IaC techniques. In DevOps, infrastructure is initialized, prepared, managed, and configured with a left-shift on quality. The DevOps methodology increases the integrity and stability of the deployment. IaC works best with DevOps practices for code quality, scalability, security, and reliability. Infrastructure as Code (IaC) promotes managing knowledge and experience through reusable scripts of infrastructure code, instead of the traditional method of manual labour technique, which is typically slow and time-consuming. This research determines some security risks that should considered during the IaC development process. It further defines the main security practices that should be added into Infrastructure as Code life cycle to fill the gap in the SDLC for IaC. An initial proposal to secure pipelines for IaC is presented.",

keywords = "DevOps, Infrastructure as code, Security as code, Security development life cycle frameworks",

author = "Ammar Zeini and Lennon, \{Ruth G.\} and Patrick Lennon",

note = "Publisher Copyright: {\textcopyright} 2023, The Author(s), under exclusive license to Springer Nature Singapore Pte Ltd.; 8th International Congress on Information and Communication Technology, ICICT 2023 ; Conference date: 20-02-2023 Through 23-02-2023",

year = "2023",

doi = "10.1007/978-981-99-3091-3\_63",

language = "English",

isbn = "9789819930906",

series = "Lecture Notes in Networks and Systems",

publisher = "Springer Science and Business Media Deutschland GmbH",

pages = "763--783",

editor = "Xin-She Yang and Sherratt, \{R. Simon\} and Nilanjan Dey and Amit Joshi",

booktitle = "Proceedings of 8th International Congress on Information and Communication Technology - ICICT 2023",

}

Zeini, A, Lennon, RG & Lennon, P 2023, Preliminary Investigation into a Security Approach for Infrastructure as Code. in X-S Yang, RS Sherratt, N Dey & A Joshi (eds), Proceedings of 8th International Congress on Information and Communication Technology - ICICT 2023. Lecture Notes in Networks and Systems, vol. 694 LNNS, Springer Science and Business Media Deutschland GmbH, pp. 763-783, 8th International Congress on Information and Communication Technology, ICICT 2023, London, United Kingdom, 20/02/23. https://doi.org/10.1007/978-981-99-3091-3_63

Preliminary Investigation into a Security Approach for Infrastructure as Code. / Zeini, Ammar; Lennon, Ruth G.; Lennon, Patrick.
Proceedings of 8th International Congress on Information and Communication Technology - ICICT 2023. ed. / Xin-She Yang; R. Simon Sherratt; Nilanjan Dey; Amit Joshi. Springer Science and Business Media Deutschland GmbH, 2023. p. 763-783 (Lecture Notes in Networks and Systems; Vol. 694 LNNS).

Research output: Chapter in Book/Report/Conference proceeding › Conference contribution › peer-review

TY - GEN

T1 - Preliminary Investigation into a Security Approach for Infrastructure as Code

AU - Zeini, Ammar

AU - Lennon, Ruth G.

AU - Lennon, Patrick

PY - 2023

Y1 - 2023

N2 - IaC is relatively a novel technology, with the result that many security frameworks don’t have a clear strategy for risk management or threat modelling for infrastructure when implementing IaC techniques. In DevOps, infrastructure is initialized, prepared, managed, and configured with a left-shift on quality. The DevOps methodology increases the integrity and stability of the deployment. IaC works best with DevOps practices for code quality, scalability, security, and reliability. Infrastructure as Code (IaC) promotes managing knowledge and experience through reusable scripts of infrastructure code, instead of the traditional method of manual labour technique, which is typically slow and time-consuming. This research determines some security risks that should considered during the IaC development process. It further defines the main security practices that should be added into Infrastructure as Code life cycle to fill the gap in the SDLC for IaC. An initial proposal to secure pipelines for IaC is presented.

AB - IaC is relatively a novel technology, with the result that many security frameworks don’t have a clear strategy for risk management or threat modelling for infrastructure when implementing IaC techniques. In DevOps, infrastructure is initialized, prepared, managed, and configured with a left-shift on quality. The DevOps methodology increases the integrity and stability of the deployment. IaC works best with DevOps practices for code quality, scalability, security, and reliability. Infrastructure as Code (IaC) promotes managing knowledge and experience through reusable scripts of infrastructure code, instead of the traditional method of manual labour technique, which is typically slow and time-consuming. This research determines some security risks that should considered during the IaC development process. It further defines the main security practices that should be added into Infrastructure as Code life cycle to fill the gap in the SDLC for IaC. An initial proposal to secure pipelines for IaC is presented.

KW - DevOps

KW - Infrastructure as code

KW - Security as code

KW - Security development life cycle frameworks

UR - https://www.scopus.com/pages/publications/85174700079

U2 - 10.1007/978-981-99-3091-3_63

DO - 10.1007/978-981-99-3091-3_63

M3 - Conference contribution

AN - SCOPUS:85174700079

SN - 9789819930906

T3 - Lecture Notes in Networks and Systems

SP - 763

EP - 783

BT - Proceedings of 8th International Congress on Information and Communication Technology - ICICT 2023

A2 - Yang, Xin-She

A2 - Sherratt, R. Simon

A2 - Dey, Nilanjan

A2 - Joshi, Amit

PB - Springer Science and Business Media Deutschland GmbH

T2 - 8th International Congress on Information and Communication Technology, ICICT 2023

Y2 - 20 February 2023 through 23 February 2023

ER -

Zeini A, Lennon RG, Lennon P. Preliminary Investigation into a Security Approach for Infrastructure as Code. In Yang XS, Sherratt RS, Dey N, Joshi A, editors, Proceedings of 8th International Congress on Information and Communication Technology - ICICT 2023. Springer Science and Business Media Deutschland GmbH. 2023. p. 763-783. (Lecture Notes in Networks and Systems). doi: 10.1007/978-981-99-3091-3_63

Preliminary Investigation into a Security Approach for Infrastructure as Code

Abstract

Publication series

Conference

Keywords

Access to Document

Other files and links

Fingerprint

Cite this