Detecting and Characterizing Propagation of Security Weaknesses in Puppet-based infrastructure Management

Despite being beneficial for managing computing infrastructure automatically, Puppet manifests are susceptible to security weaknesses, e.g., hard-coded secrets and use of weak cryptography algorithms. Adequate mitigation weaknesses in is thus necessary secure that managed with manifests. A characterization how propagate affect Puppet-based management, can inform practitioners on the relevance detected as well help them take actions mitigation. We conduct an empirical study 17,629 Taint Tracker xmlns:xlink="http://www.w3.org/1999/xlink">Pup pet Manifests ( xmlns:xlink="http://www.w3.org/1999/xlink">TaintPup ). observe 2.4 times more precision, 1.8 F-measure TaintPup, compared a state-of-the-art static analysis tool. From our study, we into 4,457 resources, i.e, Puppet-specific code elements used manage infrastructure. single instance weakness many 35 distinct resources. 7 categories which include resources continuous integration servers network controllers. According survey 24 practitioners, propagation data storage-related rated have most severe impact management.