Publicação em atas de evento científico
Raising security awareness of cloud deployments using infrastructure as code through cybersecurity challenges
Tiago Espinha Gasiba (Gasiba, T. E.); Iosif Andrei-Cristian (Andrei-Cristian, I.); Ulrike Lechner (Lechner, U.); Maria Pinto-Albuquerque (Pinto-Albuquerque, M.);
ARES 2021: The 16th International Conference on Availability, Reliability and Security
Ano (publicação definitiva)
2021
Língua
Inglês
País
Estados Unidos da América
Mais Informação
Web of Science®

N.º de citações: 3

(Última verificação: 2024-11-20 23:28)

Ver o registo na Web of Science®

Scopus

N.º de citações: 7

(Última verificação: 2024-11-17 07:13)

Ver o registo na Scopus

Google Scholar

N.º de citações: 17

(Última verificação: 2024-11-17 15:54)

Ver o registo no Google Scholar

Abstract/Resumo
Improper deployment of software can have serious consequences, ranging from simple downtime to permanent data loss and data breaches. Infrastructure as Code tools serve to streamline delivery by promising consistency and speed, by abstracting away from the underlying actions. However, this simplicity may distract from architectural or configuration faults, potentially compromising the secure development lifecycle. One way to address this issue involves awareness training. Sifu is a platform that provides education on security through serious games, developed in the industry, for the industry. The presented work extends the Sifu platform with challenges addressing Terraform-aided cloud deployment on Amazon Web Services. This paper proposes an evaluation pipeline behind the challenges, and provides details of the vulnerability detection and feedback mechanisms, as well as a novel technique for detecting undesired differences between a given architecture and a target result. Furthermore, this paper quantifies the challenges' perceived usefulness and impact, by evaluating the challenges among a total of twelve participants. Our preliminary results show that the challenges are suitable for education and the industry, with potential usage in internal training. A key finding is that, although the participants understand the importance of secure coding, their answers indicate that universities leave them unprepared in this area. Finally, our results are compared with related industry works, to extract and provide good practices and advice for practitioners.
Agradecimentos/Acknowledgements
We would like to thank the survey participants for their participation and engagement in meaningful discussion around their experience with the provisioning challenges. This work is partially financed by national funds through FCT - Fundação para a Ciênci
Palavras-chave
Secure coding,DevSecOps,Awareness,Training,Serious games,Cybersecurity challenges,Infrastructure as code
Registos de financiamentos
Referência de financiamento Entidade Financiadora
UIDB/04466/2020 Fundação para a Ciência e a Tecnologia
UIDP/04466/2020 Fundação para a Ciência e a Tecnologia
Projetos Relacionados

Esta publicação é um output do(s) seguinte(s) projeto(s):