Ciência-IUL
Publications
Publication Detailed Description
Raising security awareness of cloud deployments using infrastructure as code through cybersecurity challenges
ARES 2021: The 16th International Conference on Availability, Reliability and Security
Year (definitive publication)
2021
Language
English
Country
United States of America
More Information
Web of Science®
Scopus
Google Scholar
Abstract
Improper deployment of software can have serious consequences, ranging from simple downtime to permanent data loss and data breaches. Infrastructure as Code tools serve to streamline delivery by promising consistency and speed, by abstracting away from the underlying actions. However, this simplicity may distract from architectural or configuration faults, potentially compromising the secure development lifecycle. One way to address this issue involves awareness training. Sifu is a platform that provides education on security through serious games, developed in the industry, for the industry. The presented work extends the Sifu platform with challenges addressing Terraform-aided cloud deployment on Amazon Web Services. This paper proposes an evaluation pipeline behind the challenges, and provides details of the vulnerability detection and feedback mechanisms, as well as a novel technique for detecting undesired differences between a given architecture and a target result. Furthermore, this paper quantifies the challenges' perceived usefulness and impact, by evaluating the challenges among a total of twelve participants. Our preliminary results show that the challenges are suitable for education and the industry, with potential usage in internal training. A key finding is that, although the participants understand the importance of secure coding, their answers indicate that universities leave them unprepared in this area. Finally, our results are compared with related industry works, to extract and provide good practices and advice for practitioners.
Acknowledgements
We would like to thank the survey participants for their participation
and engagement in meaningful discussion around their
experience with the provisioning challenges. This work is partially
financed by national funds through FCT - Fundação para a Ciênci
Keywords
Secure coding,DevSecOps,Awareness,Training,Serious games,Cybersecurity challenges,Infrastructure as code
Funding Records
Funding Reference | Funding Entity |
---|---|
UIDB/04466/2020 | Fundação para a Ciência e a Tecnologia |
UIDP/04466/2020 | Fundação para a Ciência e a Tecnologia |
Related Projects
This publication is an output of the following project(s):