TUHH Open Research
On the understandability of design-level security practices in infrastructure-as-code scripts and deployment architectures

Citation Link: https://doi.org/10.15480/882.14169
Publication Type
Journal Article
Date Issued
2024-12-26
Language
English
Author(s)
Ntentos, Evangelos
Hörner, Nicole
Simhandl, Georg
Zdun, Uwe
Schneider, Simon Malte (Software Security E-22)
Scandariato, Riccardo (Software Security E-22)
Díaz Ferreyra, Nicolás (Software Security E-22)
TORE-DOI
10.15480/882.14169
TORE-URI
https://tore.tuhh.de/handle/11420/52812
Journal
ACM Transactions on Software Engineering and Methodology
Volume
34
Issue
1
Article Number
6
Citation
ACM Transactions on Software Engineering and Methodology 34 (1): 6 (2024)
Publisher DOI
10.1145/3691630
Publisher
Association for Computing Machinery (ACM)
Peer Reviewed
true
Abstract
Infrastructure as Code (IaC) automates IT infrastructure deployment, which is particularly beneficial for continuous releases, for instance, in the context of microservices and cloud systems. Despite its flexibility in application architecture, neglecting security can lead to vulnerabilities. The lack of comprehensive architectural security guidelines for IaC poses challenges in adhering to best practices. We studied how developers interpret IaC scripts (source code) in two IaC technologies, Ansible and Terraform, compared to semi-formal IaC deployment architecture models and metrics regarding design-level security understanding. In a controlled experiment involving ninety-four participants, we assessed the understandability of IaC-based deployment architectures through source code inspection compared to semi-formal representations in models and metrics.
We hypothesized that providing semi-formal IaC deployment architecture models and metrics as supplementary material would significantly improve the comprehension of IaC security-related practices, as measured by task correctness. Our findings suggest that semi-formal IaC deployment architecture models and metrics as supplementary material enhance the understandability of IaC security-related practices without significantly increasing duration. We also observed a significant correlation between task correctness and duration when models and metrics were provided.
Subjects
Infrastructure as code
modeling
best practices
controlled experiment
empirical software engineering
DDC Class
005: Computer Programming, Programs, Data and Security
Publication version
publishedVersion
License
https://creativecommons.org/licenses/by/4.0/
File
3691630.pdf (Main Article, Adobe PDF, 8.96 MB)