Gang of Eight: A Defect Taxonomy for Infrastructure as Code Scripts
Defects in infrastructure as code (IaC) scripts can have serious consequences, for example, creating large-scale system outages. A taxonomy of IaC defects can be useful for understanding the nature of defects and identifying activities needed to fix and prevent defects in IaC scripts. The goal of this paper is to help practitioners improve the quality of infrastructure as code (IaC) scripts by developing a defect taxonomy for IaC scripts through qualitative analysis. We develop a taxonomy of IaC defects by applying qualitative analysis on 1,448 defect-related commits collected from open source software (OSS) repositories of the OpenStack organization. We conduct a survey with 66 practitioners to assess if they agree with the identified defect categories included in our taxonomy. We quantify the frequency of identified defect categories by analyzing 80,425 commits collected from 291 OSS repositories spanning 2005 to 2019.
Our defect taxonomy for IaC consists of eight categories, including a category specific to IaC called idempotency (i.e., defects that lead to incorrect system provisioning when the same IaC script is executed multiple times). We observe that the 66 surveyed practitioners agree most with idempotency. The most frequent defect category is configuration data, i.e., providing erroneous configuration data in IaC scripts. Our taxonomy and the quantified frequency of the defect categories can help practitioners improve IaC script quality by prioritizing verification and validation efforts.
Sat 11 Jul
Displayed time zone: (UTC) Coordinated Universal Time
00:00 - 01:00

| Time | Duration | Type | Track | Title | Authors |
|---|---|---|---|---|---|
| 00:00 | 12m | Talk | Technical Papers | Typestate-Guided Fuzzer for Discovering Use-after-Free Vulnerabilities | Haijun Wang (Ant Financial Services Group, China; CSSE, Shenzhen University, China), Xiaofei Xie (Nanyang Technological University), Yi Li (Nanyang Technological University), Cheng Wen (Xidian University), Yuekang Li (Nanyang Technological University), Yang Liu (Nanyang Technological University, Singapore), Shengchao Qin (University of Teesside), Hongxu Chen (Research Associate), Yulei Sui (University of Technology Sydney, Australia) |
| 00:12 | 12m | Talk | Technical Papers | sFuzz: An Efficient Adaptive Fuzzer for Solidity Smart Contracts | Tai D. Nguyen (Singapore Management University), Long H. Pham (Singapore University of Technology and Design), Jun Sun (Singapore Management University), Yun Lin (National University of Singapore), Minh Quang Tran (Ho Chi Minh City University of Technology) |
| 00:24 | 12m | Talk | Technical Papers | Planning for Untangling: Predicting the Difficulty of Merge Conflicts | Caius Brindescu (Oregon State University), Iftekhar Ahmed (University of California at Irvine, USA), Rafael Leano (Oregon State University), Anita Sarma (Oregon State University) |
| 00:36 | 12m | Talk | Technical Papers | Gang of Eight: A Defect Taxonomy for Infrastructure as Code Scripts | Akond Rahman (Tennessee Tech University), Effat Farhana (North Carolina State University), Chris Parnin (North Carolina State University), Laurie Williams (North Carolina State University) |
| 00:48 | 12m | Talk | Technical Papers | JVM Fuzzing for JIT-Induced Side-Channel Detection | Tegan Brennan (University of California, Santa Barbara), Seemanta Saha (University of California Santa Barbara), Tevfik Bultan (University of California, Santa Barbara) |