Back to overview

Download research

* required

By downloading you indicate that you have taken note of our privacy Statement.

Creating, Detecting and Preventing Malicious Ansible Packages

Infrastructure as Code (IaC) uses DevOps methodology and versioning with a descriptive model to define and deploy infrastructure, such as networks, virtual machines, load balancers, and connection topologies. It gained widespread adoption due to its ability to standardize and automate infrastructure provisioning and management, foster collaboration and reproducibility, enhance infrastructure governance and auditing, facilitate rapid infrastructure modifications and deployments, and enable cost optimization and resource management.

The implementation of this paradigm was made possible through various vendors, such as Ansible, Chef, and Puppet. There were repositories for each vendor (respectively Ansible Galaxy, Chef Supermarket, and Puppet Forge) that allowed developers to easily find, download, share, and use pre-made sets of instructions tailored to specific tasks. For instance, deploying an Nginx web server could be achieved through the use of a Nginx role.

Security Concerns in IaC Adoption

The widespread adoption of external resources for IaC raised concerns about the potential security risks associated with relying on these pre-packaged components without thorough scrutiny. The lack of due diligence in examining their source code left systems vulnerable to actors who could inject malicious payloads capable of granting them unauthorized access to an entire infrastructure.

This research sought to establish whether payloads within IaC packages were fundamentally possible. The possible security mechanisms available for detecting payloads (such as third-party SAST scanners and antivirus scanners) were evaluated. Based on these outcomes, further research was conducted to determine whether payloads could be observed within a range of existing community packages in Ansible Galaxy. Ways to prevent such malicious packages are also discussed.

Stay up to date
By signing up for our newsletter you indicate that you have taken note of our privacy statement.
Table of contents
Stefan Behlen

Let's talk!

info@sue.nl +31 345 656 666

* required

By sending this form you indicate that you have taken note of our privacy Statement.

Related resources

An assessment of Zero-Shot Open Book Question Answering using Large Language Models

*Collaboration with Utrecht University* | Comparison of the performance of State-Of-The-Art Language Models in a Zero-Shot Open Domain Question Answering setting for technical topics, specifically regarding cloud technology and containerization

Published

03.07.2023

Panoptes: Remediating Rogue Resources in an Infrastructure as Code Multi-Cloud Environment

*Collaboration with the University of Amsterdam* | Administrating system architectures has historically been a time-consuming and error-prone process. DevOps, a set of practices designed to improve system deployment speed and quality, addresses these challenges by promoting automation and consistency.

Published

17.04.2024

Generative AI for Infrastructure-as-Code Configurations in Response to Drift Detection

*Collaboration with Fontys University of Applied Sciences* | To integrate a minor manual change in a given IaC code can be a labor-intensive and error-prone task. The paper presents an overview of LLMs and techniques to solve drift.

Published

27.01.2024

Privacy Overview
This website uses cookies. We use cookies to ensure the proper functioning of our website and services, to analyze how visitors interact with us, and to improve our products and marketing strategies. For more information, please consult our privacy- en cookiebeleid.