{"id":"https://openalex.org/W4402456068","doi":"https://doi.org/10.1145/3691630","title":"On the Understandability of Design-Level Security Practices in Infrastructure-as-Code Scripts and Deployment Architectures","display_name":"On the Understandability of Design-Level Security Practices in Infrastructure-as-Code Scripts and Deployment Architectures","publication_year":2024,"publication_date":"2024-09-11","ids":{"openalex":"https://openalex.org/W4402456068","doi":"https://doi.org/10.1145/3691630"},"language":"en","primary_location":{"id":"doi:10.1145/3691630","is_oa":true,"landing_page_url":"https://doi.org/10.1145/3691630","pdf_url":null,"source":{"id":"https://openalex.org/S142627899","display_name":"ACM Transactions on Software Engineering and Methodology","issn_l":"1049-331X","issn":["1049-331X","1557-7392"],"is_oa":false,"is_in_doaj":false,"is_core":true,"host_organization":"https://openalex.org/P4310319798","host_organization_name":"Association for Computing Machinery","host_organization_lineage":["https://openalex.org/P4310319798"],"host_organization_lineage_names":["Association for Computing Machinery"],"type":"journal"},"license":"cc-by","license_id":"https://openalex.org/licenses/cc-by","version":"publishedVersion","is_accepted":true,"is_published":true,"raw_source_name":"ACM Transactions on Software Engineering and Methodology","raw_type":"journal-article"},"type":"article","indexed_in":["crossref"],"open_access":{"is_oa":true,"oa_status":"hybrid","oa_url":"https://doi.org/10.1145/3691630","any_repository_has_fulltext":false},"authorships":[{"author_position":"first","author":{"id":"https://openalex.org/A5021651819","display_name":"Evangelos Ntentos","orcid":null},"institutions":[{"id":"https://openalex.org/I129774422","display_name":"University of Vienna","ror":"https://ror.org/03prydq77","country_code":"AT","type":"education","lineage":["https://openalex.org/I129774422"]}],"countries":["AT"],"is_corresponding":true,"raw_author_name":"Evangelos Ntentos","raw_affiliation_strings":["University of Vienna, Vienna, Austria","Research Group Software Architecture, Faculty of Computer Science, University of Vienna, Austria"],"affiliations":[{"raw_affiliation_string":"University of Vienna, Vienna, Austria","institution_ids":["https://openalex.org/I129774422"]},{"raw_affiliation_string":"Research Group Software Architecture, Faculty of Computer Science, University of Vienna, Austria","institution_ids":["https://openalex.org/I129774422"]}]},{"author_position":"middle","author":{"id":"https://openalex.org/A5107133147","display_name":"Nicole Elisabeth Lueger","orcid":null},"institutions":[{"id":"https://openalex.org/I129774422","display_name":"University of Vienna","ror":"https://ror.org/03prydq77","country_code":"AT","type":"education","lineage":["https://openalex.org/I129774422"]}],"countries":["AT"],"is_corresponding":false,"raw_author_name":"Nicole Elisabeth Lueger","raw_affiliation_strings":["University of Vienna, Vienna, Austria","University of Vienna, Faculty of Computer Science, Software Architecture Group, Doctoral School Computer Science, Austria"],"affiliations":[{"raw_affiliation_string":"University of Vienna, Vienna, Austria","institution_ids":["https://openalex.org/I129774422"]},{"raw_affiliation_string":"University of Vienna, Faculty of Computer Science, Software Architecture Group, Doctoral School Computer Science, Austria","institution_ids":["https://openalex.org/I129774422"]}]},{"author_position":"middle","author":{"id":"https://openalex.org/A5048945741","display_name":"Georg Simhandl","orcid":"https://orcid.org/0000-0003-0516-3274"},"institutions":[{"id":"https://openalex.org/I129774422","display_name":"University of Vienna","ror":"https://ror.org/03prydq77","country_code":"AT","type":"education","lineage":["https://openalex.org/I129774422"]}],"countries":["AT"],"is_corresponding":false,"raw_author_name":"Georg Simhandl","raw_affiliation_strings":["University of Vienna, Vienna, Austria","Research Group Software Architecture, Faculty of Computer Science, University of Vienna, Austria"],"affiliations":[{"raw_affiliation_string":"University of Vienna, Vienna, Austria","institution_ids":["https://openalex.org/I129774422"]},{"raw_affiliation_string":"Research Group Software Architecture, Faculty of Computer Science, University of Vienna, Austria","institution_ids":["https://openalex.org/I129774422"]}]},{"author_position":"middle","author":{"id":"https://openalex.org/A5077943544","display_name":"Uwe Zdun","orcid":"https://orcid.org/0000-0002-6233-2591"},"institutions":[{"id":"https://openalex.org/I129774422","display_name":"University of Vienna","ror":"https://ror.org/03prydq77","country_code":"AT","type":"education","lineage":["https://openalex.org/I129774422"]}],"countries":["AT"],"is_corresponding":false,"raw_author_name":"Uwe Zdun","raw_affiliation_strings":["University of Vienna, Vienna, Austria","Research Group Software Architecture, Faculty of Computer Science, University of Vienna, Austria"],"affiliations":[{"raw_affiliation_string":"University of Vienna, Vienna, Austria","institution_ids":["https://openalex.org/I129774422"]},{"raw_affiliation_string":"Research Group Software Architecture, Faculty of Computer Science, University of Vienna, Austria","institution_ids":["https://openalex.org/I129774422"]}]},{"author_position":"middle","author":{"id":"https://openalex.org/A5060552801","display_name":"Simon Schneider","orcid":"https://orcid.org/0000-0001-8605-615X"},"institutions":[{"id":"https://openalex.org/I159176309","display_name":"Universit\u00e4t Hamburg","ror":"https://ror.org/00g30e956","country_code":"DE","type":"education","lineage":["https://openalex.org/I159176309"]},{"id":"https://openalex.org/I884043246","display_name":"Hamburg University of Technology","ror":"https://ror.org/04bs1pb34","country_code":"DE","type":"education","lineage":["https://openalex.org/I884043246"]}],"countries":["DE"],"is_corresponding":false,"raw_author_name":"Simon Schneider","raw_affiliation_strings":["Institute of Software Security, Hamburg University of Technology, Hamburg, Germany","Institute of Software Security, Hamburg University of Technology, Germany"],"affiliations":[{"raw_affiliation_string":"Institute of Software Security, Hamburg University of Technology, Hamburg, Germany","institution_ids":["https://openalex.org/I159176309","https://openalex.org/I884043246"]},{"raw_affiliation_string":"Institute of Software Security, Hamburg University of Technology, Germany","institution_ids":["https://openalex.org/I159176309","https://openalex.org/I884043246"]}]},{"author_position":"middle","author":{"id":"https://openalex.org/A5012313708","display_name":"Riccardo Scandariato","orcid":"https://orcid.org/0000-0003-3591-7671"},"institutions":[{"id":"https://openalex.org/I159176309","display_name":"Universit\u00e4t Hamburg","ror":"https://ror.org/00g30e956","country_code":"DE","type":"education","lineage":["https://openalex.org/I159176309"]},{"id":"https://openalex.org/I884043246","display_name":"Hamburg University of Technology","ror":"https://ror.org/04bs1pb34","country_code":"DE","type":"education","lineage":["https://openalex.org/I884043246"]}],"countries":["DE"],"is_corresponding":false,"raw_author_name":"Riccardo Scandariato","raw_affiliation_strings":["Institute of Software Security, Hamburg University of Technology, Hamburg, Germany","Institute of Software Security, Hamburg University of Technology, Germany"],"affiliations":[{"raw_affiliation_string":"Institute of Software Security, Hamburg University of Technology, Hamburg, Germany","institution_ids":["https://openalex.org/I159176309","https://openalex.org/I884043246"]},{"raw_affiliation_string":"Institute of Software Security, Hamburg University of Technology, Germany","institution_ids":["https://openalex.org/I159176309","https://openalex.org/I884043246"]}]},{"author_position":"last","author":{"id":"https://openalex.org/A5107133148","display_name":"Nicol\u00e1s E. D\u00edaz Ferreyra","orcid":"https://orcid.org/0009-0009-9599-0580"},"institutions":[{"id":"https://openalex.org/I159176309","display_name":"Universit\u00e4t Hamburg","ror":"https://ror.org/00g30e956","country_code":"DE","type":"education","lineage":["https://openalex.org/I159176309"]},{"id":"https://openalex.org/I884043246","display_name":"Hamburg University of Technology","ror":"https://ror.org/04bs1pb34","country_code":"DE","type":"education","lineage":["https://openalex.org/I884043246"]}],"countries":["DE"],"is_corresponding":false,"raw_author_name":"Nicol\u00e1s E. D\u00edaz Ferreyra","raw_affiliation_strings":["Institute of Software Security, Hamburg University of Technology, Hamburg, Germany","Institute of Software Security, Hamburg University of Technology, Germany"],"affiliations":[{"raw_affiliation_string":"Institute of Software Security, Hamburg University of Technology, Hamburg, Germany","institution_ids":["https://openalex.org/I159176309","https://openalex.org/I884043246"]},{"raw_affiliation_string":"Institute of Software Security, Hamburg University of Technology, Germany","institution_ids":["https://openalex.org/I159176309","https://openalex.org/I884043246"]}]}],"institutions":[],"countries_distinct_count":2,"institutions_distinct_count":7,"corresponding_author_ids":["https://openalex.org/A5021651819"],"corresponding_institution_ids":["https://openalex.org/I129774422"],"apc_list":null,"apc_paid":null,"fwci":2.4471,"has_fulltext":false,"cited_by_count":5,"citation_normalized_percentile":{"value":0.90395198,"is_in_top_1_percent":false,"is_in_top_10_percent":true},"cited_by_percentile_year":{"min":97,"max":98},"biblio":{"volume":"34","issue":"1","first_page":"1","last_page":"37"},"is_retracted":false,"is_paratext":false,"is_xpac":false,"primary_topic":{"id":"https://openalex.org/T12122","display_name":"Physical Unclonable Functions (PUFs) and Hardware Security","score":0.9962000250816345,"subfield":{"id":"https://openalex.org/subfields/1708","display_name":"Hardware and Architecture"},"field":{"id":"https://openalex.org/fields/17","display_name":"Computer Science"},"domain":{"id":"https://openalex.org/domains/3","display_name":"Physical Sciences"}},"topics":[{"id":"https://openalex.org/T12122","display_name":"Physical Unclonable Functions (PUFs) and Hardware Security","score":0.9962000250816345,"subfield":{"id":"https://openalex.org/subfields/1708","display_name":"Hardware and Architecture"},"field":{"id":"https://openalex.org/fields/17","display_name":"Computer Science"},"domain":{"id":"https://openalex.org/domains/3","display_name":"Physical Sciences"}},{"id":"https://openalex.org/T10734","display_name":"Information and Cyber Security","score":0.9937999844551086,"subfield":{"id":"https://openalex.org/subfields/1710","display_name":"Information Systems"},"field":{"id":"https://openalex.org/fields/17","display_name":"Computer Science"},"domain":{"id":"https://openalex.org/domains/3","display_name":"Physical Sciences"}},{"id":"https://openalex.org/T11241","display_name":"Advanced Malware Detection Techniques","score":0.9937000274658203,"subfield":{"id":"https://openalex.org/subfields/1711","display_name":"Signal Processing"},"field":{"id":"https://openalex.org/fields/17","display_name":"Computer Science"},"domain":{"id":"https://openalex.org/domains/3","display_name":"Physical Sciences"}}],"keywords":[{"id":"https://openalex.org/keywords/computer-science","display_name":"Computer science","score":0.8087834119796753},{"id":"https://openalex.org/keywords/software-deployment","display_name":"Software deployment","score":0.627948522567749},{"id":"https://openalex.org/keywords/scripting-language","display_name":"Scripting language","score":0.5936748385429382},{"id":"https://openalex.org/keywords/software-engineering","display_name":"Software engineering","score":0.44719836115837097},{"id":"https://openalex.org/keywords/code","display_name":"Code (set theory)","score":0.4364653527736664},{"id":"https://openalex.org/keywords/programming-language","display_name":"Programming language","score":0.27763116359710693}],"concepts":[{"id":"https://openalex.org/C41008148","wikidata":"https://www.wikidata.org/wiki/Q21198","display_name":"Computer science","level":0,"score":0.8087834119796753},{"id":"https://openalex.org/C105339364","wikidata":"https://www.wikidata.org/wiki/Q2297740","display_name":"Software deployment","level":2,"score":0.627948522567749},{"id":"https://openalex.org/C61423126","wikidata":"https://www.wikidata.org/wiki/Q187432","display_name":"Scripting language","level":2,"score":0.5936748385429382},{"id":"https://openalex.org/C115903868","wikidata":"https://www.wikidata.org/wiki/Q80993","display_name":"Software engineering","level":1,"score":0.44719836115837097},{"id":"https://openalex.org/C2776760102","wikidata":"https://www.wikidata.org/wiki/Q5139990","display_name":"Code (set theory)","level":3,"score":0.4364653527736664},{"id":"https://openalex.org/C199360897","wikidata":"https://www.wikidata.org/wiki/Q9143","display_name":"Programming language","level":1,"score":0.27763116359710693},{"id":"https://openalex.org/C177264268","wikidata":"https://www.wikidata.org/wiki/Q1514741","display_name":"Set (abstract data type)","level":2,"score":0.0}],"mesh":[],"locations_count":1,"locations":[{"id":"doi:10.1145/3691630","is_oa":true,"landing_page_url":"https://doi.org/10.1145/3691630","pdf_url":null,"source":{"id":"https://openalex.org/S142627899","display_name":"ACM Transactions on Software Engineering and Methodology","issn_l":"1049-331X","issn":["1049-331X","1557-7392"],"is_oa":false,"is_in_doaj":false,"is_core":true,"host_organization":"https://openalex.org/P4310319798","host_organization_name":"Association for Computing Machinery","host_organization_lineage":["https://openalex.org/P4310319798"],"host_organization_lineage_names":["Association for Computing Machinery"],"type":"journal"},"license":"cc-by","license_id":"https://openalex.org/licenses/cc-by","version":"publishedVersion","is_accepted":true,"is_published":true,"raw_source_name":"ACM Transactions on Software Engineering and Methodology","raw_type":"journal-article"}],"best_oa_location":{"id":"doi:10.1145/3691630","is_oa":true,"landing_page_url":"https://doi.org/10.1145/3691630","pdf_url":null,"source":{"id":"https://openalex.org/S142627899","display_name":"ACM Transactions on Software Engineering and Methodology","issn_l":"1049-331X","issn":["1049-331X","1557-7392"],"is_oa":false,"is_in_doaj":false,"is_core":true,"host_organization":"https://openalex.org/P4310319798","host_organization_name":"Association for Computing Machinery","host_organization_lineage":["https://openalex.org/P4310319798"],"host_organization_lineage_names":["Association for Computing Machinery"],"type":"journal"},"license":"cc-by","license_id":"https://openalex.org/licenses/cc-by","version":"publishedVersion","is_accepted":true,"is_published":true,"raw_source_name":"ACM Transactions on Software Engineering and Methodology","raw_type":"journal-article"},"sustainable_development_goals":[],"awards":[],"funders":[],"has_content":{"pdf":false,"grobid_xml":false},"content_urls":null,"referenced_works_count":62,"referenced_works":["https://openalex.org/W1511267087","https://openalex.org/W1746353556","https://openalex.org/W1783768447","https://openalex.org/W1978813754","https://openalex.org/W1989287546","https://openalex.org/W1991000629","https://openalex.org/W2013500172","https://openalex.org/W2046895806","https://openalex.org/W2050419550","https://openalex.org/W2052388428","https://openalex.org/W2052768327","https://openalex.org/W2053327450","https://openalex.org/W2061554433","https://openalex.org/W2110065044","https://openalex.org/W2110467271","https://openalex.org/W2144969491","https://openalex.org/W2163851162","https://openalex.org/W2168745915","https://openalex.org/W2402800985","https://openalex.org/W2424693453","https://openalex.org/W2564147261","https://openalex.org/W2619205510","https://openalex.org/W2621143560","https://openalex.org/W2622958941","https://openalex.org/W2765281396","https://openalex.org/W2766231014","https://openalex.org/W2796047065","https://openalex.org/W2803691889","https://openalex.org/W2884095124","https://openalex.org/W2891198015","https://openalex.org/W2893337773","https://openalex.org/W2900823441","https://openalex.org/W2907854211","https://openalex.org/W2955656327","https://openalex.org/W2993710525","https://openalex.org/W2997300846","https://openalex.org/W3000845437","https://openalex.org/W3040521121","https://openalex.org/W3041762618","https://openalex.org/W3047398590","https://openalex.org/W3082104242","https://openalex.org/W3088191102","https://openalex.org/W3109430751","https://openalex.org/W3123074563","https://openalex.org/W3157440142","https://openalex.org/W3158802137","https://openalex.org/W3183522126","https://openalex.org/W4225941512","https://openalex.org/W4237993802","https://openalex.org/W4238438965","https://openalex.org/W4239953570","https://openalex.org/W4240794126","https://openalex.org/W4245447613","https://openalex.org/W4248361652","https://openalex.org/W4248491408","https://openalex.org/W4251428492","https://openalex.org/W4291213652","https://openalex.org/W4292973166","https://openalex.org/W4312850591","https://openalex.org/W4365801718","https://openalex.org/W4385714587","https://openalex.org/W4389629013"],"related_works":["https://openalex.org/W4391375266","https://openalex.org/W2748952813","https://openalex.org/W2770234245","https://openalex.org/W96612179","https://openalex.org/W4229499248","https://openalex.org/W2566006169","https://openalex.org/W1567818861","https://openalex.org/W2987774938","https://openalex.org/W4256492088","https://openalex.org/W632915154"],"abstract_inverted_index":{"Infrastructure":[0],"as":[1,120,132,149],"Code":[2],"(IaC)":[3],"automates":[4],"IT":[5],"infrastructure":[6],"deployment,":[7],"which":[8],"is":[9],"particularly":[10],"beneficial":[11],"for":[12,15,44],"continuous":[13],"releases,":[14],"instance,":[16],"in":[17,28,48,62,105],"the":[18,91,126,153],"context":[19],"of":[20,39,93,128,155],"microservices":[21],"and":[22,67,76,107,118,147,173,177],"cloud":[23],"systems.":[24],"Despite":[25],"its":[26],"flexibility":[27],"application":[29],"architecture,":[30],"neglecting":[31],"security":[32,42,80],"can":[33],"lead":[34],"to":[35,50,70,102],"vulnerabilities.":[36],"The":[37],"lack":[38],"comprehensive":[40],"architectural":[41],"guidelines":[43],"IaC":[45,58,64,72,114,129,143,156],"poses":[46],"challenges":[47],"adhering":[49],"best":[51],"practices.":[52],"We":[53,109,164],"studied":[54],"how":[55],"developers":[56],"interpret":[57],"scripts":[59],"(source":[60],"code)":[61],"two":[63],"technologies,":[65],"Ansible":[66],"Terraform,":[68],"compared":[69,101],"semi-formal":[71,103,113,142],"deployment":[73,95,115,144],"architecture":[74,116,145],"models":[75,106,117,146,176],"metrics":[77,119,148,178],"regarding":[78],"design-level":[79],"understanding.":[81],"In":[82],"a":[83,167],"controlled":[84],"experiment":[85],"involving":[86],"ninety-four":[87],"participants,":[88],"we":[89],"assessed":[90],"understandability":[92,154],"IaC-based":[94],"architectures":[96],"through":[97],"source":[98],"code":[99],"inspection":[100],"representations":[104],"metrics.":[108],"hypothesized":[110],"that":[111,141],"providing":[112],"supplementary":[121,150],"material":[122,151],"would":[123],"significantly":[124,160],"improve":[125],"comprehension":[127],"security-related":[130,157],"practices,":[131],"measured":[133],"by":[134],"task":[135,171],"correctness":[136,172],".":[137,163],"Our":[138],"findings":[139],"suggest":[140],"enhance":[152],"practices":[158],"without":[159],"increasing":[161],"duration":[162,174],"also":[165],"observed":[166],"significant":[168],"correlation":[169],"between":[170],"when":[175],"were":[179],"provided.":[180]},"counts_by_year":[{"year":2025,"cited_by_count":5}],"updated_date":"2026-03-27T05:58:40.876381","created_date":"2025-10-10T00:00:00"}