2025

Dynamic Application Security Testing for Kubernetes Deployment: An Experience Report from Industry

Published in ACM International Conference on the Foundations of Software Engineering (FSE) 2025, 2025

Practitioners use Kubernetes to automate their software deployments. While Kubernetes enables practitioners to rapidly deploy their software and perform container orchestration efficiently, the security of the Kubernetes-based deployment infrastructure is a concern for industry practitioners. A systematic understanding of how dynamic analysis can be used for securing Kubernetes deployments can aid practitioners in securing their Kubernetes deployments. We present an experience report in which we describe empirical findings from three dynamic application security testing (DAST) tools applied to a Kubernetes deployment used by ‘Company-Z’. From our empirical study, we find (i) 3,442 recommended security configurations are violated in ‘Company-Z’s’ Kubernetes deployment; and (ii) of the three studied DAST tools, Kubescape and Kubebench provide the highest support with respect to detecting 14 types of recommended security configurations. Based on our findings, we recommend that practitioners apply DAST tools to their Kubernetes deployments, and that security researchers investigate how to detect configuration violations dynamically in Kubernetes deployments.


On Prescription or Off Prescription?: An Empirical Study of Community-prescribed Security Configurations for Kubernetes

Published in IEEE/ACM International Conference on Software Engineering (ICSE) 2025, 2025

Despite being beneficial for rapid delivery of software, Kubernetes deployments can be susceptible to security attacks, which can cause serious consequences. A systematic characterization of community-prescribed security configurations, i.e., security configurations that are recommended by security experts, can aid practitioners in securing their Kubernetes deployments. To that end, we conduct an empirical study with 53 security configurations recommended by the Center for Internet Security (CIS), 20 survey respondents, and 544 configuration files obtained from the open source software (OSS) and proprietary domains. From our empirical study, we observe: (i) practitioners can be unaware of prescribed security configurations, as 5% ~ 40% of the survey respondents are unfamiliar with 16 prescribed configurations; and (ii) for Company-A and OSS respectively, 18.0% and 17.9% of the configuration files include at least one violation of prescribed configurations. From our evaluation with 5 static application security testing (SAST) tools, we find (i) only Kubescape supports all of the prescribed security configuration categories; (ii) the highest observed precision is 0.41 and 0.43, respectively, for the Company-A and OSS datasets; and (iii) the highest observed recall is 0.53 and 0.65, respectively, for the Company-A and OSS datasets. Our findings show a disconnect between what CIS experts recommend for Kubernetes-related configurations and what happens in practice. We conclude the paper by providing recommendations for practitioners and researchers. The dataset used for the paper is publicly available online.


Authentic Learning Exercise for Kubernetes Misconfigurations: An Experience Report of Student Perceptions

Published in IEEE Conference on Software Engineering Education and Training (CSEE&T) 2025, 2025

Kubernetes has become a popular tool for automated container orchestration. Despite reported benefits, practitioners report that the secure configuration of Kubernetes is one of their primary challenges. Moreover, there is a significant skill shortage of Kubernetes security experts. Understanding misconfigurations in Kubernetes can help practitioners prevent security incidents. We systematically investigate whether authentic learning can help students learn about misconfigurations in Kubernetes. We conduct an authentic learning exercise and collect responses from 295 students. Based on responses from the students, we find (i) students who have little to no experience in cybersecurity, software quality assurance, or static analysis perceived the authentic learning exercise as useful for learning about misconfigurations in Kubernetes, and (ii) students' perceptions of the authentic learning exercise activities vary based on educational background. We conclude our paper with recommendations for instructors and researchers.


2023

Security Misconfigurations in Open Source Kubernetes Manifests: An Empirical Study

Published in Journal of ACM Transactions on Software Engineering and Methodology (TOSEM), 2023

Context: Kubernetes has emerged as the de facto tool for automated container orchestration. Business and government organizations are increasingly adopting Kubernetes for automated software deployments. Kubernetes is being used to provision applications in a wide range of domains, such as time series forecasting, edge computing, and high performance computing. Due to such a pervasive presence, Kubernetes-related security misconfigurations can cause large-scale security breaches. Thus, a systematic analysis of security misconfigurations in Kubernetes manifests, i.e., configuration files used for Kubernetes, can help practitioners secure their Kubernetes clusters. Objective: The goal of this paper is to help practitioners secure their Kubernetes clusters by identifying security misconfigurations that occur in Kubernetes manifests. Methodology: We conduct an empirical study with 2,039 Kubernetes manifests mined from 92 open-source software repositories to systematically characterize security misconfigurations in Kubernetes manifests. We also construct a static analysis tool called Security Linter for Kubernetes Manifests (SLI-KUBE) to quantify the frequency of the identified security misconfigurations. Results: In all, we identify 11 categories of security misconfigurations, such as absent resource limit, absent securityContext, and activation of hostIPC. Specifically, we identify 1,051 security misconfigurations in 2,039 manifests. We also observe that the identified security misconfigurations affect entities that perform mesh-related load balancing, as well as entities that provision pods and stateful applications. Furthermore, practitioners agreed to fix 60% of the 10 misconfigurations reported by us. Conclusion: Our empirical study shows that Kubernetes manifests include security misconfigurations, which necessitates security-focused code reviews and the application of static analysis when Kubernetes manifests are developed.


2022

Benefits, challenges, and research topics: A multi-vocal literature review of Kubernetes

Published in ArXiv, 2022

Context: Kubernetes is an open source software that helps in automated deployment of software and orchestration of containers. With Kubernetes, IT organizations such as IBM, Pinterest, and Spotify have experienced an increase in release frequency. Objective: The goal of this paper is to inform practitioners and researchers about the benefits and challenges of Kubernetes usage by conducting a multi-vocal literature review of Kubernetes. Methodology: We conduct a multi-vocal literature review (MLR) in which we use 321 Kubernetes-related Internet artifacts to identify benefits and challenges perceived by practitioners. In our MLR, we also analyze 105 peer-reviewed publications to identify the research topics addressed by the research community. Findings: We find 8 benefits, which include service level objective (SLO)-based scalability and self-healing containers. Our identified 15 challenges related to Kubernetes include unavailability of diagnostics and security tools and attack surface reduction. We observe researchers addressing 14 research topics related to Kubernetes, which include efficient resource utilization. We also identify 9 challenges that are under-explored in research publications, which include cultural change, hardware compatibility, learning curve, maintenance, and testing.


Can We use Authentic Learning to Educate Students About Secure Infrastructure as Code Development?

Published in 27th ACM Conference on Innovation and Technology in Computer Science Education (ITiCSE) 2022, 2022

Despite yielding benefits for organizations, infrastructure as code (IaC) scripts are susceptible to security weaknesses, such as hard-coded passwords. The existence of such security weaknesses necessitates the integration of education materials related to secure development of IaC scripts. In this preliminary work, we describe our experiences of how the application of authentic learning helped students learn about secure development of IaC scripts. Our paper shows that education materials based on authentic learning help students learn about secure IaC development.


2021

On Prescription or Off Prescription?: An Empirical Study of Community-prescribed Security Configurations for Kubernetes

Published in Proceedings of the 29th ACM joint meeting on European software engineering conference and symposium on the foundations of software engineering, 2021

Kubernetes is an open-source software system that helps practitioners in automatically deploying, scaling, and managing containerized applications. Information technology (IT) organizations, such as IBM, Spotify, and Capital One, use Kubernetes to manage their containers and have reported benefits in the deployment process. However, recent security breaches and survey results among practitioners suggest that Kubernetes deployments can be vulnerable to attacks due to misconfiguration and failure to follow security best practices. This research explores how malicious users can perform potential security exploits by taking advantage of violations of Kubernetes security best practices. We explore how attacks, such as denial of service attacks, can be conducted against one of the security best practice violations in Kubernetes manifests. In addition, we are exploring potential exploits in the Kubernetes cluster in order to propose mitigation strategies to secure the Kubernetes cluster.


‘Under-reported’ Security Defects in Kubernetes Manifests

Published in 2nd International Workshop on Engineering and Cybersecurity of Critical Systems (EnCyCriS), co-located with the 43rd International Conference on Software Engineering (ICSE), 2021

Kubernetes, a container orchestration tool, is reported to help industry practitioners in automated management of cloud infrastructure and rapid deployment of software services. Despite reported benefits, Kubernetes installations are susceptible to security defects, as occurred at Tesla in 2018. Understanding how frequently security defects appear in Kubernetes installations can help cybersecurity researchers investigate security-related vulnerabilities for Kubernetes and generate security best practices to avoid them. In this position paper, we first quantify how frequently security defects appear in Kubernetes manifests, i.e., configuration files that are used to install and manage Kubernetes. Next, we lay out a list of future research directions that researchers can pursue.


2020

A Curated Dataset of Security Defects in Scientific Software Projects

Published in 7th Annual Hot Topics in the Science of Security (HoTSoS) Symposium, 2020

The cybersecurity research community might benefit from a curated dataset where commits mined from scientific software projects are labeled as security defects. We constructed a curated security defect dataset by mining 7,024 commits from 20 scientific software projects. Our dataset can be beneficial for cybersecurity researchers in two ways: (i) use the dataset to conduct security defect categorization and prediction research; and (ii) find undiscovered security defects in scientific software projects.


XI Commandments of Kubernetes Security: A Systematization of Knowledge Related to Kubernetes Security Practices

Published in IEEE Secure Development Conference (SecDev), 2020

Kubernetes is open-source software for automating the management of computerized services. Organizations such as IBM, Capital One, and Adidas use Kubernetes to deploy and manage their containers, and have reported benefits related to deployment frequency. Despite reported benefits, Kubernetes deployments are susceptible to security vulnerabilities, such as those that occurred at Tesla in 2018. A systematization of Kubernetes security practices can help practitioners mitigate vulnerabilities in their Kubernetes deployments. The goal of this paper is to help practitioners secure their Kubernetes installations through a systematization of knowledge related to Kubernetes security practices. We systematize knowledge by applying qualitative analysis to 104 Internet artifacts. We identify 11 security practices, which include (i) implementation of role-based access control (RBAC) authorization to provide least privilege, (ii) applying security patches to keep Kubernetes updated, and (iii) implementing pod- and network-specific security policies.
