{"status":"ok","message-type":"work","message-version":"1.0.0","message":{"indexed":{"date-parts":[[2026,6,3]],"date-time":"2026-06-03T15:54:52Z","timestamp":1780502092678,"version":"3.54.1"},"reference-count":68,"publisher":"Springer Science and Business Media LLC","issue":"5","license":[{"start":{"date-parts":[[2025,6,5]],"date-time":"2025-06-05T00:00:00Z","timestamp":1749081600000},"content-version":"tdm","delay-in-days":0,"URL":"https:\/\/www.springernature.com\/gp\/researchers\/text-and-data-mining"},{"start":{"date-parts":[[2025,6,5]],"date-time":"2025-06-05T00:00:00Z","timestamp":1749081600000},"content-version":"vor","delay-in-days":0,"URL":"https:\/\/www.springernature.com\/gp\/researchers\/text-and-data-mining"}],"content-domain":{"domain":["link.springer.com"],"crossmark-restriction":false},"short-container-title":["Empir Software Eng"],"published-print":{"date-parts":[[2025,9]]},"DOI":"10.1007\/s10664-025-10672-8","type":"journal-article","created":{"date-parts":[[2025,6,5]],"date-time":"2025-06-05T04:41:13Z","timestamp":1749098473000},"update-policy":"https:\/\/doi.org\/10.1007\/springer_crossmark_policy","source":"Crossref","is-referenced-by-count":7,"title":["Vulnerabilities in infrastructure as code: what, how many, and who?"],"prefix":"10.1007","volume":"30","author":[{"ORCID":"https:\/\/orcid.org\/0009-0009-1854-0615","authenticated-orcid":false,"given":"Aicha","family":"War","sequence":"first","affiliation":[],"role":[{"vocabulary":"crossref","role":"author"}]},{"ORCID":"https:\/\/orcid.org\/0009-0007-7845-1695","authenticated-orcid":false,"given":"Alioune","family":"Diallo","sequence":"additional","affiliation":[],"role":[{"vocabulary":"crossref","role":"author"}]},{"ORCID":"https:\/\/orcid.org\/0000-0002-5857-1864","authenticated-orcid":false,"given":"Andrew","family":"Habib","sequence":"additional","affiliation":[],"role":[{"vocabulary":"crossref","role":"author"}]},{"ORCID":"https:\/\/orcid.org\/0000-0003-4052-475X","authenticated-orcid":false,"given":"Jacques","family":"Klein","sequence":"additional","affiliation":[],"role":[{"vocabulary":"crossref","role":"author"}]},{"ORCID":"https:\/\/orcid.org\/0000-0001-7270-9869","authenticated-orcid":false,"given":"Tegawend\u00e9 F.","family":"Bissyand\u00e9","sequence":"additional","affiliation":[],"role":[{"vocabulary":"crossref","role":"author"}]}],"member":"297","published-online":{"date-parts":[[2025,6,5]]},"reference":[{"key":"10672_CR1","doi-asserted-by":"crossref","unstructured":"Afaneh S, Al-Mousa MR, Al-hamid HS, Bara\u2019h\u00a0Suliman A-A, Alia M, Almimi H, Alkhatib AA (2023) Security challenges review in agile and devops practices. In: 2023 International conference on information technology (ICIT). IEEE, pp 102\u2013107","DOI":"10.1109\/ICIT58056.2023.10226018"},{"key":"10672_CR2","doi-asserted-by":"crossref","unstructured":"Ahmed Z, Francis SC (2019) Integrating security with devsecops: techniques and challenges. In: 2019 International Conference on digitization (ICD). IEEE, pp 178\u2013182","DOI":"10.1109\/ICD47981.2019.9105789"},{"key":"10672_CR3","doi-asserted-by":"publisher","first-page":"106894","DOI":"10.1016\/j.infsof.2022.106894","volume":"147","author":"MA Akbar","year":"2022","unstructured":"Akbar MA, Smolander K, Mahmood S, Alsanad A (2022) Toward successful devsecops in software development organizations: A decision-making framework. Inf Softw Technol 147:106894","journal-title":"Inf Softw Technol"},{"issue":"10","key":"10672_CR4","doi-asserted-by":"publisher","first-page":"13","DOI":"10.1016\/S1361-3723(20)30109-3","volume":"2020","author":"S Almuairfi","year":"2020","unstructured":"Almuairfi S, Alenezi M (2020) Security controls in infrastructure as code. Comput Fraud Secur 2020(10):13\u201319","journal-title":"Comput Fraud Secur"},{"key":"10672_CR5","doi-asserted-by":"crossref","unstructured":"Armenise V (2015) Continuous delivery with jenkins: Jenkins solutions to implement continuous delivery. In: 2015 IEEE\/ACM 3rd International Workshop on Release Engineering. IEEE, pp 24\u201327","DOI":"10.1109\/RELENG.2015.19"},{"issue":"6","key":"10672_CR6","doi-asserted-by":"publisher","first-page":"1333","DOI":"10.3390\/electronics12061333","volume":"12","author":"\u00d6 Aslan","year":"2023","unstructured":"Aslan \u00d6, Aktu\u011f SS, Ozkan-Okay M, Yilmaz AA, Akin E (2023) A comprehensive review of cyber security vulnerabilities, threats, attacks, and solutions. Electronics 12(6):1333","journal-title":"Electronics"},{"key":"10672_CR7","doi-asserted-by":"crossref","unstructured":"Bila N, Dettori P, Kanso A, Watanabe Y, Youssef A (2017) Leveraging the serverless architecture for securing linux containers. In: 2017 IEEE 37th international conference on distributed computing systems workshops (ICDCSW). IEEE, pp 401\u2013404","DOI":"10.1109\/ICDCSW.2017.66"},{"key":"10672_CR8","doi-asserted-by":"publisher","unstructured":"Bird C, Nagappan N, Murphy B, Gall H, Devanbu P (2011) Don\u2019t touch my code! examining the effects of ownership on software quality. In: Proceedings of the 19th ACM SIGSOFT symposium and the 13th european conference on foundations of software engineering. ESEC\/FSE \u201911. Association for Computing Machinery, New York, NY, USA, pp 4\u201314. https:\/\/doi.org\/10.1145\/2025113.2025119","DOI":"10.1145\/2025113.2025119"},{"key":"10672_CR9","doi-asserted-by":"crossref","unstructured":"Cadar C, Donaldson AF (2016) Analysing the program analyser. In: Proceedings of the 38th international conference on software engineering companion, pp 765\u2013768","DOI":"10.1145\/2889160.2889206"},{"issue":"1","key":"10672_CR10","first-page":"106","volume":"3","author":"NG Camacho","year":"2024","unstructured":"Camacho NG (2024) Unlocking the potential of ai\/ml in devsecops: effective strategies and optimal practices. J Artif Intell Gen Sci (JAIGS) 3(1):106\u2013115","journal-title":"J Artif Intell Gen Sci (JAIGS)"},{"key":"10672_CR11","doi-asserted-by":"crossref","unstructured":"Cankar M, Petrovic N, Pita\u00a0Costa J, Cernivec A, Antic J, Martincic T, Stepec D (2023) Security in devsecops: applying tools and machine learning to verification and monitoring steps. In: Companion of the 2023 ACM\/SPEC international conference on performance engineering, pp 201\u2013205","DOI":"10.1145\/3578245.3584943"},{"key":"10672_CR12","doi-asserted-by":"publisher","unstructured":"Cankar M, Petrovic N, Pita\u00a0Costa J, Cernivec A, Antic J, Martincic T, Stepec D (2023) Security in devsecops: applying tools and machine learning to verification and monitoring steps. In: Companion of the 2023 ACM\/SPEC international conference on performance engineering. ICPE \u201923 Companion, pp. 201\u2013205. Association for Computing Machinery, New York, NY, USA. https:\/\/doi.org\/10.1145\/3578245.3584943","DOI":"10.1145\/3578245.3584943"},{"key":"10672_CR13","unstructured":"Castro\u00a0S\u00e1nchez JE (2020) Devsecops: implementaci\u00f3n de seguridad en devops a trav\u00e9s de herramientas open source"},{"key":"10672_CR14","doi-asserted-by":"crossref","unstructured":"Cepuc A, Botez R, Craciun O, Ivanciu I-A, Dobrota V (2020) Implementation of a continuous integration and deployment pipeline for containerized applications in amazon web services using jenkins, ansible and kubernetes. In: 2020 19th RoEduNet Conference: Networking in Education and Research (RoEduNet). IEEE, pp 1\u20136","DOI":"10.1109\/RoEduNet51892.2020.9324857"},{"key":"10672_CR15","doi-asserted-by":"crossref","unstructured":"Chang Y-Y, Zavarsky P, Ruhl R, Lindskog D (2011) Trend analysis of the cve for software vulnerability management. In: 2011 IEEE Third international conference on privacy, Security, Risk and Trust and 2011 IEEE Third International Conference on Social Computing. IEEE, pp 1290\u20131293","DOI":"10.1109\/PASSAT\/SocialCom.2011.184"},{"issue":"9","key":"10672_CR16","first-page":"1943","volume":"47","author":"Z Chen","year":"2019","unstructured":"Chen Z, Kommrusch S, Tufano M, Pouchet L-N, Poshyvanyk D, Monperrus M (2019) Sequencer: sequence-to-sequence learning for end-to-end program repair. IEEE Trans Softw Eng 47(9):1943\u20131959","journal-title":"IEEE Trans Softw Eng"},{"key":"10672_CR17","doi-asserted-by":"crossref","unstructured":"Cottrell N, Cottrell N (2020) Deployment and monitoring. MongoDB Topology Design: Scalability, Security, and Compliance on a Global Scale, 151\u2013171","DOI":"10.1007\/978-1-4842-5817-0_7"},{"key":"10672_CR18","doi-asserted-by":"publisher","first-page":"100234","DOI":"10.1109\/ACCESS.2023.3315595","volume":"11","author":"DB Cruz","year":"2023","unstructured":"Cruz DB, Almeida JR, Oliveira JL (2023) Open source solutions for vulnerability assessment: a comparative analysis. IEEE Access 11:100234\u2013100255","journal-title":"IEEE Access"},{"key":"10672_CR19","unstructured":"Di\u00a0Stasio V (2022) Evaluation of static security analysis tools on open source distributed applications. PhD thesis, Politecnico di Torino"},{"key":"10672_CR20","unstructured":"Druta R, Botosan-Bora N, Iovan M, Cruzes DS An analysis of infrastructure as code security in an industrial setting. SSRN 4461951"},{"issue":"1","key":"10672_CR21","first-page":"79","volume":"12","author":"A Elrowayati","year":"2024","unstructured":"Elrowayati A, Fadeel A (2024) Sast tools and manual testing to improve the methodology of vulnerability detection in web applications. Int J Eng Inf Technol (IJEIT) 12(1):79\u201383","journal-title":"Int J Eng Inf Technol (IJEIT)"},{"key":"10672_CR22","volume-title":"Devsecops-agility with security","author":"M Goldschmidt","year":"2016","unstructured":"Goldschmidt M, McKinnon M (2016) Devsecops-agility with security. Technical report, Technical report, Sense of Security"},{"key":"10672_CR23","doi-asserted-by":"publisher","unstructured":"Habib A, Pradel M (2018) How many of all bugs do we find? a study of static bug detectors. In: 2018 33rd IEEE\/ACM international conference on automated software engineering (ASE), pp 317\u2013328. https:\/\/doi.org\/10.1145\/3238147.3238213","DOI":"10.1145\/3238147.3238213"},{"key":"10672_CR24","doi-asserted-by":"publisher","unstructured":"Hasan M, Bhuiyan FA, Rahman A (2020) Testing practices for infrastructure as code, pp 7\u201312. https:\/\/doi.org\/10.1145\/3416504.3424334","DOI":"10.1145\/3416504.3424334"},{"key":"10672_CR25","unstructured":"Hornbeek M (2015) Devops makes security assurance affordable. https:\/\/devops.com\/devops-makes-security-assurance-affordable"},{"key":"10672_CR26","unstructured":"Hortlund A (2021) Security smells in open-source infrastructure as code scripts: a replication study"},{"key":"10672_CR27","unstructured":"Houde L, Jacob D, Rabemanantsoa T, Rey J-F (2021) Gestion automatique d\u2019environnement virtuel (gaev). PhD thesis, INRAE"},{"key":"10672_CR28","doi-asserted-by":"crossref","unstructured":"Ibrahim A, Yousef AH, Medhat W (2022) Devsecops: a security model for infrastructure as code over the cloud. In: 2022 2nd International mobile, intelligent, and ubiquitous computing conference (MIUCC). IEEE, pp 284\u2013288","DOI":"10.1109\/MIUCC55081.2022.9781709"},{"key":"10672_CR29","doi-asserted-by":"crossref","unstructured":"Jin M, Shahriar S, Tufano M, Shi X, Lu S, Sundaresan N, Svyatkovskiy A (2023) Inferfix: end-to-end program repair with llms. In: Proceedings of the 31st ACM joint european software engineering conference and symposium on the foundations of software engineering, pp 1646\u20131656","DOI":"10.1145\/3611643.3613892"},{"key":"10672_CR30","doi-asserted-by":"crossref","unstructured":"Leotta M, Clerissi D, Ricca F, Tonella P (2016) Approaches and tools for automated end-to-end web testing. In: Advances in computers. Elsevier, vol 101, pp 193\u2013237","DOI":"10.1016\/bs.adcom.2015.11.007"},{"issue":"2","key":"10672_CR31","doi-asserted-by":"publisher","first-page":"9","DOI":"10.1145\/3375408.3375410","volume":"38","author":"B Martin","year":"2019","unstructured":"Martin B (2019) Common vulnerabilities enumeration (cve), common weakness enumeration (cwe), and common quality enumeration (cqe) attempting to systematically catalog the safety and security challenges for modern, networked, software-intensive systems. ACM SIGAda Ada Lett 38(2):9\u201342","journal-title":"ACM SIGAda Ada Lett"},{"key":"10672_CR32","doi-asserted-by":"publisher","unstructured":"Mohan V, Othmane LB (2016) Secdevops: is it a marketing buzzword? - mapping research on security in devops. In: 2016 11th International conference on availability, reliability and security (ARES), pp 542\u2013547. https:\/\/doi.org\/10.1109\/ARES.2016.92","DOI":"10.1109\/ARES.2016.92"},{"key":"10672_CR33","doi-asserted-by":"crossref","unstructured":"Mohan V, Othmane LB (2016) Secdevops: is it a marketing buzzword?-mapping research on security in devops. In: 2016 11th International conference on availability, reliability and security (ARES). IEEE, pp 542\u2013547","DOI":"10.1109\/ARES.2016.92"},{"key":"10672_CR34","unstructured":"Morris K (2020) Infrastructure as Code. O\u2019Reilly Media. https:\/\/books.google.lu\/books?id=R24NEAAAQBAJ"},{"key":"10672_CR35","doi-asserted-by":"crossref","unstructured":"Myrbakken H, Colomo-Palacios R (2017) Devsecops: a multivocal literature review. In: Software Process Improvement and Capability Determination: 17th International Conference, SPICE 2017, Palma de Mallorca, Spain, October 4\u20135, 2017, Proceedings. Springer, pp 17\u201329","DOI":"10.1007\/978-3-319-67383-7_2"},{"issue":"2","key":"10672_CR36","doi-asserted-by":"publisher","first-page":"1309","DOI":"10.30574\/ijsra.2024.13.2.2306","volume":"13","author":"O Omoike","year":"2024","unstructured":"Omoike O et al (2024) Devsecops in aws: embedding security into the heart of devops practices. Int J Sci Res Arch 13(2):1309\u20131313","journal-title":"Int J Sci Res Arch"},{"key":"10672_CR37","doi-asserted-by":"publisher","unstructured":"Opdebeeck R, Zerouali A, De\u00a0Roover C (2023) Control and data flow in security smell detection for infrastructure as code: Is it worth the effort? In: 2023 IEEE\/ACM 20th international conference on mining software repositories (MSR), pp 534\u2013545. https:\/\/doi.org\/10.1109\/MSR59073.2023.00079","DOI":"10.1109\/MSR59073.2023.00079"},{"issue":"2","key":"10672_CR38","doi-asserted-by":"publisher","first-page":"176","DOI":"10.60087\/jklst.vol2.n2.p188","volume":"2","author":"N Pakalapati","year":"2023","unstructured":"Pakalapati N, Konidena BK, Mohamed IA (2023) Unlocking the power of ai\/ml in devsecops: strategies and best practices. J Knowl Learn Sci Technol 2(2):176\u2013188","journal-title":"J Knowl Learn Sci Technol"},{"key":"10672_CR39","doi-asserted-by":"publisher","unstructured":"Palix N, Thomas G, Saha S, Calv\u00e8s C, Lawall JL, Muller G (2011) Faults in linux: ten years later. In: ASPLOS 2011 - 16th international conference on architectural support for programming languages and operating systems. ACM, Newport Beach, California, United States, pp 305\u2013318. https:\/\/doi.org\/10.1145\/1950365.1950401https:\/\/hal.archives-ouvertes.fr\/hal-00940355","DOI":"10.1145\/1950365.1950401"},{"key":"10672_CR40","unstructured":"Paloviita O, et a (2022) Infrastructure as code for managed service providers: a case study"},{"key":"10672_CR41","doi-asserted-by":"crossref","unstructured":"Petrovi\u0107 N (2023) Chat gpt-based design-time devsecops. In: 2023 58th International scientific conference on information, communication and energy systems and technologies (ICEST). IEEE, pp 143\u2013146","DOI":"10.1109\/ICEST58410.2023.10187247"},{"key":"10672_CR42","doi-asserted-by":"crossref","unstructured":"Petrovi\u0107 N (2023) Chatgpt-based design-time devsecops","DOI":"10.1109\/ICEST58410.2023.10187247"},{"key":"10672_CR43","doi-asserted-by":"publisher","unstructured":"Rahman A (2018) Anti-patterns in infrastructure as code. In: 2018 IEEE 11th international conference on software testing, verification and validation (ICST), pp 434\u2013435. https:\/\/doi.org\/10.1109\/ICST.2018.00057","DOI":"10.1109\/ICST.2018.00057"},{"key":"10672_CR44","doi-asserted-by":"crossref","unstructured":"Rahman A (2018) Characteristics of defective infrastructure as code scripts in devops. In: 2018 IEEE\/ACM 40th international conference on software engineering: companion (ICSE-Companion), pp 476\u2013479","DOI":"10.1145\/3183440.3183452"},{"key":"10672_CR45","unstructured":"Rahman AAU, Williams LA (2016) Security practices in devops. Proceedings of the symposium and bootcamp on the science of security"},{"issue":"3","key":"10672_CR46","doi-asserted-by":"publisher","first-page":"33","DOI":"10.1109\/MSEC.2021.3065190","volume":"19","author":"A Rahman","year":"2021","unstructured":"Rahman A, Williams L (2021) Different kind of smells: security smells in infrastructure as code scripts. IEEE Secur Priv 19(3):33\u201341. https:\/\/doi.org\/10.1109\/MSEC.2021.3065190","journal-title":"IEEE Secur Priv"},{"issue":"3","key":"10672_CR47","doi-asserted-by":"publisher","first-page":"33","DOI":"10.1109\/MSEC.2021.3065190","volume":"19","author":"A Rahman","year":"2021","unstructured":"Rahman A, Williams L (2021) Different kind of smells: security smells in infrastructure as code scripts. IEEE Secur Priv 19(3):33\u201341","journal-title":"IEEE Secur Priv"},{"issue":"1","key":"10672_CR48","doi-asserted-by":"publisher","first-page":"1","DOI":"10.1145\/3408897","volume":"30","author":"A Rahman","year":"2021","unstructured":"Rahman A, Rahman MR, Parnin C, Williams L (2021) Security smells in ansible and chef scripts: a replication study. ACM Trans Softw Eng Methodol (TOSEM) 30(1):1\u201331","journal-title":"ACM Trans Softw Eng Methodol (TOSEM)"},{"key":"10672_CR49","doi-asserted-by":"publisher","unstructured":"Rahman A, Farhana E, Parnin C, Williams L (2020) Gang of eight: a defect taxonomy for infrastructure as code scripts. In: 2020 IEEE\/ACM 42nd international conference on software engineering (ICSE), pp 752\u2013764. https:\/\/doi.org\/10.1145\/3377811.3380409","DOI":"10.1145\/3377811.3380409"},{"key":"10672_CR50","doi-asserted-by":"crossref","unstructured":"Rahman A, Parnin C, Williams L (2019) The seven sins: Security smells in infrastructure as code scripts. In: 2019 IEEE\/ACM 41st international conference on software engineering (ICSE). IEEE, pp 164\u2013175","DOI":"10.1109\/ICSE.2019.00033"},{"key":"10672_CR51","doi-asserted-by":"publisher","unstructured":"Rahman A, Rahman MR, Parnin C, Williams L (2021) Security smells in ansible and chef scripts: a replication study. ACM Trans Softw Eng Methodol 30(1). https:\/\/doi.org\/10.1145\/3408897","DOI":"10.1145\/3408897"},{"key":"10672_CR52","doi-asserted-by":"crossref","unstructured":"Rajapakse RN, Zahedi M, Babar M. (2021) An empirical analysis of practitioners\u2019 perspectives on security tool integration into devops. In: Proceedings of the 15th ACM\/IEEE international symposium on empirical software engineering and measurement (ESEM), pp 1\u201312","DOI":"10.1145\/3475716.3475776"},{"key":"10672_CR53","doi-asserted-by":"publisher","first-page":"106700","DOI":"10.1016\/j.infsof.2021.106700","volume":"141","author":"RN Rajapakse","year":"2022","unstructured":"Rajapakse RN, Zahedi M, Babar MA, Shen H (2022) Challenges and solutions when adopting devsecops: a systematic review. Inf Softw Technol 141:106700","journal-title":"Inf Softw Technol"},{"key":"10672_CR54","doi-asserted-by":"publisher","unstructured":"Reddy\u00a0Konala PR, Kumar V, Bainbridge D (2023) Sok: static configuration analysis in infrastructure as code scripts. In: 2023 IEEE international conference on cyber security and resilience (CSR), pp 281\u2013288. https:\/\/doi.org\/10.1109\/CSR57506.2023.10224925","DOI":"10.1109\/CSR57506.2023.10224925"},{"issue":"2","key":"10672_CR55","first-page":"89","volume":"1","author":"AK Reddy","year":"2021","unstructured":"Reddy AK, Alluri VRR, Thota S, Ravi CS, Bonam VSM (2021) Devsecops: integrating security into the devops pipeline for cloud-native applications. J Artif Intell Res Appl 1(2):89\u2013114","journal-title":"J Artif Intell Res Appl"},{"key":"10672_CR56","doi-asserted-by":"publisher","unstructured":"Reis S, Abreu R, d\u2019Amorim M, Fortunato D (2023) Leveraging practitioners\u2019 feedback to improve a security linter. In: Proceedings of the 37th IEEE\/ACM international conference on automated software engineering. ASE \u201922. Association for Computing Machinery, New York, NY, USA. https:\/\/doi.org\/10.1145\/3551349.3560419","DOI":"10.1145\/3551349.3560419"},{"key":"10672_CR57","unstructured":"Rodr\u00edguez\u00a0Couto A (2022) Ferramenta para automatizaci\u00f3n de traballos por lotes con apache spark"},{"key":"10672_CR58","doi-asserted-by":"crossref","unstructured":"Saavedra N, Ferreira JF (2022) Glitch: automated polyglot security smell detection in infrastructure as code. In: Proceedings of the 37th IEEE\/ACM international conference on automated software engineering, pp 1\u201312","DOI":"10.1145\/3551349.3556945"},{"key":"10672_CR59","doi-asserted-by":"crossref","unstructured":"S\u00e1nchez-Gord\u00f3n M, Colomo-Palacios R (2020) Security as culture: a systematic literature review of devsecops. In: Proceedings of the IEEE\/ACM 42nd international conference on software engineering workshops, pp 266\u2013269","DOI":"10.1145\/3387940.3392233"},{"key":"10672_CR60","unstructured":"Shackleford D (2017) The devsecops approach to securing your code and your cloud. SANS institute infosec reading room a devsecops playbook"},{"key":"10672_CR61","doi-asserted-by":"crossref","unstructured":"Sokolowski D, Spielmann D, Salvaneschi G (2024) Automated infrastructure as code program testing. IEEE Trans Softw Eng","DOI":"10.1109\/TSE.2024.3393070"},{"key":"10672_CR62","doi-asserted-by":"publisher","first-page":"52976","DOI":"10.1109\/ACCESS.2019.2911732","volume":"7","author":"S Sultan","year":"2019","unstructured":"Sultan S, Ahmad I, Dimitriou T (2019) Container security: issues, challenges, and the road ahead. IEEE Access 7:52976\u201352996","journal-title":"IEEE Access"},{"key":"10672_CR63","doi-asserted-by":"crossref","unstructured":"Tahaei M, Vaniea K (2019) A survey on developer-centred security. In: 2019 IEEE european symposium on security and privacy workshops (EuroS &PW). IEEE, pp 129\u2013138","DOI":"10.1109\/EuroSPW.2019.00021"},{"key":"10672_CR64","doi-asserted-by":"crossref","unstructured":"Thomas TW, Tabassum M, Chu B, Lipford H (2018) Security during application development: an application security expert perspective. In: Proceedings of the 2018 CHI conference on human factors in computing systems, pp 1\u201312","DOI":"10.1145\/3173574.3173836"},{"key":"10672_CR65","unstructured":"Valkeinen M (2022) Cloud infrastructure tools for cloud applications: infrastructure management of multiple cloud platforms. Master\u2019s thesis"},{"key":"10672_CR66","unstructured":"Verdet A, Hamdaqa M, Da\u00a0Silva L, Khomh F (2023) Exploring security practices in infrastructure as code: an empirical study. arXiv:2308.03952"},{"key":"10672_CR67","unstructured":"War A, Habib A, Diallo A, Klein J, Bissyand\u00e9 TF (n.d.) Security Vulnerabilities in Infrastructure as Code: What, How Many, and Who? https:\/\/github.com\/Sherlock0001\/empirical-study-iac.git"},{"key":"10672_CR68","doi-asserted-by":"crossref","unstructured":"Yadav B, Choudhary G, Shandilya SK, Dragoni N (2021) Ai empowered devsecops security for next generation development. In: Frontiers in Software Engineering: First International Conference, ICFSE 2021, Innopolis, Russia, June 17\u201318, 2021, Revised Selected Papers 1. Springer, pp 32\u201346","DOI":"10.1007\/978-3-030-93135-3_3"}],"container-title":["Empirical Software Engineering"],"original-title":[],"language":"en","link":[{"URL":"https:\/\/link.springer.com\/content\/pdf\/10.1007\/s10664-025-10672-8.pdf","content-type":"application\/pdf","content-version":"vor","intended-application":"text-mining"},{"URL":"https:\/\/link.springer.com\/article\/10.1007\/s10664-025-10672-8\/fulltext.html","content-type":"text\/html","content-version":"vor","intended-application":"text-mining"},{"URL":"https:\/\/link.springer.com\/content\/pdf\/10.1007\/s10664-025-10672-8.pdf","content-type":"application\/pdf","content-version":"vor","intended-application":"similarity-checking"}],"deposited":{"date-parts":[[2025,9,13]],"date-time":"2025-09-13T08:53:01Z","timestamp":1757753581000},"score":1,"resource":{"primary":{"URL":"https:\/\/link.springer.com\/10.1007\/s10664-025-10672-8"}},"subtitle":[],"short-title":[],"issued":{"date-parts":[[2025,6,5]]},"references-count":68,"journal-issue":{"issue":"5","published-print":{"date-parts":[[2025,9]]}},"alternative-id":["10672"],"URL":"https:\/\/doi.org\/10.1007\/s10664-025-10672-8","relation":{},"ISSN":["1382-3256","1573-7616"],"issn-type":[{"value":"1382-3256","type":"print"},{"value":"1573-7616","type":"electronic"}],"subject":[],"published":{"date-parts":[[2025,6,5]]},"assertion":[{"value":"5 May 2025","order":1,"name":"accepted","label":"Accepted","group":{"name":"ArticleHistory","label":"Article History"}},{"value":"5 June 2025","order":2,"name":"first_online","label":"First Online","group":{"name":"ArticleHistory","label":"Article History"}},{"order":1,"name":"Ethics","group":{"name":"EthicsHeading","label":"Declarations"}},{"value":"The authors declare that they have no conflict of interest.","order":2,"name":"Ethics","group":{"name":"EthicsHeading","label":"Conflict of Interest"}},{"value":"This study does not involve human participants, animals, or other entities requiring ethical oversight. Consequently, no ethical approval was required.","order":3,"name":"Ethics","group":{"name":"EthicsHeading","label":"Ethical approval"}},{"value":"No human participants were involved in this study, and informed consent was therefore not applicable.","order":4,"name":"Ethics","group":{"name":"EthicsHeading","label":"Informed consent"}}],"article-number":"120"}}