Bad coding practices in playbooks

Hello everyone!

Recently, I’ve found some academic research about bad coding practices in
infrastructure as code scripts which can lead to security issues. I found it
interesting, but I noticed that the practices the researchers pointed out aren’t
specific to infrastructure as code applications, but general to any kind of
programming language or application. So I wonder if there is any specific
material available, especially for newcomers, talking about bad practices,
especially the ones that can lead to security weaknesses.

The research was this one: https://akondrahman.github.io/papers/icse19_slic.pdf

See the links which address the weaknesses listed in the paper:

* admin by default
  "Understanding privilege escalation"
  https://docs.ansible.com/ansible/latest/user_guide/become.html#understanding-privilege-escalation-become

* empty password; hard-coded secret
  "Ansible Vault"
  https://docs.ansible.com/ansible/latest/user_guide/vault.html#ansible-vault

* invalid IP address binding
  "ipaddr filter"
  https://docs.ansible.com/ansible/devel/user_guide/playbooks_filters_ipaddr.html#ipaddr-filter

* suspicious comment
  "Ansible Lint"
  https://docs.ansible.com/ansible-lint/#ansible-lint-documentation

* use of HTTP without TLS
  "Connection Plugins"
  https://docs.ansible.com/ansible/latest/plugins/connection.html#connection-plugins

* and use of weak cryptography algorithms
  "OpenSSH"
  https://www.openssh.com/

Then you might want to proceed to "SCAP"
https://www.open-scap.org/security-policies/scap-security-guide/
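
Added example, not part of the thread and not the paper's own tooling: a minimal line-based scanner that flags the seven weaknesses listed above in a constructed playbook. The regexes, the sample playbook, and the reading of "invalid IP address binding" as binding to 0.0.0.0 are assumptions made for illustration.

```python
import re

# Constructed sample playbook (not from the thread): one line per smell,
# plus a templated secret that must not be flagged.
SAMPLE_PLAYBOOK = '''\
- hosts: web
  vars:
    db_user: root
    db_password: ""
    api_token: "s3cr3t-value"
    checksum_algo: md5
  tasks:
    # TODO: tighten firewall rules later
    - name: Fetch package
      get_url:
        url: http://example.com/app.tar.gz
        dest: /tmp/app.tar.gz
    - name: Configure listener
      lineinfile:
        path: /etc/app.conf
        line: "bind 0.0.0.0"
    - name: Vaulted value is not flagged
      debug:
        msg: "{{ vault_db_password }}"
'''

# Hypothetical patterns, keyed by the smell names used in the list above.
RULES = [
    ("admin by default", r"\w*user\w*\s*:\s*[\"']?(root|admin)[\"']?\s*$"),
    ("empty password", r"\w*(password|passwd|pwd)\w*\s*:\s*(\"\"|'')?\s*$"),
    # A literal value; Jinja2 templates ({{ ... }}) and !vault tags are skipped.
    ("hard-coded secret",
     r"\w*(password|passwd|secret|token)\w*\s*:\s*[\"']?(?!\{\{|!vault)[^\s\"']"),
    ("invalid IP address binding", r"\b0\.0\.0\.0\b"),
    ("suspicious comment", r"#.*\b(TODO|FIXME|HACK|BUG)\b"),
    ("use of HTTP without TLS", r"\bhttp://"),
    ("use of weak cryptography algorithms", r"\b(md5|sha1)\b"),
]
COMPILED = [(name, re.compile(rx, re.IGNORECASE)) for name, rx in RULES]

def scan(text):
    """Return (line_number, smell) pairs for every rule that matches a line."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        findings += [(lineno, name) for name, rx in COMPILED if rx.search(line)]
    return findings

if __name__ == "__main__":
    for lineno, smell in scan(SAMPLE_PLAYBOOK):
        print(f"line {lineno}: {smell}")
```

Line-based matching like this produces false positives and misses multi-line values, so treat hits as review prompts rather than verdicts.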

Thank you for the links! It’s not exactly what I was looking for, but it’s very useful anyway. My question is whether there are other bad practices that are more related to infrastructure as code scripts or to Ansible playbooks. Is there any kind of special care we should take when working with this kind of code, or is it just the same as general web applications?