Comparison
http://m.infoworld.com/d/data-center/review-puppet-vs-chef-vs-ansible-vs-salt-231308
Usage Stats
http://redmonk.com/sogrady/2013/12/06/configuration-management-2013/
Ansible beats Salt on security
https://missingm.co/2013/06/ansible-and-salt-a-detailed-comparison/
Ansible vs Puppet, Chef
http://probably.co.uk/puppet-vs-chef-vs-ansible.html
A search of the MITRE CVE database shows some pretty substantial vulnerabilities in Salt, the most in Puppet (but it is the most widely used and has been out longer), and the least for Ansible:
http://cve.mitre.org/cve/
OK, after all that I lean towards Ansible but need to try it. I like the idea of using a language popular with sys admins vs. a customized language. The agent-less model appeals more from a security and administration standpoint. Agents can't be hacked if they are not there. Push vs. pull can get changes out more quickly. This is having not yet used the tool. But I also know the AWS kids at Amazon use it and love it.
Here are some interesting ideas to try:
Fixing HeartBleed with Ansible
http://www.ansible.com/blog/fixing-heartbleed-with-ansible
Secure MySQL with Ansible
https://coderwall.com/p/yez9yw
Ansible SSH security considerations
http://stackoverflow.com/questions/23704437/security-considerations-when-using-ansible
As noted in previous posts, I am interested in storage of keys separate from data as the number one problem with encryption in companies today. Earlier this year Ansible added a vault feature. It will be interesting to see how this works and if it facilitates this separation.
http://www.ansible.com/blog/2014/02/19/ansible-vault