Well-tested code is the cornerstone of a reliable and robust software stack: nothing is more annoying than a crashing, failing or misbehaving application, the loss of time and service(!) as a result of this, and the cumbersome debugging process to find the origin of the flaw. Not to mention the frustration of the user community. Although the production of bug-free code is impossible due to the complexities of software and the limited skills of most human programmers, reducing the number of bugs and flaws early in the development process significantly lowers debugging costs later. For the sake of software quality, the IT department provides you and your clients with a few simple tools to save precious time and cerebral pain.
Writing perfect code is far from easy and requires a deep knowledge of the programming language(s) being used, plus lots of experience. The introduction of flaws and bugs is inevitable, it happens and will continue to happen to even the most skilled coders among us. But these skilled coders – the Gandalfs of coding – know how to turn the odds in their favour. They follow common best practices on modularity, isolation, simplicity and readability; they validate every bit of input data and discard unreasonable input; they limit the execution scope and reduce the necessary privileges; they choose safe defaults; they know how to keep secrets secret; and they pay attention to compiler messages (e.g. gcc -Wall anyone?) as, very often, compiler warnings flag code that is in a suboptimal state. Ideally, code should compile without any complaints at all.
Want to become a software magician yourself? Easy, if you apply the best practices mentioned above. Even easier if you use CERN’s Gitlab instance as your primary software repository. Its Continuous Integration framework, Gitlab-CI, lets you introduce additional, automatic static code analyses, running on top of your code repository in a very simple way, to ensure that your code is clean of known security issues and bad practices. This is especially efficient when working in groups or teams, because it allows you to focus more on your task, rather than on which tools everyone should use and how. Since you will not need to prepare your testing environment for every change, you will save a lot of time.
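The two ideas above, compiling without warnings and running static analysis automatically on every push, fit together in one Gitlab-CI pipeline. The following `.gitlab-ci.yml` is an added example written for this page, not a configuration taken from the article or from CERN's Gitlab service. It assumes a C project built by a Makefile in the repository root with sources under `src/`, the public `gcc:13` Docker image (Debian-based, so `apt-get` and `make` are available), and cppcheck as the static analyser; the article names no particular tool, so that choice is an illustration only.

```yaml
# .gitlab-ci.yml (added example; assumptions: Makefile at the repo root,
# sources in src/, public gcc:13 image, cppcheck as the analyser)
image: gcc:13

stages:
  - build
  - analyse

variables:
  # -Wall/-Wextra surface the suboptimal code the article talks about;
  # -Werror turns every such warning into a failed job instead of a
  # message that scrolls past unread in the build log.
  CFLAGS: "-Wall -Wextra -Werror -O2"

build-warnings-clean:
  stage: build
  script:
    - make CFLAGS="$CFLAGS"

static-analysis:
  stage: analyse
  before_script:
    - apt-get update
    - apt-get install -y --no-install-recommends cppcheck
  script:
    # --enable widens the checks beyond plain errors; --error-exitcode=1
    # makes any finding fail the job, so a merge request with a flagged
    # issue shows up red rather than being left to a manual review.
    - cppcheck --enable=warning,style,performance --error-exitcode=1 --inline-suppr src/
  # Keep the job blocking: a failing analyser should block the pipeline,
  # not be marked "allowed to fail" and ignored.
  allow_failure: false
```

Every push then produces two verdicts without anyone on the team having to remember which flags or tools to run locally: the build job fails on the first compiler warning, and the analysis job fails on the first cppcheck finding. Pinning the image tag (rather than `gcc:latest`) keeps the results reproducible across runs, and suppressions for genuine false positives are kept in the source next to the code they concern (`--inline-suppr`), where a reviewer can see and question them.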
All these static code analysis tools are also available for download. If you are interested in finding out how to better secure your website – in particular if it is directly exposed to the Internet – see our recommendations and our tools for Oracle/APEX. Remember that one of the basics is simple: consider using CERN IT’s central web service!
And of course there are many other opportunities to improve your software. The Computer Security team, in collaboration with CERN’s Technical Training team, has arranged several different “Secure Coding” courses on web development and good programming practices. For those who want to learn “hacking”, we provide regular hands-on capture-the-flag courses where you can learn to become a penetration tester. Join our WhiteHat Challenge in September 2017! And if you prefer a book, here is a list of further reading on the subject.
Do you want to learn more about computer security incidents and issues at CERN? Follow our Monthly Report. For further information, questions or help, visit our website or contact us at Computer.Security@cern.ch.