Do you write secure code?

At CERN, we are excellent at producing software, such as complex analysis jobs, sophisticated control programs, extensive monitoring tools, interactive web applications, etc. This software is usually highly functional, and fulfils the needs and requirements as defined by its author. However, due to time constraints or unintentional ignorance, security aspects are often neglected. Subsequently, it was even more embarrassing for the author to find out that his code was flawed and had been used to break into CERN computers or web pages, or to steal data…

 

Thus, if you have the pleasure or task of producing software applications, take some time beforehand to familiarize yourself with good programming practices. They should not only prevent basic security flaws in your code, but also improve its readability, maintainability and efficiency. Basic rules for good programming, as well as essential books on proper software development, can be found in the section for software developers on our security web page. You can also easily test your software yourself. Check the warnings of your compiler thoroughly, and run one of our suggested static code analysers. In addition, the HR technical training provides an excellent course on secure programming in Java, C++, Python, Perl, and web languages. The next one-day, hands-on courses are on securing PHP, Java, and Web applications (September 27th, 28th, and 29th, respectively), as well as on secure programming in Python (October 28th). There are still places available! Finally, do not hesitate to contact Computer.Security@cern.ch if you prefer an external review of your software!

 

So, how about your skills in writing secure software?

If you want to win one of three marvellous books on software security, please check the short program below and send in the programming flaws you have identified by 12 September to Computer.Security@cern.ch:

    /* Safely Exec program: drop privileges to user uid and group
     * gid, and use chroot to restrict file system access to jail
     * directory. Also, don't allow program to run as a
     * privileged user or group */
    void ExecUid(int uid, int gid, char *jailDir, char *prog, char *const argv[])
    {
        if (uid == 0 || gid == 0) {
            FailExit("ExecUid: root uid or gid not allowed");
        }

        chroot(jailDir); /* restrict access to this dir */

        setuid(uid); /* drop privs */
        setgid(gid);

        fprintf(LOGFILE, "Execvp of %s as uid=%d gid=%d\n", prog, uid, gid);
        fflush(LOGFILE);

        execvp(prog, argv);
    }

(Courtesy of Barton Miller, University of Wisconsin, Madison, US)

Of course, if you have questions, suggestions or comments, please contact Computer.Security@cern.ch or visit us at http://cern.ch/security.

 

by Computer Security Team