Computer Security: the security marathon, part 2
Do you recall our latest article on the “Security Marathon” (see here) and why it’s wrong to believe that computer security is a sprint, that a quick hack is invulnerable, that quick bug-fixing is sufficient, that plugging security measures on top of existing structures is a good idea, that once you are secure, your life is cosy?
In fact, security is a marathon for us too. Again and again, we have felt comfortable with the security situation at CERN, with dedicated protections deployed on individual hosts, with the security measures deployed by individual service managers, with the attentiveness and vigilance of our users, and with the responsiveness of the Management. Again and again, however, we subsequently detect or receive reports that this is wrong, that protections are incomplete, that security measures are incomplete, that security awareness has dropped. Thus, unfortunately, we often have to go back to square one and address similar issues over and over again with the same people.
So, security is a marathon. Sometimes it is even like a marathon combined with hurdles on a balance beam: you have to dodge obstacles and are doomed if you get the balance wrong. Like every other marathon, security requires lots of external assistance and support. On the other hand, it also demands a high frustration threshold, some stubbornness and a lot of perseverance. And as an apology to all those whom we have pushed too hard - the balance beam is sometimes very thin, so please have mercy! Let us continue together protecting CERN’s computing facilities and keeping them secure. Please do not repeat the same mistakes made in the past; there will be plenty of opportunities to make new ones. If you run a computing service or develop software (who doesn’t nowadays?), please:
- Do not reinvent the wheel. Make your life easier and use the central services provided by the IT Department;
- Get adequate training for your favourite programming language;
- Program properly and deploy a thorough software development life-cycle;
- Use static code analysers to detect basic flaws in your software;
- Follow our Security Baselines in order to get your service properly set up.
Protect CERN from computer security incidents! Check out our website for further information, answers to your questions and help, or e-mail Computer.Security@cern.ch.
If you want to learn more about computer security incidents and issues at CERN, just follow our Monthly Report.
Access the entire collection of Computer Security articles here.