Computer Security: How to succeed in software deployment

The summer student period has ended and we would like to congratulate all those who successfully accomplished their project! In particular, well done to those who managed to develop and deploy sophisticated web applications in the short summer season. Unfortunately, not all web applications made the final cut, moved into production and became visible on the Internet. We had to reject some... let me explain why.


Making a web application visible on the Internet requires an opening in the CERN outer perimeter firewall. Such a request is usually made through the CERN WebReq web interface. As standard procedure, the CERN Computer Security team reviews every request and performs a security assessment. This is where you, your supervisee and the Computer Security team all start to get frustrated. Many summer students delivered awesome web applications with great new functions and a good “look and feel”, following precise use cases and using modern web technologies: dashboards, integrated feeds, dynamic actions in response to clicks or mouse-over, etc. But in many cases, a deeper look raised some security concerns:

  • Web applications providing access to local accounts through a login button: given that the application was intended for CERN people, why wasn’t it integrated with CERN’s Single Sign-On?
  • Login pages using “HTTP”: an encrypted protocol (“HTTPS”) should have been used in order to protect passwords.
  • Web pages susceptible to the usual web vulnerabilities (SQL injection, cross-site scripting and the like), allowing protected information to be extracted or commands to be injected: no input validation, and no sanitisation or encoding of what is sent back to the database or the browser.
  • Web servers running outdated operating system versions or web applications: who will keep them up to date in the future? How?
  • Server hardware hidden under office desks or on personal laptops: who will own and maintain them in the future?
  • Use of technologies similar to those provided by the IT Department: there is no need to reinvent the wheel...
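The injection and plain-HTTP findings above, each next to its fix, as an added example that is not code from the Bulletin article or from any CERN project. The SQLite user table, the sample accounts and the function names are assumptions made for this illustration; the applications the article refers to are not shown.

```python
"""Added example (not from the CERN Bulletin article): common findings of a
web application security assessment, each next to its fix.

Assumptions, not taken from the article: a SQLite user table and the
hypothetical function names below stand in for whatever the student
applications actually used.
"""
import html
import re
import sqlite3

# Allow-list for usernames: lower-case letters, digits, '_', '.', '-'.
USERNAME_RE = re.compile(r"[a-z0-9_.-]{1,32}")


def make_db() -> sqlite3.Connection:
    """Constructed sample data; not a real account database."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, email TEXT, secret TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?, ?)",
        [("alice", "alice@example.org", "alice-token"),
         ("bob", "bob@example.org", "bob-token")],
    )
    return conn


# Finding: commands can be injected, protected information extracted.
def lookup_vulnerable(conn: sqlite3.Connection, name: str) -> list:
    """Builds the SQL text from the request parameter, so the parameter can
    rewrite the query, e.g. name = "' UNION SELECT name, secret FROM users --"
    returns every user's secret instead of one e-mail address."""
    query = f"SELECT name, email FROM users WHERE name = '{name}'"
    return conn.execute(query).fetchall()


def lookup_fixed(conn: sqlite3.Connection, name: str) -> list:
    """Binds the parameter: the driver passes the value separately from the
    statement, so it cannot change the statement's structure."""
    return conn.execute(
        "SELECT name, email FROM users WHERE name = ?", (name,)
    ).fetchall()


# Finding: no input validation or sanitisation.
def validate_username(name: str) -> bool:
    """Allow-list check applied before the value reaches any query or page."""
    return USERNAME_RE.fullmatch(name) is not None


def greeting_vulnerable(name: str) -> str:
    """Reflects the parameter into HTML unescaped: script injection (XSS)."""
    return f"<p>Hello {name}</p>"


def greeting_fixed(name: str) -> str:
    """Encodes on output so the browser renders the text as text."""
    return f"<p>Hello {html.escape(name)}</p>"


# Finding: login pages served over plain HTTP.
def login_response(scheme: str, host: str, path: str) -> tuple:
    """Refuses to accept a password over HTTP: redirects to HTTPS instead and,
    once on HTTPS, tells the browser to stay there (HSTS). In production the
    web server or reverse proxy should enforce this for the whole site rather
    than each application doing it by hand."""
    if scheme != "https":
        return 301, {"Location": f"https://{host}{path}"}
    return 200, {"Strict-Transport-Security": "max-age=31536000"}


if __name__ == "__main__":
    db = make_db()
    payload = "' UNION SELECT name, secret FROM users --"
    print("vulnerable:", lookup_vulnerable(db, payload))   # leaks both secrets
    print("fixed:     ", lookup_fixed(db, payload))        # no such user: []
    print("validated: ", validate_username(payload))       # False
    print(greeting_fixed("<script>alert(1)</script>"))
    print(login_response("http", "app.example.org", "/login"))
```

Run the file directly to see the vulnerable lookup return every user's secret while the parameterised one returns nothing for the same input. The allow-list check is the first line of defence, but it is not a substitute for parameter binding and output encoding: the two fixes belong together, and the HTTPS redirect belongs in the web server's configuration.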


It is a pity that such projects sometimes (seem to) start without properly consulting IT experts. The CERN Computer Security team is ready to provide you with such consultation, perform penetration testing, assess the security footprint of new systems and audit existing deployments. We can help you choose the appropriate technologies and assist you in system design (of course, you will still do most of the work). As we said in an earlier Bulletin article (“Stop fighting alone, let synergy rule!”), the IT Department provides a long list of centrally supported applications and services. Instead of managing and patching your server hardware yourself, you can obtain a centrally managed server or virtual machine that is kept up to date by the IT Department. They also provide centrally managed web servers, content management systems, databases, file storage systems and engineering applications that are properly managed, adequately secured and maintained in the long term. That lets you and your supervisees delegate the responsibility for keeping the platform secure and patched to the IT Department and avoid the burden of managing it yourselves (and possibly failing). The application code itself remains yours to write securely, but your supervisees can then focus on their core work and deliver a great project that will make it into production to the benefit of users inside and outside CERN!

Finally, dedicated training also helps (“Improve software, avoid blunder”), and the CERN training catalogue offers a variety of dedicated training courses for software developers. All you need to do is sign up your supervisees!


Check out our website for further information, answers to your questions and help, or e-mail Computer.Security@cern.ch.

If you want to learn more about computer security incidents and issues at CERN, just follow our Monthly Report.


Access the entire collection of Computer Security articles here.

by Computer Security Team