Computer Security: is your code sane?

How many of us write code? Software? Programs? Scripts? How many of us are properly trained in this, and how well do we do it? Do we write functional, clean and correct code, without flaws, bugs and vulnerabilities*? In other words: is our code sane?


Figuring out weaknesses is not that easy (see our quiz in an earlier Bulletin article). Therefore, in order to improve the sanity of your code, prevent common pitfalls, and avoid the bugs and vulnerabilities that can crash your code or, worse, be misused and exploited by attackers, the CERN Computer Security team has reviewed its recommendations for checking the security compliance of your code.

“Static Code Analysers” are stand-alone programs that can be run on top of your software stack, regardless of whether it uses Java, C/C++, Perl, PHP, Python, etc. These analysers identify weaknesses and inconsistencies including: use of undeclared variables; expressions that can result in buffer overflows; use of deprecated functions (like the insecure “strcpy” in C); and missing input checking, filtering and sanitisation. Expect some false positives: treat each finding as a prompt to look at that line, not as a verdict. Of course, these tools cannot replace a “four-eyes” line-by-line code review, but they should still be standard for software architects, developers and programmers to improve their products. So, if you are serious and professional about your job, run them prior to compilation or, even better, within your continuous integration framework (e.g. Atlassian’s “Bamboo” or “Jenkins”), so that a finding fails the build instead of sitting unread in a log.
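As an added example (not one of the CERN tools, and not code from the original article), here is a minimal static check in Python that illustrates the kind of finding such an analyser produces: it scans C source for calls to deprecated functions such as strcpy, ignores commented-out code, reports the line number, and returns a non-zero exit code so that a Jenkins or Bamboo job fails the build. The banned-function list and the sample C file are constructed for illustration; a real analyser parses the code rather than pattern-matching it.

```python
"""Minimal pattern-based static check for unsafe C library calls.

Added example, not a CERN tool: it shows the kind of finding a static
code analyser reports (use of deprecated/insecure functions such as
strcpy) and how such a check is wired into a CI job via its exit code.
A real analyser (e.g. cppcheck, flawfinder) parses the code properly;
this one only matches call sites with a regular expression.
"""
import re
import sys
from typing import List, NamedTuple

# Functions a real analyser flags; each maps to the reason and a safer
# alternative. The list is illustrative, not exhaustive.
BANNED_CALLS = {
    "gets":    ("reads unbounded input into a buffer", "fgets"),
    "strcpy":  ("no length check on destination", "strlcpy/snprintf"),
    "strcat":  ("no length check on destination", "strlcat/snprintf"),
    "sprintf": ("no length check on destination", "snprintf"),
}

# Match an identifier used as a call: "strcpy(" but not "my_strcpy(" or "fgets(".
CALL_RE = re.compile(r"(?<![\w.])(" + "|".join(BANNED_CALLS) + r")\s*\(")


class Finding(NamedTuple):
    line_no: int
    func: str
    reason: str
    alternative: str


def strip_comments(source: str) -> str:
    """Blank out // and /* */ comments while preserving line numbers,
    so a commented-out strcpy() is not reported. (A "//" inside a string
    literal would also be stripped; a parser-based tool avoids that.)"""
    def keep_newlines(m: re.Match) -> str:
        return "\n" * m.group(0).count("\n")
    source = re.sub(r"/\*.*?\*/", keep_newlines, source, flags=re.S)
    return re.sub(r"//[^\n]*", "", source)


def scan_c_source(source: str) -> List[Finding]:
    """Return one Finding per banned call site, in line order."""
    findings = []
    for line_no, line in enumerate(strip_comments(source).splitlines(), start=1):
        for m in CALL_RE.finditer(line):
            func = m.group(1)
            reason, alt = BANNED_CALLS[func]
            findings.append(Finding(line_no, func, reason, alt))
    return findings


def ci_exit_code(findings: List[Finding]) -> int:
    """Non-zero when anything was found, so the CI job fails the build."""
    return 1 if findings else 0


# Constructed sample input (not real CERN code): a fixed-size buffer
# filled by strcpy() from an untrusted command-line argument.
SAMPLE_C = r'''
#include <stdio.h>
#include <string.h>

/* strcpy(dst, src) inside a comment must not be reported */
int main(int argc, char **argv) {
    char name[16];
    if (argc < 2) return 1;
    strcpy(name, argv[1]);      // overflow if argv[1] is longer than 15 chars
    // gets(name);              // commented out, not reported
    printf("Hello %s\n", name);
    return 0;
}
'''

if __name__ == "__main__":
    results = scan_c_source(SAMPLE_C)
    for f in results:
        print(f"line {f.line_no}: {f.func}() {f.reason}; use {f.alternative}")
    sys.exit(ci_exit_code(results))
```

Run on the constructed sample, the check reports the single strcpy() call on line 9 and exits with status 1, which is what makes a CI stage go red. The comment stripping is there because a pattern matcher with no notion of syntax otherwise drowns developers in false positives on commented-out code; the remaining imprecision (string literals, macros) is exactly the gap a real analyser closes by working on the parsed program.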

Of course, we will continue to help you. Once the CERN “Jenkins” service is in production, we will also provide a procedure to run our tools from there. In parallel, we are also aiming to scan automagically all public code in Gitlab repositories for certain obvious weaknesses. Any potential hits will be automatically flagged to the owner of the corresponding repository. You can also engage one of our CERN WhiteHats and allow him/her to carry out penetration tests of your applications. And finally, just contact us if you need a fully-fledged security audit of your code stack and a review of your software architecture! 

*Yes! Admittedly, there is no such thing as “bug-free code”. Even <?php print "Hello World!"; ?> might be flawed. Still, we should aim to minimise bugs and eradicate them wherever we can!


For further information, questions or help, check our website or contact us at Computer.Security@cern.ch.

Do you want to learn more about computer security incidents and issues at CERN? Follow our Monthly Report.


Access the entire collection of Computer Security articles here.

by Stefan Lueders, Computer Security Team