The CERN Computer Security Team and our colleagues, as well as external students participating in the CERN WhiteHat Challenge and friendly peers around the world, repeatedly detect weaknesses and vulnerabilities in websites and software applications developed or run at CERN. It is a never-ending race between the good side and the evil-doers who would love to misuse those weaknesses and vulnerabilities to break into CERN and misuse our computing resources for their malicious deeds.
So why is software buggy? Of course, complexity is one argument why there will always be software flaws. But we shouldn’t hide behind that argument. The flaws are introduced by humans. Time pressure, suboptimal programming skills and lack of good practices mean that secure coding is overlooked. And there is no incentive to change that. Besides software, there are barely any other products worldwide where the customer has to bear all the consequences of a bad product: maybe drugs? In other fields that introduce risk for the user, such as engineering and medicine, the professionals creating products are required to be accredited and perform audits and safety checks. Perhaps we need to introduce a government-sponsored liability programme for any software being sold or distributed widely? Legally require software companies and programmers to have a bounty programme and make them pay for any vulnerability found in their software. The sum paid to the first finder might follow a nationwide (or even international?) catalogue. Cross-site scripting: 1000 CHF, SQL injection: 5000 CHF, remote code execution: 10,000 CHF. This payment might even be proportional to the user base of the vulnerable software. For Microsoft software, the payment is higher, for my software which barely anyone uses, the sum is lower. But they would only need to pay if their software is closed source. The bounty costs for open-source code would be covered by the government...
What would be the benefits? First of all, software companies and programmers would be required to pay attention to secure coding. Of course, they can decide that it is more effective for them to pay the bounty instead and get their software improved through external means. Or, even more beneficial to the world, make their software open source and have the government pay. Secondly, there would be an alternative to the black underground market for vulnerabilities and exploits. At least those GreyHats who make their living by selling vulnerabilities could be brought back into legality. For any other IT folks, e.g. computer science students, even you and I, who for ethical reasons never went Grey or BlackHat, can train themselves and earn additional revenue. And third, this programme would direct many more eyes on each software package. And the more eyes, the more vulnerabilities found and the more secure our software foundations. But we are far away from that. And there might be plenty of other details which would need to be considered, too.
For the moment, we have to count on YOU(!) to make any software that you deploy or develop more secure. At CERN, there are several options for programmers and software developers:
- Follow these general guidelines or the dedicated ones for web applications or password handling
- Read a book
- Use our recommended static code analysers which help you to improve the security of your code. We have even provided a dedicated set of static analysis programmes for integration in the Gitlab Continuous Integration process
- Request a security scan for the websites you manage or invoke the APEX scanning tool if you run an Oracle APEX website
- Join our WhiteHat Challenge and learn to penetration test your software
- Or contact us at Computer.Security@cern.ch to help you!
For further information, questions or help, check our website or contact us at Computer.Security@cern.ch.