Are you a hacker? Programmer? Software developer? Coder? Many of us are. And, as intelligent humans, we tend to concentrate on the new and not try to reinvent the wheel, instead benefitting from what has already been created elsewhere. So we have more time to produce something new, something adapted to our needs, and leave the basics to software packages already produced somewhere else. Standing on the shoulders of other hackers, programmers, developers and coders worldwide, GitLab at CERN, GitHub around the world and Stack Overflow, to name just three, provide a vast variety of libraries and code snippets for already existing functionality. All you need to do is download or copy-paste them. But what if those hackers, programmers, developers and coders turn rogue, or have their accounts taken over by someone who has?
So automatic integration of external software libraries, e.g. from PyPI or through NCM, comes with a risk! Remember that a package's installation script runs with your privileges the moment you install it, before you have looked at a single line of the library itself. Like with surfing the web: STOP – THINK – DON'T CLICK (or rather, don't import). Only install software libraries from trusted sources, pin the exact versions you have reviewed, and make your build refuse anything whose checksum does not match what you reviewed. And even then, inspect the code either manually (cumbersome as it is) or at least run a static code analysis tool over it, paying particular attention to install-time code such as setup.py. The CERN Computer Security Team provides a variety of static code checkers for that purpose. Also consider using a centralised software repository manager like Sonatype Nexus, which sits between your build and public repositories such as Maven Central or PyPI so that only vetted, cached packages reach developers (Apache Maven itself is the build tool that pulls from such a repository, not a repository manager). Nexus is provided by the CERN IT department and used for accelerator control system development and in the ATLAS and CMS experiments.
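The two checks recommended above, as an added example that is not part of the original bulletin or of any CERN-provided tool: verifying a downloaded artifact against SHA-256 hashes pinned in a reviewed requirements file (the check pip itself performs with `pip install --require-hashes -r requirements.txt`, and whose hashes `pip-compile --generate-hashes` produces), and a minimal AST-based scan of a setup.py for install-time calls that should trigger manual review. The list of suspicious calls, the package name "mylib", the wheel bytes and both setup.py files are constructed for the example; a real project would commit the hashed requirements file rather than compute it on the fly.

```python
"""Added example: hash-pinned download verification and a setup.py triage scan."""
import ast
import hashlib
import re

# Calls that have no business in a library's setup.py. Names are fully
# qualified after import-alias resolution. This list is an assumption for the
# example; extend it to your own threat model.
SUSPICIOUS_CALLS = {
    "exec", "eval", "compile", "__import__",
    "os.system", "os.popen", "os.execv",
    "subprocess.run", "subprocess.call", "subprocess.Popen",
    "subprocess.check_output",
    "base64.b64decode", "codecs.decode",
    "urllib.request.urlopen", "socket.socket", "ctypes.CDLL",
}


def parse_hashed_requirements(text):
    """Parse `name==ver --hash=sha256:<hex>` lines into {name: {hex, ...}}.

    Rejects unpinned or hash-less entries: a requirement without a hash is a
    blind download, which is exactly what this check exists to prevent.
    """
    pinned = {}
    for raw in text.replace("\\\n", " ").splitlines():  # join pip's line continuations
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        match = re.match(r"^([A-Za-z0-9_.\-]+)==", parts[0])
        if not match:
            raise ValueError(f"requirement is not pinned to an exact version: {line!r}")
        name = match.group(1).lower()
        hashes = {p[len("--hash=sha256:"):].lower()
                  for p in parts[1:] if p.startswith("--hash=sha256:")}
        if not hashes:
            raise ValueError(f"no sha256 hash pinned for {name}")
        pinned.setdefault(name, set()).update(hashes)
    return pinned


def verify_artifact(name, data, pinned):
    """True only if the artifact's SHA-256 is one of the hashes pinned for `name`."""
    return hashlib.sha256(data).hexdigest() in pinned.get(name.lower(), set())


def _dotted_name(node):
    """Turn the callee of `a.b.c(...)` into 'a.b.c'; None for calls on expressions."""
    if isinstance(node, ast.Name):
        return node.id
    if isinstance(node, ast.Attribute):
        base = _dotted_name(node.value)
        return f"{base}.{node.attr}" if base else None
    return None


def scan_for_suspicious_calls(source):
    """Return sorted (lineno, qualified_call) pairs for calls in SUSPICIOUS_CALLS.

    Import aliases are resolved first, so `from subprocess import run as r`
    followed by `r(...)` is reported as subprocess.run. Dynamic tricks such as
    getattr() or string-built imports are not caught: this is a triage aid
    that tells you where to look, not a verdict that a package is clean.
    """
    tree = ast.parse(source)
    aliases = {}
    for node in ast.walk(tree):
        if isinstance(node, ast.Import):
            for alias in node.names:
                aliases[alias.asname or alias.name] = alias.name
        elif isinstance(node, ast.ImportFrom) and node.module:
            for alias in node.names:
                aliases[alias.asname or alias.name] = f"{node.module}.{alias.name}"
    findings = []
    for node in ast.walk(tree):
        if not isinstance(node, ast.Call):
            continue
        name = _dotted_name(node.func)
        if name is None:
            continue
        head, _, rest = name.partition(".")
        resolved = aliases.get(head, head) + (f".{rest}" if rest else "")
        if resolved in SUSPICIOUS_CALLS:
            findings.append((node.lineno, resolved))
    return sorted(findings)


# --- constructed sample data (stand-ins, not real packages) ------------------
TRUSTED_WHEEL = b"constructed stand-in for the bytes of mylib-1.0-py3-none-any.whl"
TAMPERED_WHEEL = TRUSTED_WHEEL + b"\n# one injected line"
REQUIREMENTS_TXT = (  # what a reviewed, committed hashed requirements file looks like
    "mylib==1.0 \\\n"
    f"    --hash=sha256:{hashlib.sha256(TRUSTED_WHEEL).hexdigest()}\n"
)
BENIGN_SETUP_PY = '''\
from setuptools import setup
setup(name="mylib", version="1.0")
'''
SUSPICIOUS_SETUP_PY = '''\
from setuptools import setup
import base64, os
from subprocess import check_output as co

os.system(base64.b64decode("ZWNobyBoaQ==").decode())  # runs at install time
co(["id"])
setup(name="totally-legit", version="0.0.1")
'''

if __name__ == "__main__":
    pinned = parse_hashed_requirements(REQUIREMENTS_TXT)
    print("trusted wheel matches pin:", verify_artifact("mylib", TRUSTED_WHEEL, pinned))
    print("tampered wheel matches pin:", verify_artifact("mylib", TAMPERED_WHEEL, pinned))
    for label, src in (("benign", BENIGN_SETUP_PY), ("suspicious", SUSPICIOUS_SETUP_PY)):
        print(label, "setup.py:", scan_for_suspicious_calls(src) or "nothing flagged")
```

The hash check is deliberately all-or-nothing: a requirements file with a single unpinned or hash-less line makes the whole parse fail, because one blind download is enough to compromise the build. The scan resolves import aliases before matching so that renaming `check_output` to `co` does not hide it, but anything assembled at runtime will slip past; treat a clean result as "nothing obvious", not as approval.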
Do you want to learn more about computer security incidents and issues at CERN? Follow our Monthly Report. For further information, questions or help, check our website or contact us at Computer.Security@cern.ch.