For my last semester of studies in Fall 2009 / Winter 2010, I had the opportunity to spend a six-month internship with CERN's Computer Security Team.
The aim of the project assigned to me was to provide CERN developers with a set of simple tools to review their source code and improve the quality of their software, with a particular focus on security. To achieve this goal, I reviewed and compared a few dozen tools, using about 200 million lines of code retrieved from source control systems as a basis for the comparison.
The main criteria used for comparing these tools were:
- Ease of use and configuration
- Low rate of false positives
At CERN, users are expected to take responsibility for security, hence these criteria. In the case of software developed at CERN, the project manager is responsible for the security of the deliverables as well as for respecting deadlines. Therefore, they need to be convinced to dedicate some time to security, since they cannot be required to. This means that the time requirements of the suggested tools must be as low as possible.
Furthermore, remembering the story of the boy who cried wolf, we decided that it was more important for developers to receive fewer false alarms (and not ignore them) than to find all of the bugs. Thus we prioritized a low rate of false positives over a low rate of false negatives.
In the end, we selected two or three tools for each of the programming languages most used at CERN (C/C++, Java, Perl, PHP, Python). Those tools were introduced in the package repositories of CERN's most used OS, Scientific Linux CERN.
The thesis I wrote to support this project is available at http://infoscience.epfl.ch/record/153107 and was awarded the Kudelski Prize.
Recently, I was invited to a meeting of the Geneva Chapter of OWASP (Open Web Application Security Project) to present my findings; the presentation slides can be viewed below.