Writing quality software is like preparing an amazing meal for your friends. Quality ingredients. Established utensils. A clean kitchen (at least initially). And regular tasting to avoid giving your friends a disappointment (or salmonella). The same thing applies to coding. Choosing a suitable programming language. Using established software and version management tools. Preparing clean and well-documented lines of code. And repeated scanning and testing to find blunders, flaws, weaknesses, bugs and vulnerabilities ─ digital salmonella, in other words ─ in plenty of time and long before the software makes it into production. CERN’s IT department has two new tools that are just the thing to help you prepare a delicious software dinner for your friends: GitLab’s “Static Application Security Testing” and “Secret Detection”. Guaranteed salmonella-free.

Static Application Security Testing (SAST) is a pivotal component for securing your code. It is capable of examining the entire codebase in a quick and automatic manner as early as possible in the software development life cycle. With SAST, vulnerabilities can be found ahead of time in the development process. You just run SAST as another job within your regular pipeline build. Without halting your build process, areas for improvement, vulnerabilities and other kinds of digital salmonella are quickly identified and ready to be addressed by the cook-of-the-keyboard.

Similarly, scanning for secrets – another kind of digital salmonella – is another essential step. Secrets (like passwords, tokens, private keys and certificates) are the glue that bind together various application parts (like SaaS components, databases and cloud infrastructures). Such secrets are frequently hardcoded into source code since they are intended to be used programmatically. In fact, over 5 million secrets were found in public software repositories according to GitGuardian’s 2021 State of Secrets Sprawl report (https://www.gitguardian.com/state-of-secrets-sprawl-on-github-2021), up 20% from the previous year, and not even including plaintext secrets contained in private repositories! So, to keep your secret a secret, to keep the Organization secure, and to keep digital salmonella out, Git’s “Secret Detection” is another important tool to run during your build processes. It will make you aware of the use (and potential exposure!) of secrets, and allow you to get this fixed (see also our recommendations on how to keep secrets secret; https://security.web.cern.ch/recommendations/en/password_alternatives.shtml).

Both of these security tools, SAST and “Secret Detection”, are already available with CERN’s current GitLab Ultimate licence[1]. Details of how to employ them can be found on this dedicated webpage (https://gitlab.docs.cern.ch/docs/Secure%20your%20application/). Once enabled and running, the results are directly visible in the “Vulnerability Report” of your project. While their use is currently on a voluntary basis ─ please opt in! ─, we are planning to run these tools on a regular basis and provide you automagically with the result of our/that pipeline as of Q1/2024. And, cherry on the cake, we also provide you with a second level of security checks (“DAST – Dynamic Application Security Testing”; https://gitlab.docs.cern.ch/docs/Secure%20your%20application/other-security-scans) as well as dedicated training courses (https://gitlab.docs.cern.ch/docs/Secure%20your%20application/security-training). Have a look! As, after all, we don’t want your friends (and CERN’s software stack) getting salmonella! 

Do you want to learn more about computer security incidents and issues at CERN? Follow our Monthly Report (https://cern.ch/security/reports/en/monthly_reports.shtml). For further information, questions or help, check our website (https://cern.ch/Computer.Security) or contact us at Computer.Security@cern.ch.