Deploying watertight, 100% secure IT services and applications belongs to the dream world. No piece of software has ever proven 100% secure. Which is normal. Which is natural. Which is human. Because, usually, and despite ChatGPT entering the scene too, IT services and applications are designed, architected, developed and deployed by humans. And humans make mistakes. Still, some mistakes can be avoided: the usual blunders, the basic errors that others have already made in the past. The phase space of possible mistakes is so vast that repeating those already made by others is just a waste of energy. There are libraries full of books on software engineering, secure coding practices and the most dangerous programming errors. There are standards and best practices. Unfortunately, these are all long compendiums, with many pages, lots of detail and sometimes complicated, "heavy" language. Let's try a shorter version. Security: easily applied!
So, to make your life easier, the Computer Security Office has compiled four shortlists of so-called "Security Principles". They contain the essence of how to apply a first layer of security best practices to your operating system, container, virtual machine or web application, and of how to develop software securely. Each principle is classified as something you MUST do, SHOULD do or COULD do for further guidance. We suggest you read through them to improve your skills, deepen your knowledge and help further secure CERN:
- The Principles for Software Developers focus on a proper secure software development life cycle in order to catch mistakes early: Train, Architect, Reuse, Produce quality, Test and Document. In particular, they provide a shortlist of best practices for writing secure code.
- The Principles for (Server) Operating Systems and Containers outline, in about 10-15 steps, how to best configure your server's operating system or your containers/virtual machines so that they respect basic security measures: they are locked down and expose only what is necessary, are periodically updated, protect sensitive data and run in a restricted context.
- The Principles for Web Applications, finally, state the obvious for internet-exposed websites: have a landing page, do not expose more than what you need, use strong (TLS) encryption, use the CERN SSO, etc.
Where possible, these Security Principles give examples and links to more technical details on how to apply each principle to, for example, your Linux or Windows servers, your Kubernetes or Docker containers, or your Apache or nginx web server. Have a read. Check them out. Apply them. Security: easily applied.
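To make "locked down, expose only what is necessary, run in a restricted context" concrete for the container case, here is an added example that is not part of the Security Principles or of any CERN tooling: a small audit of a Kubernetes Pod manifest, run over two constructed manifests, a permissive "it works" pod and the same workload hardened. The checks follow the common Pod Security "restricted" baseline (non-root, no privilege escalation, read-only root filesystem, all capabilities dropped, seccomp profile, pinned image tag, no host namespaces, resource limits, no administrative ports); they are an assumption about what "restricted context" means in practice, not CERN's exact checklist. Image names and port numbers are constructed.

```python
"""Audit a Kubernetes Pod manifest (as a parsed dict) for the basics of a
restricted context. Added example; the checks approximate the Pod Security
'restricted' profile and are not the CERN Security Principles verbatim."""

# Ports that a web workload has no business exposing (assumption: typical
# remote-admin/daemon ports such as SSH, Telnet, Docker API, RDP, VNC).
ADMIN_PORTS = {22, 23, 2375, 2376, 3389, 5900}

# Constructed sample: a typical "it works" pod that respects none of the basics.
PERMISSIVE_POD = {
    "apiVersion": "v1",
    "kind": "Pod",
    "metadata": {"name": "webapp"},
    "spec": {
        "hostNetwork": True,                       # shares the node's network namespace
        "containers": [
            {
                "name": "web",
                "image": "registry.example.org/webapp:latest",  # hypothetical image, floating tag
                "ports": [{"containerPort": 8080}, {"containerPort": 22}],
                "securityContext": {"privileged": True},
            }
        ],
    },
}

# Constructed sample: the same workload, locked down.
HARDENED_POD = {
    "apiVersion": "v1",
    "kind": "Pod",
    "metadata": {"name": "webapp"},
    "spec": {
        "securityContext": {
            "runAsNonRoot": True,
            "runAsUser": 10001,
            "seccompProfile": {"type": "RuntimeDefault"},
        },
        "containers": [
            {
                "name": "web",
                "image": "registry.example.org/webapp:1.4.2",  # hypothetical image, pinned tag
                "ports": [{"containerPort": 8080}],           # only the service port
                "securityContext": {
                    "allowPrivilegeEscalation": False,
                    "readOnlyRootFilesystem": True,
                    "capabilities": {"drop": ["ALL"]},
                },
                "resources": {"limits": {"cpu": "500m", "memory": "256Mi"}},
            }
        ],
    },
}


def audit_pod(manifest):
    """Return a list of human-readable findings; an empty list means the
    manifest passes every check below."""
    findings = []
    spec = manifest.get("spec", {})
    pod_sc = spec.get("securityContext", {})

    # Pod-level: host namespaces, root user, seccomp.
    for key in ("hostNetwork", "hostPID", "hostIPC"):
        if spec.get(key):
            findings.append(f"pod: {key} is enabled (shares a host namespace)")
    if not pod_sc.get("runAsNonRoot"):
        findings.append("pod: runAsNonRoot not set (containers may run as root)")
    if pod_sc.get("seccompProfile", {}).get("type") not in ("RuntimeDefault", "Localhost"):
        findings.append("pod: no seccomp profile (use RuntimeDefault or Localhost)")

    # Container-level: image pinning, privileges, filesystem, capabilities, ports, limits.
    for c in spec.get("containers", []) + spec.get("initContainers", []):
        name = c.get("name", "?")
        sc = c.get("securityContext", {})
        image = c.get("image", "")
        last = image.rsplit("/", 1)[-1]            # strip the registry/repository path
        if ":" not in last or image.endswith(":latest"):
            findings.append(f"{name}: image tag missing or :latest (not reproducible, no update plan)")
        if sc.get("privileged"):
            findings.append(f"{name}: privileged container")
        if sc.get("allowPrivilegeEscalation", True):   # Kubernetes defaults this to true
            findings.append(f"{name}: allowPrivilegeEscalation not set to false")
        if not sc.get("readOnlyRootFilesystem"):
            findings.append(f"{name}: root filesystem is writable")
        if "ALL" not in sc.get("capabilities", {}).get("drop", []):
            findings.append(f"{name}: capabilities not dropped (use drop: [ALL])")
        for p in c.get("ports", []):
            if p.get("containerPort") in ADMIN_PORTS:
                findings.append(f"{name}: exposes administrative port {p['containerPort']}")
        if "limits" not in c.get("resources", {}):
            findings.append(f"{name}: no resource limits (noisy-neighbour / DoS risk)")
    return findings


if __name__ == "__main__":
    for label, pod in (("permissive", PERMISSIVE_POD), ("hardened", HARDENED_POD)):
        print(f"{label}: {len(audit_pod(pod))} finding(s)")
        for f in audit_pod(pod):
            print("  -", f)
```

The same checks can be expressed as a cluster-wide Pod Security Admission policy (`pod-security.kubernetes.io/enforce: restricted` on the namespace), which is how you would enforce them rather than merely audit them; the script is useful for reviewing manifests before they reach a cluster, and for seeing at a glance which of the "restricted context" basics a given workload still violates.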
Please note that, although they are mandated by CERN's Computing Rules (i.e. its Subsidiary Rules DEV2 and OPS2), these Security Principles are, for the moment, not yet enforced. However, during 2026 the Computer Security Office will start reviewing all IT services and all web applications for compliance with the Principles. Non-compliant services, especially those without any upgrade plan, might lose their access to the internet in order to better protect the Organization (as also required by recommendation R-5.1, among others, of the 2023 CERN cybersecurity audit). So, have a read now. Check them out now. Apply them now. And let us know what worked and what worked less well. Security: easily applied (we believe)!