Secure transfer of source code
Sieuwert van Otterloo
ICT Institute often receives source code and other files for analysis. If you are working with us and want to send us code, these are the guidelines.
Collecting source code
We typically analyse the latest production version or the current development version. Check out the right version (tag, branch or commit) into a separate folder, so that what you send is a clean copy of exactly that version and not your working directory with local changes.
Deleting unneeded files
Source code repositories sometimes contain large data files, which makes the zip file extremely large and difficult to handle. If the archive is larger than one gigabyte, it almost certainly contains files that are not source code and can be deleted: look for images, video files, .data files and git .pack files. A command such as find . -name '*.pack' -type f -delete removes all files with that extension below the current folder. Run it only in the separate export folder, never in your working repository: .pack files are git's object store, and deleting them from .git breaks the repository. Simpler still, leave the .git folder out of the archive altogether, since we only need the checked-out files of the one version we analyse.
You do not have to delete every unneeded file. Text files are usually small and can be left in; our analysis tools ignore them automatically.
Encrypting the file
If the source code is not confidential you can skip this step. If it is confidential, encrypt the file before sending it. Email and file-transfer services are essentially public: messages are relayed and stored in plain text and can be read by anyone who handles them along the way. We recommend GnuPG (GNU Privacy Guard), an implementation of the OpenPGP standard. For Mac we recommend GPG Suite (gpgtools), for Windows there is Gpg4win. To encrypt files for us, use the ICTI / SoftwareZaken public key. Our key fingerprint is F470 9152 0075 18E3 8E7F 62BC 5182 B08C 4777 6B38. Always validate the fingerprint of any key you receive (against printed materials, or by phone or secure chat) before using it: a key that arrives over the same channel as the file could have been swapped by whoever controls that channel.
Alternatively, if you have an archiving tool that supports strong encryption (for example 7-Zip with AES-256; avoid the legacy ZipCrypto option, which is weak), you can password-protect the zip file and tell us the password over a separate channel such as text message or phone, never in the same email as the file.
Sending the output
If the zipped and encrypted file is less than 10 megabytes, you can email it directly to sieuwert at ictinstitute.nl. If it is larger, use a file transfer service such as WeTransfer. Because the file is already encrypted, the transfer service only has to deliver it; it does not need to be trusted with the contents.
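The whole procedure on this page (export one version, remove non-source files, pack, encrypt to our key, choose email or a transfer service by size) as a POSIX shell script. This is an added example, not a tool provided by ICT Institute. It assumes git, find, tar, gzip and gpg are installed and that our public key has already been imported into your keyring; it produces a tar.gz where the text says zip (zip -r does the same job), and the function names and the REPO/REF/OUT arguments are this example's own. Before encrypting it checks that the key in the keyring really has the fingerprint printed above, which is the same check the text asks you to do by hand.

```shell
#!/bin/sh
# secure_transfer.sh: prepare a source tree for secure transfer.
# Added example, not ICT Institute's own tooling. Assumes POSIX sh, git,
# find (GNU or BSD), tar, gzip and gpg; the recipient key must already be
# imported into the local keyring.
set -eu

# Fingerprint of the ICTI / SoftwareZaken key as printed on the page,
# without spaces. Validate it out of band before relying on it.
ICTI_FPR="F4709152007518E38E7F62BC5182B08C47776B38"

# Email limit from the page: below this, email; otherwise a transfer service.
EMAIL_LIMIT_BYTES=$((10 * 1024 * 1024))

# export_version REPO REF DEST: write the files of one tag/branch/commit
# into DEST. git archive never includes .git, so no .pack files come along.
export_version() {
    mkdir -p "$3"
    git -C "$1" archive --format=tar "$2" | tar -xf - -C "$3"
}

# prune_unneeded DIR: delete the file types the page lists as not source
# code (git packs, .data files, images, video). Run on the export copy only.
prune_unneeded() {
    find "$1" -type f \( -name '*.pack' -o -name '*.data' \
        -o -iname '*.png' -o -iname '*.jpg' -o -iname '*.jpeg' -o -iname '*.gif' \
        -o -iname '*.mp4' -o -iname '*.mov' -o -iname '*.avi' \) -delete
}

# report_large DIR MB: list remaining files larger than MB megabytes so the
# sender can decide whether they are data files that should also go.
report_large() {
    find "$1" -type f -size +"$2"M
}

# pack_tree DIR OUT: archive DIR (tar.gz here; zip -r works the same way).
pack_tree() {
    tar -czf "$2" -C "$(dirname "$1")" "$(basename "$1")"
}

# encrypt_for_recipient IN OUT FPR: encrypt IN to the key whose fingerprint
# is exactly FPR. Refuses if no key in the keyring has that fingerprint, so a
# look-alike key with a different fingerprint is never used. --trust-model
# always is acceptable only because the fingerprint was verified first.
encrypt_for_recipient() {
    if ! gpg --batch --with-colons --fingerprint "$3" 2>/dev/null \
            | grep -q "^fpr:.*:$3:"; then
        echo "no key with fingerprint $3 in keyring; import and verify it first" >&2
        return 1
    fi
    gpg --batch --yes --trust-model always --recipient "$3" \
        --output "$2" --encrypt "$1"
}

# delivery_route FILE: prints "email" if FILE fits the 10 MB email limit,
# otherwise "transfer" (use a file transfer service).
delivery_route() {
    size=$(( $(wc -c < "$1") ))
    if [ "$size" -lt "$EMAIL_LIMIT_BYTES" ]; then
        echo email
    else
        echo transfer
    fi
}

# main REPO REF OUT: run all steps; OUT is the base name of the result.
main() {
    repo=$1; ref=$2; out=$3
    work=$(mktemp -d)
    export_version "$repo" "$ref" "$work/export"
    prune_unneeded "$work/export"
    echo "files larger than 50 MB still present (consider deleting):"
    report_large "$work/export" 50
    pack_tree "$work/export" "$out.tar.gz"
    encrypt_for_recipient "$out.tar.gz" "$out.tar.gz.gpg" "$ICTI_FPR"
    rm -rf "$work" "$out.tar.gz"
    echo "send $out.tar.gz.gpg via: $(delivery_route "$out.tar.gz.gpg")"
}

# Only run the pipeline when invoked with arguments, e.g.
#   sh secure_transfer.sh /path/to/repo v2.3.1 myproject-v2.3.1
if [ $# -gt 0 ]; then
    main "$@"
fi
```

The plain-text archive is deleted after encryption so that only the .gpg file is left to send; if you use the password route instead, replace encrypt_for_recipient with an AES-encrypted zip from your archiver and pass the password over a separate channel.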
What we do with your code
We use your code only for the agreed purpose. So if we agreed we would analyse your code for security advice, we will do exactly that. For some projects we work with explicit non-disclosure agreements. Even where none has been agreed, we always take reasonable care to prevent security breaches on a best-effort basis.
Dr. Sieuwert van Otterloo is a court-certified IT expert with interests in agile, security, software research and IT-contracts.