Secure transfer of source code

ICT Institute often receives source code and other files for analysis. If you are working with us and want to send us code, these are the guidelines.

Collecting source code

We typically analyse the latest production version or the current development version. Please check out the right version into a separate folder.

Deleting unneeded files

In some cases, source code repositories contain large data files. This makes the zip files extremely large and difficult to handle. If the file size is more than one gigabyte, it is likely that the archive includes data files that are not source code and can be deleted. Look for images, video files, .data files or .pack files. You can use a command such as find . -name "*.pack" -type f -delete to delete all such files below the current folder automatically.

Note that you do not have to delete all unneeded files. Text files are often small and can be left in. Our analysis tools will ignore these automatically.

Encrypting files

If the source code is not confidential you can skip this step. If your source code is confidential, make sure you encrypt the file before sending it. Email and other services are essentially public and can be read by potentially anyone. We recommend the use of GnuPG (GNU Privacy Guard), based on the PGP standard. For Mac we recommend GPGTools; for Windows there is Gpg4win. To encrypt messages to us, use the following ICTI / SoftwareZaken public key. Our key fingerprint is F470 9152 0075 18E3 8E7F 62BC 5182 B08C 4777 6B38. Note that you should validate the fingerprint of any key (from printed materials or by phone / secure chat) before use.

If you have a good password generation tool installed, you can instead password-protect the file and share that password with us by text message or over the phone.

Sending the output

If the (zipped and encrypted) file is less than 10 megabytes, you can email it directly to sieuwert at ictinstitute.nl. If it is larger, please use a file transfer service such as WeTransfer.
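The whole procedure above (prune data files, check the size, verify the recipient key's fingerprint, archive and encrypt) as one added shell example. This is not ICT Institute's own tooling; it assumes GnuPG is installed as gpg and that the recipient's public key has already been imported into your keyring. The function and variable names are the example's own, and EXPECTED_FPR is set to the fingerprint printed on this page, which you still validate out of band before relying on it.

```shell
#!/bin/sh
# Added example (not ICT Institute's own tooling): prepare a checked-out
# source tree for transfer following the steps on this page.
# Assumptions: GnuPG is installed as `gpg` and the recipient's public key has
# already been imported; EXPECTED_FPR is the fingerprint printed on this page,
# which you must still validate out of band before trusting it.

EXPECTED_FPR="F470 9152 0075 18E3 8E7F 62BC 5182 B08C 4777 6B38"
ONE_GIGABYTE=1073741824

# Normalise a fingerprint (drop whitespace, upper-case) so the printed form
# and gpg's output compare reliably.
normalize_fpr() {
    printf '%s' "$1" | tr -d ' \t\n' | tr '[:lower:]' '[:upper:]'
}

# Succeeds when two fingerprints are identical after normalisation.
fpr_matches() {
    [ "$(normalize_fpr "$1")" = "$(normalize_fpr "$2")" ]
}

# Size of a directory tree in bytes (du -k is POSIX; scale back to bytes).
tree_size_bytes() {
    du -sk "$1" | awk '{ printf "%d\n", $1 * 1024 }'
}

# Delete the kinds of non-source files the page names (.pack, .data, images,
# video) below a directory. Text files are deliberately left alone.
prune_data_files() {
    find "$1" -type f \( -name '*.pack' -o -name '*.data' \
        -o -name '*.png' -o -name '*.jpg' -o -name '*.jpeg' -o -name '*.gif' \
        -o -name '*.mp4' -o -name '*.mov' -o -name '*.avi' \) -delete
}

# Compare the fingerprint gpg reports for KEYID against EXPECTED_FPR.
# --with-colons gives machine-readable records; the "fpr" record carries the
# fingerprint in field 10.
verify_recipient_key() {
    actual=$(gpg --batch --with-colons --fingerprint "$1" 2>/dev/null \
        | awk -F: '$1 == "fpr" { print $10; exit }')
    [ -n "$actual" ] && fpr_matches "$actual" "$EXPECTED_FPR"
}

# Prune, warn if the tree is still over a gigabyte, then tar+gzip the tree and
# encrypt the archive to KEYID. Refuses to encrypt when the fingerprint does
# not match, so a substituted key cannot receive the code.
package_and_encrypt() {
    src="$1"; keyid="$2"; out="${3:-source.tar.gz.gpg}"
    prune_data_files "$src"
    if [ "$(tree_size_bytes "$src")" -gt "$ONE_GIGABYTE" ]; then
        echo "warning: tree still exceeds 1 GB; look for other data files" >&2
    fi
    verify_recipient_key "$keyid" || {
        echo "error: fingerprint of $keyid does not match expected key" >&2
        return 1
    }
    tar -czf - -C "$(dirname "$src")" "$(basename "$src")" \
        | gpg --batch --yes --encrypt --recipient "$keyid" --output "$out"
}

# Usage (not run automatically):
#   package_and_encrypt ./my-project-checkout <key id or fingerprint> my-project.tar.gz.gpg
```

The fingerprint check runs before anything is encrypted, so a key that was swapped in transit or imported by mistake is rejected rather than silently used as the recipient. The resulting .tar.gz.gpg file is what you then email or upload to the transfer service.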

What we do with your code

We use your code only for the agreed purpose. So if we agreed to analyse your code for security advice, we will do exactly that: nothing more, nothing less. For some projects we work under explicit non-disclosure agreements. Even where none has been agreed, we always take reasonable care, on a best-effort basis, to prevent security breaches.