How two interns helped secure millions of lines of code

At Slack, proactively securing our systems is a top priority. One way we achieve this is by automating the detection of security issues with static code analysis: tools that inspect programs without executing them. They are often run with security-focused rules to automatically identify vulnerabilities and insecure programming practices, which frees up more bandwidth for security engineers. For us, expanding our static code analysis program became critical as we looked to grow into the public sector, where there are rising demands to show that our feature work is secure and to meet security certification requirements. We view static code analysis as guardrails: it prevents the worst kinds of security vulnerabilities from entering our codebases. As a result, static code analysis has been top of mind for the security team at Slack for the past three quarters and remains one of the major focuses for next quarter.

Our codebase is largely written in Hack. While Hack comes from work that Facebook performed to develop a typed version of PHP, it is a separate language and there are no static analysis tools broadly available for it. Given that over 5 million lines of code at Slack are written in Hack, how can we ensure it remains secure at scale?

The problem

This past summer, we (Nicholas Lin and David Frankel) focused on solving this problem as software engineering interns on the Product Security team.

Building a static analysis tool for Hack

Building a static analysis tool from scratch would be extremely complex, and t...
