The philosophy behind Scanner One


This page describes the philosophy, or principles, behind the ruleset in Scanner-One. A consistent set of principles lets vulnerabilities be prevented efficiently across all source code, while keeping the impact on developers' freedom and technology choices to a minimum.

1) No all-powerful code


Code may not use functions that create new code, or new functionality, without restriction.

Examples of such functions are 'exec', 'eval' and other functions that can 'do anything' based on their input. Such functions are not allowed to operate on variables at all: their only acceptable argument is a literal fixed in the source, since anything else turns the program's input into program code.

A call to such a function is not always unsafe, but it also cannot be shown to be safe in general, because the code it runs is only known at run time. Since there are alternatives that are easier to verify (a lookup table of permitted operations, or an explicit parser for the input format, for instance), the option is taken off the table altogether. Security becomes easier to manage, without losing any expressive power in the solutions.

2) No secrets in the source code


Secrets (passwords, API keys, private keys and the like) are stored outside of the source tree, in a password vault or a configuration server, and read by the application at run time.

The alternative would have been to allow secrets in source code and restrict access to the repositories accordingly. This was not chosen, because the benefit of repositories being open across the company outweighs the benefit of the alternatives. A secret that has been committed also stays in the repository history after it is removed from the current tree, so it has to be rotated anyway, which is one more reason to keep it out of the source from the start.
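As an added example for both principles above (it is illustrative code, not the Scanner One ruleset itself), the following Python checker walks a file's syntax tree and reports two kinds of finding: a call to 'eval', 'exec' or 'compile' whose argument is anything other than a string literal fixed in the source, and a secret in source, detected either by the name of the variable it is assigned to or by the shape of the literal (long, space-free, high entropy). The rule names, the set of dynamic-code functions beyond 'exec' and 'eval', the variable-name pattern, the length and entropy thresholds, and the sample file are all assumptions made for this example.

```python
"""Two illustrative Scanner One-style rules over Python source, implemented on the ast module.
Added example, not the project's own code: rule names, patterns and thresholds are assumed."""
import ast
import math
import re
from dataclasses import dataclass
from typing import List, Set

# Assumed set of "all-powerful" functions; the page itself names exec and eval.
DYNAMIC_CODE_FUNCS = {"eval", "exec", "compile"}
# Assumed pattern for variable names that usually hold a secret.
SECRET_NAME = re.compile(r"pass(word|wd)?|secret|token|api_?key|private_?key", re.I)


@dataclass
class Finding:
    rule: str
    line: int
    message: str


def shannon_entropy(s: str) -> float:
    """Bits per character: random-looking keys score high, ordinary words score low."""
    if not s:
        return 0.0
    n = len(s)
    counts = {}
    for ch in s:
        counts[ch] = counts.get(ch, 0) + 1
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def _is_str_literal(node: ast.AST) -> bool:
    return isinstance(node, ast.Constant) and isinstance(node.value, str)


def _call_name(node: ast.Call) -> str:
    f = node.func
    if isinstance(f, ast.Name):
        return f.id
    if isinstance(f, ast.Attribute):  # e.g. builtins.eval(...)
        return f.attr
    return ""


def check_source(src: str, min_len: int = 20, entropy_threshold: float = 3.5) -> List[Finding]:
    findings: List[Finding] = []
    secret_lines: Set[int] = set()  # a literal flagged by name is not flagged again by entropy
    for node in ast.walk(ast.parse(src)):  # breadth-first: parents are seen before children
        # Rule 1: no all-powerful code. Only a string literal fixed in the source is accepted;
        # a Name, Call, f-string or concatenation means the code is assembled at run time.
        if isinstance(node, ast.Call) and _call_name(node) in DYNAMIC_CODE_FUNCS:
            if not node.args or not _is_str_literal(node.args[0]):
                findings.append(Finding("no-dynamic-code", node.lineno,
                                        f"{_call_name(node)}() called on a non-literal argument"))
        # Rule 2a: no secrets in source, by the name of the variable a literal is assigned to.
        elif isinstance(node, ast.Assign) and _is_str_literal(node.value) and node.value.value:
            for target in node.targets:
                if isinstance(target, ast.Name) and SECRET_NAME.search(target.id):
                    secret_lines.add(node.lineno)
                    findings.append(Finding("no-secret-in-source", node.lineno,
                                            f"{target.id} is assigned a string literal"))
        # Rule 2b: no secrets in source, by shape: long, space-free, high-entropy literals
        # anywhere in the file (dict values, call arguments, ...), regardless of variable name.
        elif (_is_str_literal(node) and node.lineno not in secret_lines
              and len(node.value) >= min_len and " " not in node.value
              and shannon_entropy(node.value) >= entropy_threshold):
            findings.append(Finding("high-entropy-literal", node.lineno,
                                    "string literal looks like a key or token"))
    return sorted(findings, key=lambda f: f.line)


# Constructed sample file for the checker to run on; the key and token are made up.
SAMPLE = '''\
import os
API_KEY = "sk-9f8e7d6c5b4a3f2e1d0c9b8a7f6e5d4c"
DB_PASSWORD = os.environ["DB_PASSWORD"]
def run(expr):
    return eval(expr)
def version():
    return eval("1 + 2")
CONFIG = {"slack": "xoxb-1234567890-abcdefghijABCDEFGHIJ"}
'''

if __name__ == "__main__":
    for f in check_source(SAMPLE):
        print(f"line {f.line}: {f.rule}: {f.message}")
```

On the sample, line 2 is reported by name, line 5 because 'eval' is called on a variable, and line 8 because the dict value has the shape of a token even though the variable name 'CONFIG' says nothing; line 3 (secret read from the environment, i.e. from outside the source tree) and line 7 ('eval' on a literal) pass, which is exactly the distinction the two principles draw.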