It’s easy to agree with statements like “the food we buy in supermarkets should be safe to eat.” After all, who wants to go to bat for shoddy growers pushing contaminated lettuce, or distributors sending out botulinum-laced fish and meats?
But what about software safety? Suffice it to say that if people ate software applications instead of, say, cinnamon rolls, they’d be dropping like flies. That’s because the code that powers those applications is often riddled with potentially dangerous security flaws. Unlike the food industry, however, there have been only fitful efforts by government and industry to address what everyone recognizes is a widespread problem.
I’ve written elsewhere about the relative lack of a “safety culture” in the software industry compared with industries like civil aviation or even food. (Remember: most of the food recalls and alerts that are issued today are voluntary.) But there’s also a decades-long track record of the government taking a hard stand on lax food safety practices at growers and distributors, including hefty fines and criminal prosecutions in the case of violations that cause public harm.
How do we get that level of accountability in the software industry? That’s the topic of the latest installment of The Security Ledger’s Talking Code, sponsored by Veracode. In this segment, Chris Wysopal, Joshua Corman and I talk about where the responsibility for securing software lies – with vendors, their customers, or someone else?