Veracode Talking Code

Software Safety Should Be Treated Just Like Food Safety. Discuss.

It’s easy to agree with statements like “the food we buy in supermarkets should be safe to eat.” After all, who wants to go to bat for shoddy growers pushing contaminated lettuce, or distributors sending out botulinum-laced fish and meats?


But what about software safety? Suffice it to say that if people ate software applications instead of, say, cinnamon rolls, they’d be dropping like flies. That’s because the code that powers those applications is often riddled with potentially dangerous security flaws. Unlike the food industry, however, there have been only fitful efforts by government and industry to address what everyone recognizes is a widespread problem.


I’ve written elsewhere about the relative lack of a “safety culture” in the software industry compared with industries like civil aviation or even food. (Remember: most of the food recalls and alerts that are issued today are voluntary.) But there’s also a decades-long track record of the government taking a hard stand on lax food safety practices at growers and distributors, including hefty fines and criminal prosecutions in the case of violations that cause public harm.

How do we get that level of accountability in the software industry? That’s the topic of the latest installment of The Security Ledger’s Talking Code, sponsored by Veracode. In this segment, Chris Wysopal, Joshua Corman and I talk about where the responsibility of securing software lies – with vendors, their customers, or someone else?

Simply taking a vendor’s word for it when it comes to assessing the security of a software product is a recipe for disaster. As with any other supplier relationship, software buyers need to “trust” their suppliers, but also “verify” that what they’re saying is true. But how? Joshua Corman, the Director of Security Intelligence at Akamai, notes that some large technology buyers are beginning to work language about security quality into their standard IT purchasing agreements. That’s a small step in the right direction…but it is a start.
