Safety FirstIs it time to stop talking about “software security”? I believe so - but not for the reasons you might think.

Let’s face it: we routinely underestimate the effect that language has on our perception of the world. This makes sense - we all like to think of ourselves as logical beings, swayed by indisputable facts and direct observations of the world, not words, images and fancy-pants rhetoric. Alas, there’s lots of evidence - anecdotal and otherwise - that just the opposite is true: the language that we use to talk about problems has a huge influence on our perception of those problems and even our willingness to devote resources to solving them.

Take the Estate Tax, for instance. First introduced in 1916, and often referred to as the “Inheritance Tax,” this progressive tax measure sought to curb massive, cross-generational transfers of wealth by assessing a tax on the value of an estate at the time of death. It was widely supported by a broad swatch of the American public for decades. That is, until fiscal conservatives succeeded in shifting the debate from what government could do for people to all the things government did wrong, and the nomenclature from “estate tax” to the “death tax.” At that point, support for the “death tax” dropped precipitously until, by the early part of the last decade, a strong majority of Americans - feeling themselves “overtaxed” -supported repeal of the tax on the wealthy, even though they would never be asked to pay it.

Even more recently, the topic of nomenclature became an issue at The Supreme Court, with conservative jurist Antonin Scalia wondering if the very name of The Voting Rights Act was the reason for its continued, bi-partisan poltical support. “Even the name of it is wonderful: The Voting Rights Act. Who is going to vote against that in the future?” he wondered from the bench.

While the wisdom of that reading of the Congressional record is questionable, there’s no question that what we call things influences our perception of them. In the software security world, I wonder if it has come time to put the term “security” to bed and to start talking, instead, about software “safety.”

The issue is this: “security” as a term isn’t doing the job we want it to. ‘Security’ as it is used in the context of software means the state of being free from dangers and threats. Software that isn’t secure is, we know, ‘insecure,’ meaning it is not free from danger or threat. It is vulnerable - susceptible to attack.

That’s all true, of course, but it also puts the focus on the external actor -the attacker. The software, we’re led to believe, is perfectly safe to use, but a bad guy might come along and smash it. That’s an unlikely event, but not impossible. Be warned.

In this paradigm, security is still considered more of a feature than an essential requirement of software. As Veracode has noted, pre-purchase assessments of security are rare. We expect software to do the job that we acquired it to do. If it is securely designed and deployed - that’s great, but generally not a requirement. And, as we know, most software users take such warnings with much more than a ‘grain of salt’ - try a pinch of salt - anyway.

How different the conversation would be if, instead of talking about software security, we talked about the ‘safety’ of software. You don’t consider safety a ‘nice-to-have’ in your automobile. It’s not satisfactory if your car can basically get you around, but might roll over if you take a turn too fast, or become hard to steer at high speeds. Far from it - we expect our cars to be “safe.” That means they should be engineered to perform flawlessly in expected road conditions and even hazardous conditions. They should also protect us from injury in truly adverse conditions - like collisions or serious accidents. We don’t buy Pintos anymore. Instead, with 65% of those surveyed listing “safety” as their top priority when buying a car, we buy Honda Civics - and largely because they’re safe.

Using the language of “safety” instead of “security” changes the terms of the discussion, just as changing the language from “estate tax” or “inheritance tax” to “death tax” changed the discussion from one about blunting the privilege of birth to one about being kind to the deceased. In the case of software, talking up ‘safety’ over ‘security’ means facing the unavoidable truth that our lives increasingly rely on the proper functioning of software, and that software that is improperly designed, or vulnerable to trivial attacks makes our lives susceptible to disruption and makes us less safe.

Talking about software “safety” means we stop making excuses - or carving loopholes for commercial software publishers. Exempting ourselves from the drama of zero days and emergency patches. We can simply say “Java isn’t safe. It’s dangerous software that Internet users should avoid using at all costs. Seek other options.” That’s, in essence, what companies like Apple have been saying with actions, rather than words. The company automatically blocked Java 7 on OS X systems that had it installed by blacklisting all current versions of the software until a fix for a critical hole was discovered.

But the language of “security” makes it hard to be decisive about such things. We’re constantly left waiting for another patch and hoping that this critical patch, just maybe, will do the trick. This, despite the advice of security experts like HD Moore, who have encouraged web users to consider Java more-or-less permanently vulnerable and to stop using it altogether. That patch isn’t coming. It’s time to make our peace with that and start putting a name to our problem.

About Paul Roberts

Paul Roberts is an experienced technology writer and editor that has spent the last decade covering hacking, cyber threats, and information technology security, including senior positions as a writer, editor and industry analyst. His work has appeared on NPR’s Marketplace Tech Report, The Boston Globe,, Fortune Small Business, as well as ZDNet, Computerworld, InfoWorld, eWeek, CIO , CSO and He was, yes, a guest on The Oprah Show — but that’s a long story. You can follow Paul on Twitter here or visit his website The Security Ledger.

Comments (5)

Bruce Baker, CISSP | March 14, 2013 1:32 pm

"Let’s face it: we routinely underestimate the effect that language has on our perception of the world."

Could not be more true. Sadly, most regualr people hear our warnings as another cry of wolf. Sadly, the pack is gathering and getting large. Poor/weak security in applications is a major vulnerability for our businesses.

Brian Newman | March 15, 2013 4:46 pm

Most users of software are either young (and tend not to care too much about safety or even feel like they are being 'daring' by ignoring safety) or old (and, hence, see safety as something that gets in the way). Look at all the effort required to get people to wear seat belts. "Safety", as a word, just doesn't have the encouraging connotation that you seem to think it does. Plus, it puts the focus on unsafe behavior of the customer rather than unsafe design. Even after the Pinto was found to be unsafe, there were still people driving them for years because they'd already bought the car and couldn't get rid of it - they perceived the expected cost of getting rid of the unsafe product as higher than the expected cost of an accident. We need to focus on what really matters, not "security" and not "safety", but -risk-.

Terry Hardy | March 18, 2013 1:41 pm

Interesting article. Language is very important. Software safety and software security are related concepts, but slightly different and not quite interchangeable. I would refer you to my recent article on the topic on my web site, The System Safety Skeptic, available here:

Bryan Owen | March 20, 2013 8:53 am

Technical distinctions between safety and security are reminiscent of Amoroso’s classic text comparing ‘Safeguards’ and ‘Countermeasures’. But to your point, there is a societal norm where safety takes precedence over most other categories.

The software industry should respect the meaning of safety. For instance characterizing vulnerable medical implant devices as a safety concern is common sense. Comparing JAVA to Pintos or 'unsafe at any speed' tends toward hyperbole.

Nonetheless I concede at least the notion of safeguards are part of the profession verbiage.

[Ref Ch. 15 Fundamentals of Computer Security Technology, 1994 ISBN 0-13-108929-3]

E | May 16, 2013 5:07 pm

Interesting article I must read it again. I think people don't really give it much thought of the safety measures in software, I believe they simply trust the company product. Not to mention the reality of it is that the majority of us will at some point need to use a software someday. It's a no win situation. It's taking chances, I am sure we all do often!

Please Post Your Comments & Reviews

Your email address will not be published. Required fields are marked *

Love to learn about Application Security?

Get all the latest news, tips and articles delivered right to your inbox.