During Veracode’s Hackathon last year I wanted to answer this question: How secure are the applications that we see in those movie scenes when the source code is scrolling by on an actor’s computer? In the spirit of the Hackathon, where projects range from baking to backdoor detection, I set off. I collected screenshots from four TV shows or movies that featured source code. I found the attribution (link: http://moviecode.tumblr.com/) of which application that code was from. And then I scanned the application using the Veracode static platform. The results were put together in a short video clip that was presented at the Hackathon closing ceremonies.

The Results

Three out of four applications failed a basic security policy. My recommendation: directors need a more rigorous audition of the source code they show on the screens. :)

The Lesson

This project was a fun little video done in the spirit of the Hackathon. Obviously, a movie set is not a hostile environment, and a flaw in the source code on a computer in a movie is not going to change the plot line. But in a world where every third-party component used in application development introduces an average of twenty new flaws, businesses must do better to “audition” the code they choose to power the systems they use. You can’t yell “Cut” and restart a scene when your insecure code is exposed to the world.

The Scenes

#1 Source: NCIS

“Does this look familiar?”

“Looks like the computer program I designed for my thesis project.”

“BS in Terrorism?”

“Yeah, your little number jumble was installed onboard City Lines oil platform before it exploded.”

The reality? The code on the phone was cut and pasted from the Microsoft Bing Help Center API page, and it passed a basic static scan policy. Perhaps static analysis would have saved these detectives some time.

#2 Source: Revolution

“What’s the hold-up?”

“It’s a 62 character override code, okay? It’s going to take a minute.”

“Ok! I got it, I got it! That’s it!”

“Access Granted”

The reality? This is source code from an open-source biometrics application. While a Veracode analysis did not identify any override code or backdoor in this software, the software did not pass a basic policy.

#3 Source: Iron Man

“Finish the last of the power sequence.”

“Function 11. Tell me when you see a progress bar.”

“Got it.”

“Press Control I. I Enter. I Enter.”

“Come over and button me up.”

While you think you are watching the code that powers the Iron Man suit, the reality is that this is C code for a Lego Programmable Brick Set controller.

#4 Source: Charlie’s Angels

This scene shows them breaking into a digital safe with an LCD touchscreen. The code on the screen is actually nothing more than a Sudoku game.

About Brad Smith

Brad Smith is the Security Program Manager and integration expert for Veracode's enterprise customers. In this role he oversees program strategy, execution and adoption of Veracode's services, and builds customer relationships. Prior to Veracode he worked for Foundstone, Google, and received his M.S. in Information Security from Royal Holloway, University of London. Brad lives in Fountain Valley, California with his wife and sons.