February 20, 2015

Securing the Silver Screen: Source Code in Movies

During Veracode’s Hackathon last year I wanted to answer this question: How secure are the applications that we see in those movie scenes when the source code is scrolling by on an actor’s computer? In the spirit of the Hackathon, where projects range from baking to backdoor detection, I set off. I collected screenshots from four TV shows or movies that featured source code. I found the attribution, that is, what application that code was from. And then I scanned the application using the Veracode static platform. The results were put together in a short video clip that was presented at the Hackathon closing ceremonies.

The Results

Three out of four applications failed a basic security policy. My recommendation: directors need a more rigorous audition of the source code they show on the screens. :)

The Lesson

This project was a fun little video done in the spirit of Hackathon. Obviously, a movie set is not a hostile environment, and a flaw in the source code of a computer in a movie is not going to change the plot line. In a world where every third-party component used in application development introduces an average of twenty new flaws, businesses must do better to “audition” the code they choose to power the systems they use. You can’t yell “Cut” and restart a scene when your insecure code is exposed to the world.

The Scenes

#1 Source: NCIS

“Does this look familiar?”

“Looks like the computer program I designed for my thesis project”

“BS in Terrorism?”


“Yeah, your little number jumble was installed onboard City Lines oil platform before it exploded.”

The reality? The code on the phone was cut and pasted from the Microsoft Bing Help Center API page and passed a basic static scan policy. Perhaps static analysis would have saved these detectives some time.

#2 Source: Revolution

“What’s the hold-up?”

“It’s a 62 character override code, okay? It’s going to take a minute.”

“Ok! I got it, I got it! That’s it!”

“Access Granted”

The reality? This is source code from an open source biometrics application. While a Veracode analysis did not identify any override code or backdoor in this software, the software did not pass a basic policy.

#3 Source: Iron Man

“Finish the last of the power sequence.”


“Function 11. Tell me when you see a progress bar.”

“Got it”

“Press Control I. I Enter. I Enter”

“Come over and button me up.”

While you think you are watching the code that powers the Iron Man suit, the reality is this is code from a Legos Programmable Brick Set controller in C.

#4 Source: Charlie’s Angels

This scene shows them breaking into a digital safe with an LCD touchscreen. The code on the screen is actually nothing more than a Sudoku game.


Brad Smith is Sr. Principal Security Program Manager at Veracode. With an eye to hastening digitalization and accelerating the speed of secure software delivery, he guides both front-line engineers and executives at global enterprises through the opportunities presented at the intersection of technology and business. He started as an information security consultant in 2007.
