During Veracode’s Hackathon last year I wanted to answer this question: How secure are the applications that we see in those movie scenes when the source code is scrolling by on an actor’s computer? In the spirit of the Hackathon, where projects range from baking to backdoor detection, I set off. I collected screenshots from four TV shows or movies that featured source code. Using the attributions at http://moviecode.tumblr.com/, I identified which application each piece of code came from. Then I scanned each application using the Veracode static analysis platform. The results were put together in a short video clip that was presented at the Hackathon closing ceremonies.
Three out of four applications failed a basic security policy. My recommendation: directors need more rigorous audition of the source code they show on their screens. :)
This project was a fun little video done in the spirit of Hackathon. Obviously, a movie set is not a hostile environment and a flaw in the source code of a computer in a movie is not going to change the plot line. In a world where every third party component used in application development introduces an average of twenty new flaws, businesses must do better to “audition” the code they choose to power the systems they use. You can’t yell “Cut” and restart a scene when your insecure code is exposed to the world.
#1 Source: NCIS
“Does this look familiar?”
“Looks like the computer program I designed for my thesis project.”
“BS in Terrorism?”
“Yeah, your little number jumble was installed onboard City Lines oil platform before it exploded.”
The reality? The code on the phone was cut and pasted from the Microsoft Bing Help Center API page, and it passed a basic static scan policy. Perhaps static analysis would have saved these detectives some time.
#2 Source: Revolution
“What’s the hold-up?”
“It’s a 62 character override code, okay? It’s going to take a minute.”
“Ok! I got it, I got it! That’s it!”
The reality? This is source code from an open source biometrics application. While a Veracode analysis did not identify any override code or backdoor in this software, the software did not pass a basic policy.
#3 Source: Iron Man
“Finish the last of the power sequence.”
“Function 11. Tell me when you see a progress bar.”
“Press Control I. I Enter. I Enter”
“Come over and button me up.”
While you think you are watching the code that powers the Iron Man suit, the reality is that this is controller code, written in C, for a Lego Programmable Brick set.
#4 Source: Charlie’s Angels
This scene shows them breaking into a digital safe with an LCD touchscreen. The code on the screen is actually nothing more than a Sudoku game.