Safe vs Secure

A software engineer's point of view

Martin Thoma
Sep 27, 2020 · 3 min read

When I hear “safety” in the context of software development, I’m always reminded that I need to automate my backup solution. The potential harm most software developers have to deal with is luckily only data loss due to hardware failures.

Safety is resilience against accidental harm to people, property, or the environment.

  • Availability: A single server could be cut off from the internet by construction workers, a hard drive could reach its end of life, a fire could break out, or an earthquake could hit the region.
  • Scalability: Web services might go down when they are too successful. When a huge website links to a small one, the resulting overload is sometimes called the “hug of death”; a successful marketing campaign can have the same effect.
  • Integrity: All ways to send data are prone to errors. Packet loss or bit flips happen. We have error-correcting protocols to deal with that.

Software can also be safety-critical, for example when you think about airbags. A defect there can put lives at risk (example). Other examples of safety-critical software include traffic lights, life-support systems, software managing electrical power grids, industrial software used in machines that produce medicine, pacemakers, and many more.

When we are talking about security in software development, we are thinking about hackers. Wikipedia has a pretty nice explanation:

Security is resilience against harm caused by others.

  • Accountability: You want to have a log of changes. This includes source code. In the version control system git, you can even cryptographically sign the changes so that tampering with them by others can be detected.
  • Availability: An attacker might run a Denial-of-Service (DoS) attack.
  • Confidentiality: Man-in-the-middle (MITM) attacks that apply packet sniffing come to my mind. Dharmil Chhadva wrote a nice article about this topic.
  • Integrity: Think of a bank account. An attacker wants to increase the money on one account. Cryptojacking is an example where it is not the data but the software itself that is affected.
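The two integrity bullets above (bit flips in transit under safety, a deliberately altered bank transfer under security) call for different mechanisms. The following example is added here and is not part of the original post; it contrasts a CRC32 with an HMAC on a constructed message and shared key: both catch a random bit flip, but only the keyed HMAC catches a change made by someone who knows the message format but not the key.

```python
import hashlib
import hmac
import zlib

# Constructed sample values, not from the original post.
MESSAGE = b"transfer 100 EUR to account 42"
KEY = b"example-shared-secret"  # assumed: known only to sender and receiver


def crc_protect(data: bytes) -> tuple[bytes, int]:
    """Safety-style integrity: a keyless CRC32 that detects accidental corruption."""
    return data, zlib.crc32(data)


def crc_verify(data: bytes, tag: int) -> bool:
    return zlib.crc32(data) == tag


def hmac_protect(data: bytes, key: bytes) -> tuple[bytes, bytes]:
    """Security-style integrity: a keyed MAC that cannot be recomputed without the key."""
    return data, hmac.new(key, data, hashlib.sha256).digest()


def hmac_verify(data: bytes, tag: bytes, key: bytes) -> bool:
    # compare_digest avoids leaking the comparison result through timing.
    expected = hmac.new(key, data, hashlib.sha256).digest()
    return hmac.compare_digest(expected, tag)


def flip_bit(data: bytes, bit_index: int) -> bytes:
    """Simulate an accidental single-bit error in transit."""
    buf = bytearray(data)
    buf[bit_index // 8] ^= 1 << (bit_index % 8)
    return bytes(buf)


def demo() -> dict:
    results = {}
    # Accidental corruption: both mechanisms notice the flipped bit.
    data, crc = crc_protect(MESSAGE)
    results["crc_detects_bitflip"] = not crc_verify(flip_bit(data, 5), crc)
    data, mac = hmac_protect(MESSAGE, KEY)
    results["hmac_detects_bitflip"] = not hmac_verify(flip_bit(data, 5), mac, KEY)

    # Deliberate change by a third party who does not hold KEY.
    altered = MESSAGE.replace(b"100", b"900")
    # CRC32 needs no secret, so a matching tag for the altered data is trivial to produce.
    results["crc_detects_tampering"] = not crc_verify(altered, zlib.crc32(altered))
    # Without KEY the best the third party can do is a tag under some other key.
    forged = hmac.new(b"wrong-key", altered, hashlib.sha256).digest()
    results["hmac_detects_tampering"] = not hmac_verify(altered, forged, KEY)
    return results
```

The lesson for the distinction in this post: a checksum is a safety measure, a MAC (or a signature, as with signed git commits) is a security measure, and one does not substitute for the other.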

Measures to increase security include:

TL;DR: Differences between Safety and Security

See also
