Software is like milk, it goes bad over time: A guide on building safe code


Vodworks

August 14, 2023 - 3 min read


Many moons ago while I was working in the open source software security industry, I came across this statement:  “Software is like milk and not a fine wine. A fine wine matures with age, while software and milk go off over time”.

So, what is meant by that, you may ask? Well, if we break software down into its raw component parts we are left with code that is bespoke and code that is ‘off the shelf’. A good example of ‘off the shelf’ code is open-source components, which are much like LEGO pieces, if you will, with each piece of LEGO being uniquely numbered. Similar to LEGO, many open-source code components are modular building blocks: small, reusable units of code serving specific functions or features. And, just as LEGO pieces can be combined to build intricate structures, open-source code components can be combined and connected to create more complex software.


The issue with open-source code components is that they are provided by many contributors and are therefore wide open to vulnerabilities if not regularly updated or, worse, abandoned. Fortunately, there are some very well-kept repositories that have set the standard when it comes to artefact hygiene. The Maven project (Java) is an obvious one that springs to mind. Many other repositories, however, have little hygiene or few controls in place to identify the dates, owners, and versions of the code. This leaves developers working with the code at a loss as to which version is the latest to use.

Another issue with software is that, as developers naturally work at speed to get projects built on time, security is often a secondary thought and can be seen to slow down their work. With this being the case, some have the tendency to reuse artefacts they have used in the past, thereby creating their own ‘golden repository’. This is OK as long as the repository is regularly monitored and cross-referenced for age, updates, and Common Vulnerabilities and Exposures (CVEs). But alas, often this is not the case, leading to the unwitting creation of potential ‘back-doors’ in the software build.

Vulnerabilities like these are something the security industry is becoming acutely aware of. Fortunately, there are companies now addressing these issues by providing health checks and bills of materials that identify components in the build, through cross-referencing of repositories and CVE databases, that may be vulnerable or have, in effect, ‘gone off’ - hence the ‘like milk’ analogy.
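The health check described above, as an added example that is not part of the original post or any Vodworks tooling: a small script that walks a constructed SBOM, cross-references each component against a constructed vulnerability feed, and also flags components whose last release is older than a freshness threshold (the ‘gone off’ case). Component names, CVE identifiers and release dates are all placeholders; the version comparison is a simplified "affected below version X" rule rather than a full CPE/range match.

```python
"""Cross-reference an SBOM against a CVE feed and a freshness threshold."""
from datetime import date

# Constructed sample SBOM (CycloneDX-style subset): name, version, last release date.
SBOM = [
    {"name": "example-json-lib", "version": "2.3.1", "released": "2023-05-02"},
    {"name": "example-xml-parser", "version": "1.0.4", "released": "2019-11-20"},
    {"name": "example-http-client", "version": "4.5.0", "released": "2022-08-14"},
]

# Constructed vulnerability feed: component, first fixed version, placeholder CVE id.
VULN_DB = [
    {"name": "example-xml-parser", "fixed_in": "1.1.0", "id": "CVE-PLACEHOLDER-0001"},
    {"name": "example-http-client", "fixed_in": "4.4.0", "id": "CVE-PLACEHOLDER-0002"},
]

MAX_AGE_DAYS = 365 * 2  # assumed policy: anything not released in two years is stale


def parse_version(v):
    """Turn '1.2.3' into a comparable tuple (1, 2, 3)."""
    return tuple(int(p) for p in v.split("."))


def vulnerable_ids(component, vuln_db):
    """Return CVE ids whose fix version is newer than the version in use."""
    used = parse_version(component["version"])
    return [e["id"] for e in vuln_db
            if e["name"] == component["name"] and used < parse_version(e["fixed_in"])]


def age_days(component, today):
    """Days since the component's last release."""
    return (today - date.fromisoformat(component["released"])).days


def health_check(sbom, vuln_db, today, max_age_days=MAX_AGE_DAYS):
    """Map 'name@version' to a list of findings for every unhealthy component."""
    findings = {}
    for c in sbom:
        issues = [f"vulnerable: {vid}" for vid in vulnerable_ids(c, vuln_db)]
        if age_days(c, today) > max_age_days:
            issues.append(f"stale: released {c['released']}")
        if issues:
            findings[f"{c['name']}@{c['version']}"] = issues
    return findings


if __name__ == "__main__":
    for comp, issues in health_check(SBOM, VULN_DB, date(2023, 8, 14)).items():
        print(comp, "->", "; ".join(issues))
```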

It may sound obvious that writing good software is important. But, as said before, it is all too often sacrificed for speed. To say hackers are lazy is a bit unfair, but by building software with potential vulnerabilities we are leaving easy opportunities for them to exploit. Exploitation of such vulnerabilities isn’t isolated to small organisations. Companies like Microsoft, Adobe, AMD, Disney, and Lenovo (just to name a few) have been affected by open-source vulnerabilities.

In fact, according to a report from Synopsys and The Consortium for Information and Software Quality, poor software quality may have cost $2.41 trillion in 2022 in the US alone and related cyber crime cost the world approximately $7 trillion. The report also found that the cost of accumulated technical debt in the US caused by cutting corners to expedite feature or software release delivery with a ‘build now fix later’ mentality had risen to $1.52 trillion.

It’s really important when building or h that care is taken in ensuring you or your selected partner are using clean code. At Vodworks, our focus on ensuring security is paramount throughout the SDLC (Software Development Lifecycle), all the way from how we build and maintain code to ensuring sensitive information is never leaked and our clients are constantly informed on areas we see need addressing.
