How workplace safety is similar to software security?

After spending over a decade working in the application security industry, I have recently had a chance to do something different for the past few months. When Veracode was sold to TA Associates in April last year, I was looking for something new and challenging to work on. I happened to join the Singapore Deep Tech Alliance as part of their venture builder cohort of SDTA 23.?

At SDTA, I have spent a lot of time thinking about the problem of workplace safety. According to the International labour Organization (ILO), every year 2.3 million people die due to workplace accidents or occupational diseases. In Singapore last year, we had a total of 46 fatalities due to workplace accidents. Despite a lot of effort by companies and governments, workplace safety remains a big challenge everywhere.?

As I thought deeply about this problem over the last few months, I came to the realisation that the problem of workplace safety is very similar to that of software security. My past experience of building security tools for developers has been really critical for me to understand with the issues of safety at workplace.

In this article, I compare and contrast the issues of workplace safety and software security w.r.t to the 3 Ps - people, problems and processes.

People

It starts with the people or the personas that are of importance in the two domains. In software security, we often talk about how developers are the real users and we build our tools to enable them to write better code or fix bugs. Similarly, in a workplace, workers are the individuals we are trying to protect.?

Developers and workers always operate under the constraints of increasing their productivity. In case of developers, it is about the velocity of application development while in case of workers it is the overall productivity of the task at hand. This focus on always increasing the productivity leads to near-misses at the workplace and bugs in applications.

Another aspect is the interesting dynamics of people involved. There is always a healthy tension between the work of software developers and security engineers. Security folks want the application to be secure and often add checks and gates in the development process that are perceived as impediments by developers (who are just trying to get their work done).

Similarly, in workplace safety, we have safety supervisors that are expected to do inspections and are responsible for the overall safety of a workplace. The reminders from supervisors to workers to focus on safety are often perceived as unnecessary by the worker (who is again just getting their job done).?

A good technology solution for safety and security should focus on these aspects of incentives and behaviours of individuals. Enabling security engineers/safety supervisors to do their jobs without getting in the way of the developers/workers is critical to adoption of any new solution. Finally, the key decision maker or the persona responsible for the budget of workplace safety is the EHS (Environment, Health and Safety) head which is analogous to the CISO or head of application security who has the security budget in a typical organisation. ?

Problems

At a worksite often the trade off made by the supervisor is about increasing productivity while managing the risks of safety. This is very similar to software development where the velocity of new releases often at odds with the need to properly test and secure applications. This means that often companies have to prioritise the risk from work activities and software development based on the severity.

In fact, we can visualise the overall risks in a very similar way in both domains:

As shown above,?in the vulnerability iceberg, most of the vulnerabilities in software are in parts of the code that is not written directly by the developer but is hidden in third party dependencies.

On the other hand, in the safety pyramid we see that for every single fatality usually there are orders of magnitude more major injuries, minor injuries and so on all the way down to the risky work behaviours.

Also, in both cases most often the only reason companies care and take action is because of compliance and regulations. In application security this is in form of regulations like SOX, PCI DSS, HIPAA, etc. and in worker safety it is usually due to acts like OSHA, WSHA etc.?

Processes

To comply with different safety regulations at workplaces various SOPs (standard operating procedures) have to be followed. Depending on the activity and risk involved these can be very detailed and require care and oversight to enforce. Similarly, for software security most companies would try to minimise risks by enforcing a policy based on severity and priority of vulnerabilities and threats.?

Only by carefully managing the policies and processes an organization is able enforce the necessary regulation or standards. Any technology solution which seeks to address these issues both for worker safety or software security needs to be flexible and configurable enough to support the underlying policy that needs to be implemented.

In conclusion, the parallels between software security and workplace safety are evident, with both domains focusing on people, prioritization, and well-defined processes. Recognizing these similarities has inspired two innovative projects:

1. Securade.ai: A generative AI-based video analytics platform aimed at enhancing workplace safety and productivity. By identifying safety hazards and risky behaviors in real-time, it empowers safety supervisors to intervene effectively without disrupting workers.
2. Patched.codes: An AI-based vulnerability remediation service that provides fully vetted fixes for software vulnerabilities. By automating remediation analysis and offering actionable recommendations, security engineers can address vulnerabilities efficiently.

These two projects represent my dedication to solving critical issues in workplace safety and software security. By embracing the power of AI and innovative technologies, I am confident that we can make significant strides in addressing these challenges and creating safer and more secure environments for workers and software users alike.