Software Easter Eggs and Security?

An interesting thread started last Friday on /.: Would You Add Easter Eggs To Software Produced At Work?

Easter eggs are hidden messages present in movies or software (or any other kind of media). It’s a tradition for developers to code some funny features or messages into their software. To reveal them, a special sequence of actions is required, such as “press CTRL and ALT and click on the small upper-right company logo at the same time”.

And what about security? In the software development phases, security aspects must be analyzed from the beginning. Code review must also be performed, ideally by other developers. If some easter eggs are added after the review, does the code remain valid and ready for production?

On the other hand, some easter eggs can introduce vulnerabilities. Example: a specific HTML page is displayed from an alternate server. What will happen if that server is compromised and the page replaced with a malicious one?
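To make the risk of the "page fetched from an alternate server" example concrete, here is an added illustration (not code from the original post or from the /. thread). It assumes the fetched bytes have already been retrieved by some HTTP client and contrasts the risky pattern (render whatever comes back) with a hardened form that only renders content whose SHA-256 matches a hash pinned at review time. All page contents and "server responses" below are constructed sample data.

```python
import hashlib
import hmac
from typing import Optional

# Constructed sample: the easter-egg page exactly as it was code-reviewed and shipped.
APPROVED_PAGE = b"<html><body><h1>Made with love by the dev team</h1></body></html>"

# Hash pinned in the application at build time, computed from the reviewed content.
# In a real build this constant would be generated by the release pipeline.
APPROVED_SHA256 = hashlib.sha256(APPROVED_PAGE).hexdigest()

# Constructed "alternate server" responses: the honest one, and one returned
# after the server has been compromised and the page replaced.
HONEST_RESPONSE = APPROVED_PAGE
TAMPERED_RESPONSE = b"<html><body><p>this page was replaced after the review</p></body></html>"


def render_easter_egg_unsafe(fetched: bytes) -> str:
    """The risky pattern from the post: whatever the alternate server returns is shown as-is.

    Nothing ties the displayed content to what was reviewed, so a compromised
    server silently changes what the application shows its users.
    """
    return fetched.decode("utf-8", errors="replace")


def render_easter_egg_pinned(fetched: bytes, expected_sha256: str) -> Optional[str]:
    """Hardened form: render only content whose SHA-256 matches the reviewed hash.

    Returns the page text when it matches, or None when the remote content has
    changed since review; the caller then shows nothing instead of unreviewed HTML.
    """
    digest = hashlib.sha256(fetched).hexdigest()
    # Constant-time comparison so the check itself does not leak timing information.
    if not hmac.compare_digest(digest, expected_sha256):
        return None
    return fetched.decode("utf-8")


if __name__ == "__main__":
    # Unsafe variant renders the tampered page without complaint.
    print("unsafe :", render_easter_egg_unsafe(TAMPERED_RESPONSE))
    # Pinned variant accepts the reviewed page and rejects the replaced one.
    print("pinned :", render_easter_egg_pinned(HONEST_RESPONSE, APPROVED_SHA256))
    print("pinned :", render_easter_egg_pinned(TAMPERED_RESPONSE, APPROVED_SHA256))
```

The pinned hash means the easter egg can only ever display the content that went through review, which is the property the post is asking about; the simplest mitigation of all is to not fetch the page remotely and bundle it with the reviewed build instead.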

I agree that developers like to leave a signature on their work, but is it really professional behavior? As said in the /. discussion:

Do civil or mechanical engineers leave easter eggs? Do nurses? Do doctors? Grow the hell up… people bitch about software folks never being given the same respect as other engineering fields and it is the attitude of the average programmer that has a sizable part in explaining this.

Would you want your doctor leaving an easter egg? Would you want your dentist? Or would you find it funny if your phone dialed random numbers on some developer’s birthday? Or if your traffic light flashed all green every summer solstice? I think not.
