Programming Shortcuts ‘Lead To Security Risks’

Programmers may be inadvertently introducing common security bugs into their projects if they make use of code posted on social media, new research suggests.

A study carried out by researchers from Canadian and Iranian universities found that code snippets posted on Stack Overflow, a popular Q&A site for programmers, contained common weaknesses that later appeared in thousands of software projects.

The researchers manually reviewed some 72,483 snippets posted on Stack Overflow over the past ten years, finding a total of 69 vulnerable snippets categorised into 29 types.

All of the snippets reviewed had been used in at least one project on GitHub, a popular code-hosting site.

Vulnerability

While that frequency may appear low, the researchers found that the 69 vulnerable snippets had made their way into some  2,859 GitHub projects.

The researchers contacted the developers who had posted the vulnerable snippets, but many of the snippets remain uncorrected, with only 13 percent of developers saying they had fixed the code.

“Many of the investigated code snippets are still not corrected on Stack Overflow,” the researchers said in the study.

The most commonly found errors in the C++ snippets included a failure to properly check for exceptional conditions and improper validation of user input.

The researchers said they have developed a Chrome browser extension that automatically checks snippets for common code weaknesses as they are being uploaded by a developer.  They plan to release the extension when the research is formally published.

Crowdsourced code

Their paper, “An Empirical Study of C++ Vulnerabilities in Crowd-Sourced Code Examples”, is being considered for possible publication in IEEE Transactions on Software Engineering.

Ashkan Sami, associate professor of computer science, engineering, and information technology at Shiraz University in Iran, said the research was intended to highlight the dangers of relying on social media generally for programming examples.

“It’s better for programmers to do it the hard way and learn secure coding,” he told industry publication The Register.

Matthew Broersma

Matt Broersma is a long standing tech freelance, who has worked for Ziff-Davis, ZDnet and other leading publications

Recent Posts

Near Miss With Drone At Gatwick Airport

Rogue drone came within 20m (65ft) of a passenger plane as it flew in to Gatwick Airport in July

13 hours ago

Microsoft, IBM Join Forces With Linux Foundation To Fight Patent Trolls

Don't feed the trolls. Partnership to fight 'Patent Assertion Entities', otherwise known as patent trolls

14 hours ago

Big Data: The Race for Talent

Data is now every business’s most precious commodity. Having a workforce that can manage this resource is an imperative for…

16 hours ago

Cisco Files Lawsuit Against Former Employees

Three former staffers allegedly stole thousands of confidential files when they detected to competitor

16 hours ago

Google Cloud Next UK: Google Highlights European Data Protections

Largest Google Cloud event in Europe sees search engine giant commit to enhance European data protection with additional tools

17 hours ago

Google Cloud Next UK: Google Touts Vodafone, John Lewis Deals

Google kicks off its largest Google Cloud event in Europe touting contracts with Vodafone, as well as the John Lewis…

19 hours ago