idw – Informationsdienst Wissenschaft

Nachrichten, Termine, Experten

Grafik: idw-Logo
Science Video Project
idw-Abo

idw-News App:

AppStore

Google Play Store



Instanz:
Teilen: 
26.08.2024 15:47

Outdated code snippets from Stack Overflow jeopardise software security

Felix Koltermann Unternehmenskommunikation
CISPA Helmholtz Center for Information Security

    A common practice among software developers is to use so-called code snippets from the platform Stack Overflow. A study by CISPA researcher Alfusainey Jallow now shows that this can lead to security risks in the long run. One of the reasons for this is that security-relevant updates to the code snippets often do not find their way into the software in which the snippets are used. Jallow published the results of his study in the paper "Measuring the Effects of Stack Overflow Code Snippet Evolution on Open-Source Software Security" at the IEEE Symposium on Security and Privacy (SP) 2024.

    During their everyday programming work, software developers frequently encounter problems for which they need a quick solution. "Earlier studies have shown that the most prominent information source developers consult is not textbooks but Stack Overflow," explains CISPA researcher Alfusainey Jallow. Stack Overflow is part of the Stack Exchange Network and is a popular online platform for programmers and developers to find answers to various programming topics and problems. "The popularity of Stack Overflow is due to the fact that it offers functional code snippets. A code snippet is a chunk of code, written in a particular programming language, that solves a specific problem. You can usually use it directly in your own project with little to no changes," Jallow continues.

    Search for outdated code snippets in GitHub projects

    It is known from prior research that there are security-critical variants of the code snippets on Stack Overflow. Whether the code copied from Stack Overflow is secure can be checked, for instance, with the help of browser plugins. It is also known that the code snippets are not static but constantly evolving. "However, what had not yet been investigated is the question of whether developers who copy code snippets from Stack Overflow into their software also update them when changes are made to the snippets on Stack Overflow," Jallow says. In order to find out about that, Jallow and his colleagues examined open software projects on the popular platform GitHub. "GitHub is used to host code and to collaborate with others on a specific software project," explains the CISPA researcher. He developed a multi-step procedure to detect outdated versions of code snippets in GitHub projects and to check whether or not security-relevant updates have been performed on these code snippets.

    Missing updates to code snippets lead to vulnerabilities

    In their investigation of around 11,500 Github projects, Jallow and his colleagues found that every second reused code snippet is outdated, regardless of the programming language. They found no evidence showing that GitHub developers had implemented updates to Stack Overflow code snippets in their projects. According to Jallow, the dangers linked to these findings lie in the almost unlimited distribution potential of the software. "If you copy a code snippet from Stack Overflow that can violate users’ privacy, and they install the app on their phone, it will have a lot of social implications. If privacy is violated by a code snippet from Stack Overflow, it’s a really big problem," he is convinced. Jallow and his colleagues conclude from their findings that "developers do not check the snippets copied from Stack Overflow for any updates, or are not aware that the code they reuse is being discussed and updated or fixed on Stack Overflow."

    Missing tool is a mission for the future

    Jallow’s current advice to developers: "Be careful when using code snippets from Stack Overflow. And when you use them, find a way to remember them." As there is no automated tool yet, developers have to check for themselves if there is an update for the copied snippets available on Stack Overflow. This is what drives Jallow, as he explains in the interview: "In order to close this gap, I want to develop a tool. If it is not going to happen in the course of my PhD thesis, then at a later point in my career. CISPA has this amazing ecosystem that transfers research results to industry, and promotes spin-offs and start-ups. It's a great opportunity that CISPA offers, and I would like to take advantage of it."


    Originalpublikation:

    Jallow, Alfusainey and Schilling, Michael and Backes, Michael and Bugiel, Sven
    (2024) Measuring the Effects of Stack Overflow Code Snippet Evolution on Open-Source Software Security. In: 45th IEEE Symposium on Security and Privacy.
    Conference: SP IEEE Symposium on Security and Privacy


    Bilder

    Visualization to the paper "Measuring the Effects of Stack Overflow Code Snippet Evolution on Open-Source Software Security"
    Visualization to the paper "Measuring the Effects of Stack Overflow Code Snippet Evolution on Open-S ...

    CISPA


    Merkmale dieser Pressemitteilung:
    Journalisten, Wissenschaftler
    Informationstechnik
    überregional
    Forschungsergebnisse
    Englisch


     

    Visualization to the paper "Measuring the Effects of Stack Overflow Code Snippet Evolution on Open-Source Software Security"


    Zum Download

    x

    Hilfe

    Die Suche / Erweiterte Suche im idw-Archiv
    Verknüpfungen

    Sie können Suchbegriffe mit und, oder und / oder nicht verknüpfen, z. B. Philo nicht logie.

    Klammern

    Verknüpfungen können Sie mit Klammern voneinander trennen, z. B. (Philo nicht logie) oder (Psycho und logie).

    Wortgruppen

    Zusammenhängende Worte werden als Wortgruppe gesucht, wenn Sie sie in Anführungsstriche setzen, z. B. „Bundesrepublik Deutschland“.

    Auswahlkriterien

    Die Erweiterte Suche können Sie auch nutzen, ohne Suchbegriffe einzugeben. Sie orientiert sich dann an den Kriterien, die Sie ausgewählt haben (z. B. nach dem Land oder dem Sachgebiet).

    Haben Sie in einer Kategorie kein Kriterium ausgewählt, wird die gesamte Kategorie durchsucht (z.B. alle Sachgebiete oder alle Länder).