idw - Informationsdienst
Wissenschaft
A common practice among software developers is to use so-called code snippets from the platform Stack Overflow. A study by CISPA researcher Alfusainey Jallow now shows that this can lead to security risks in the long run. One of the reasons for this is that security-relevant updates to the code snippets often do not find their way into the software in which the snippets are used. Jallow published the results of his study in the paper "Measuring the Effects of Stack Overflow Code Snippet Evolution on Open-Source Software Security" at the IEEE Symposium on Security and Privacy (SP) 2024.
During their everyday programming work, software developers frequently encounter problems for which they need a quick solution. "Earlier studies have shown that the most prominent information source developers consult is not textbooks but Stack Overflow," explains CISPA researcher Alfusainey Jallow. Stack Overflow is part of the Stack Exchange Network and is a popular online platform for programmers and developers to find answers to various programming topics and problems. "The popularity of Stack Overflow is due to the fact that it offers functional code snippets. A code snippet is a chunk of code, written in a particular programming language, that solves a specific problem. You can usually use it directly in your own project with little to no changes," Jallow continues.
Search for outdated code snippets in GitHub projects
It is known from prior research that there are security-critical variants of the code snippets on Stack Overflow. Whether the code copied from Stack Overflow is secure can be checked, for instance, with the help of browser plugins. It is also known that the code snippets are not static but constantly evolving. "However, what had not yet been investigated is the question of whether developers who copy code snippets from Stack Overflow into their software also update them when changes are made to the snippets on Stack Overflow," Jallow says. In order to find out about that, Jallow and his colleagues examined open software projects on the popular platform GitHub. "GitHub is used to host code and to collaborate with others on a specific software project," explains the CISPA researcher. He developed a multi-step procedure to detect outdated versions of code snippets in GitHub projects and to check whether or not security-relevant updates have been performed on these code snippets.
Missing updates to code snippets lead to vulnerabilities
In their investigation of around 11,500 Github projects, Jallow and his colleagues found that every second reused code snippet is outdated, regardless of the programming language. They found no evidence showing that GitHub developers had implemented updates to Stack Overflow code snippets in their projects. According to Jallow, the dangers linked to these findings lie in the almost unlimited distribution potential of the software. "If you copy a code snippet from Stack Overflow that can violate users’ privacy, and they install the app on their phone, it will have a lot of social implications. If privacy is violated by a code snippet from Stack Overflow, it’s a really big problem," he is convinced. Jallow and his colleagues conclude from their findings that "developers do not check the snippets copied from Stack Overflow for any updates, or are not aware that the code they reuse is being discussed and updated or fixed on Stack Overflow."
Missing tool is a mission for the future
Jallow’s current advice to developers: "Be careful when using code snippets from Stack Overflow. And when you use them, find a way to remember them." As there is no automated tool yet, developers have to check for themselves if there is an update for the copied snippets available on Stack Overflow. This is what drives Jallow, as he explains in the interview: "In order to close this gap, I want to develop a tool. If it is not going to happen in the course of my PhD thesis, then at a later point in my career. CISPA has this amazing ecosystem that transfers research results to industry, and promotes spin-offs and start-ups. It's a great opportunity that CISPA offers, and I would like to take advantage of it."
Jallow, Alfusainey and Schilling, Michael and Backes, Michael and Bugiel, Sven
(2024) Measuring the Effects of Stack Overflow Code Snippet Evolution on Open-Source Software Security. In: 45th IEEE Symposium on Security and Privacy.
Conference: SP IEEE Symposium on Security and Privacy
Visualization to the paper "Measuring the Effects of Stack Overflow Code Snippet Evolution on Open-S ...
CISPA
Criteria of this press release:
Journalists, Scientists and scholars
Information technology
transregional, national
Research results
English
You can combine search terms with and, or and/or not, e.g. Philo not logy.
You can use brackets to separate combinations from each other, e.g. (Philo not logy) or (Psycho and logy).
Coherent groups of words will be located as complete phrases if you put them into quotation marks, e.g. “Federal Republic of Germany”.
You can also use the advanced search without entering search terms. It will then follow the criteria you have selected (e.g. country or subject area).
If you have not selected any criteria in a given category, the entire category will be searched (e.g. all subject areas or all countries).