Programmers cut corners far more often than they would care to admit. Not surprisingly, these time-saving habits can carry serious security risks, especially when insecure code finds its way into community forums.
A recent study of vulnerabilities in code shared on the popular Q&A site Stack Overflow is a strong warning to programmers. Because Stack Overflow is the destination of choice for most programmers in a hurry, users often copy code snippets wholesale to solve complex coding problems.
The research paper was one of the first to focus on flaws in C++. The researchers chose to focus on C++ because of its popularity, especially for embedded, resource-constrained programs and large, distributed systems. Also, any vulnerabilities found in these types of systems are likely to have a significant impact.
The team behind the study reviewed 72,483 C++ code snippets for weaknesses defined by the industry-standard Common Weakness Enumeration (CWE). They found 69 weaknesses, representing 29 different types of security flaw. Some of the snippets contained bugs that could compromise the security of any software they ended up being part of.
Whilst this sounds like a low percentage, those 69 vulnerable snippets had found their way into a total of 2,859 projects on the Microsoft-owned software development platform GitHub. When the researchers notified 117 of the affected GitHub project owners that the borrowed code they were using contained bugs, only 15 responded.
Serial copy-and-pasters now need to work out which of their borrowed code is insecure and which isn’t, especially where it has already been built into their software. Fear not: the researchers behind the study have developed a Chrome extension that checks copied code against the CWE’s database of vulnerable code, and they plan to release it in the near future.
Vulnerable code could be floating around on other sites too, so programmers should review their security policies on copying code from any external site.
Are you a serial copy and paster? Will the recent revelations make you stop? Let us know your thoughts by tweeting us @hyve!