Whether you're a beginner programmer printing your first 'Hello World' or a veteran full-stack developer, at one time or another, you've had to resort to searching online to code even the simplest tasks. There's a tendency to copy-and-paste code from websites like Stack Overflow to get the job done quick and easy.
There's an often-overlooked danger to this practice: reused (and likely outdated) code may leave security vulnerabilities which can be exploited.
Novice programmers are especially susceptible to this since the lack of a trained eye makes it difficult to discern the vulnerabilities in what appears to be a functional code.
While not all developers do this, it's a lot more widespread than you might think due to its convenience.
To illustrate, a study published in the 2017 IEEE Symposium on Security and Privacy found an alarming statistic: of the 1.3 million Android applications on Google Play that were analyzed, 15.4% of them contained reused security-related code from Stack Overflow, of which almost 98% contained vulnerable code snippets.
At the time, this totaled to around 196,000 applications with vulnerable code that could be exploited easily. Many of the applications were in categories that dealt with highly sensitive information, such as in business, health and fitness, finance, and more.
With so many applications at risk, the practice poses a danger to many of its users, especially those that opt to provide highly sensitive information like medical data and financial records.
Recently, researchers from Shiraz University, Polytechnique Montreal University, and Chamran University published their work, An Empirical Study of C++ Vulnerabilities in Crowd-Sourced Code Examples, in Cornell University's arXiv repository.
Out of over 70,000 code snippets reviewed on the Stack Overflow over a ten-year period, 69 were identified as vulnerable C++ code snippets, which the researchers found being reused in 2859 GitHub projects.
According to the study, vulnerabilities stemmed from several sources, although the most prominent ones came primarily from bad coding practices, improper checks for exceptional conditions, and improper input validation.
As a barrier of safety against practices like this, the researchers developed a browser extension that detects these commonly used vulnerable snippets. The extension then explains the security risk from the vulnerable code and presents an updated alternative solution for users. According to an interview with The Register, the extension is to be released for Google Chrome once the paper is formally published.
While it's not bad to seek help from places like Stack Overflow and other similar sites (they're a great learning resource to help build your skillset in programming), users should be aware about the possible dangers of reusing code found online without full understanding of them.
Tools like the planned browser extension can help protect against security vulnerabilities, but ultimately the best practice is to be discerning and to understand the code you put into your software fully. The road to becoming a better programmer lies in learning to create high-quality and secure code instead of copy–pasting a potentially risky code.
