Outdated code snippets from Stack Overflow jeopardise software security

Visualization to the paper "Measuring the Effects of Stack Overflow Code Snippet Evolution on Open-Source Software Security"
(c) CISPA

A common practice among software developers is to use so-called code snippets from the platform Stack Overflow. A study by CISPA researcher Alfusainey Jallow now shows that this can lead to security risks in the long run. One of the reasons for this is that security-relevant updates to the code snippets often do not find their way into the software in which the snippets are used. Jallow published the results of his study in the paper “Measuring the Effects of Stack Overflow Code Snippet Evolution on Open-Source Software Security” at the IEEE Symposium on Security and Privacy (SP) 2024.

During their everyday programming work, software developers frequently encounter problems for which they need a quick solution. “Earlier studies have shown that the most prominent information source developers consult is not textbooks but Stack Overflow,” explains CISPA researcher Alfusainey Jallow. Stack Overflow is part of the Stack Exchange Network and is a popular online platform for programmers and developers to find answers to various programming topics and problems. “The popularity of Stack Overflow is due to the fact that it offers functional code snippets. A code snippet is a chunk of code, written in a particular programming language, that solves a specific problem. You can usually use it directly in your own project with little to no changes,” Jallow continues.

Search for outdated code snippets in GitHub projects

It is known from prior research that there are security-critical variants of the code snippets on Stack Overflow. Whether the code copied from Stack Overflow is secure can be checked, for instance, with the help of browser plugins. It is also known that the code snippets are not static but constantly evolving. “However, what had not yet been investigated is the question of whether developers who copy code snippets from Stack Overflow into their software also update them when changes are made to the snippets on Stack Overflow,” Jallow says. In order to find out about that, Jallow and his colleagues examined open software projects on the popular platform GitHub. “GitHub is used to host code and to collaborate with others on a specific software project,” explains the CISPA researcher. He developed a multi-step procedure to detect outdated versions of code snippets in GitHub projects and to check whether or not security-relevant updates have been performed on these code snippets.

Missing updates to code snippets lead to vulnerabilities

In their investigation of around 11,500 Github projects, Jallow and his colleagues found that every second reused code snippet is outdated, regardless of the programming language. They found no evidence showing that GitHub developers had implemented updates to Stack Overflow code snippets in their projects. According to Jallow, the dangers linked to these findings lie in the almost unlimited distribution potential of the software. “If you copy a code snippet from Stack Overflow that can violate users’ privacy, and they install the app on their phone, it will have a lot of social implications. If privacy is violated by a code snippet from Stack Overflow, it’s a really big problem,” he is convinced. Jallow and his colleagues conclude from their findings that “developers do not check the snippets copied from Stack Overflow for any updates, or are not aware that the code they reuse is being discussed and updated or fixed on Stack Overflow.”

Missing tool is a mission for the future

Jallow’s current advice to developers: “Be careful when using code snippets from Stack Overflow. And when you use them, find a way to remember them.” As there is no automated tool yet, developers have to check for themselves if there is an update for the copied snippets available on Stack Overflow. This is what drives Jallow, as he explains in the interview: “In order to close this gap, I want to develop a tool. If it is not going to happen in the course of my PhD thesis, then at a later point in my career. CISPA has this amazing ecosystem that transfers research results to industry, and promotes spin-offs and start-ups. It’s a great opportunity that CISPA offers, and I would like to take advantage of it.”

Originalpublikation:

Jallow, Alfusainey and Schilling, Michael and Backes, Michael and Bugiel, Sven
(2024) Measuring the Effects of Stack Overflow Code Snippet Evolution on Open-Source Software Security. In: 45th IEEE Symposium on Security and Privacy.
Conference: SP IEEE Symposium on Security and Privacy

https://cispa.de/en/jallow-stackoverflow

Media Contact

Felix Koltermann Unternehmenskommunikation
CISPA Helmholtz Center for Information Security

All latest news from the category: Information Technology

Here you can find a summary of innovations in the fields of information and data processing and up-to-date developments on IT equipment and hardware.

This area covers topics such as IT services, IT architectures, IT management and telecommunications.

Back to home

Comments (0)

Write a comment

Newest articles

NASA: Mystery of life’s handedness deepens

The mystery of why life uses molecules with specific orientations has deepened with a NASA-funded discovery that RNA — a key molecule thought to have potentially held the instructions for…

What are the effects of historic lithium mining on water quality?

Study reveals low levels of common contaminants but high levels of other elements in waters associated with an abandoned lithium mine. Lithium ore and mining waste from a historic lithium…

Quantum-inspired design boosts efficiency of heat-to-electricity conversion

Rice engineers take unconventional route to improving thermophotovoltaic systems. Researchers at Rice University have found a new way to improve a key element of thermophotovoltaic (TPV) systems, which convert heat…