It is a common practice among programmers to copy-paste code snippets from the popular Q&A forum Stack Overflow to solve their coding problems.
But it turns out that this lazy habit carries a real security risk, as a paper titled “An Empirical Study of C++ Vulnerabilities in Crowd-Sourced Code Examples” shows.
Copied code can result in serious vulnerabilities
The authors of the paper reviewed more than 72,000 C++ code snippets taken from 1,325 Stack Overflow posts. They found 69 vulnerable snippets of 29 different types.
That number might seem small next to the huge number of GitHub projects, but those 69 vulnerable snippets showed up in 2,589 GitHub repositories, which is concerning.
Not everyone cares
Even though the researchers took the trouble to notify the authors of the affected GitHub projects, only some of them chose to fix the flaws, all of which map to known CWEs (Common Weakness Enumeration entries).
The research set out to describe how flawed code finds its way from Stack Overflow to GitHub, and to show that reusing code without reviewing it carefully can introduce vulnerabilities into software.
For this study, the team chose to focus on projects written in C++. The most frequently found CWEs were CWE-20 (Improper Input Validation), CWE-754 (Improper Check for Unusual or Exceptional Conditions), and CWE-1006 (Bad Coding Practices).
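To make the two most common weakness types concrete, here is an added example of a typical Q&A-style C++ snippet that turns user-supplied text into a port number, next to a hardened version. It is not code from the paper, from this article, or from any Stack Overflow post; the function names and the sample inputs in main() are assumptions made for illustration.

```cpp
// Added example, not taken from the paper or from Stack Overflow.
// parse_port_naive() is the shape of snippet that is commonly copied; it
// shows CWE-20 (no validation of the input) and CWE-754 (the conversion's
// failure is never checked). parse_port_checked() treats every unusual
// condition as an explicit error.
#include <charconv>
#include <cstdio>
#include <cstdlib>
#include <string>
#include <string_view>
#include <system_error>

// Naive version: atoi() returns 0 on garbage, stops at the first non-digit
// ("80abc" -> 80), and gives no error for values that do not fit in an int.
// The caller cannot tell "0" apart from "no number at all".
int parse_port_naive(const std::string& text) {
    return std::atoi(text.c_str());
}

// Hardened version: returns true and sets port_out only if the whole string
// is a decimal number in 1..65535. std::from_chars does not skip whitespace
// and, for an unsigned target, does not accept a sign, so anything other
// than plain digits is reported through ec or through a short parse (ptr != last).
bool parse_port_checked(std::string_view text, unsigned& port_out) {
    if (text.empty()) {
        return false;                // nothing to parse
    }
    unsigned value = 0;
    const char* first = text.data();
    const char* last = first + text.size();
    auto [ptr, ec] = std::from_chars(first, last, value, 10);
    if (ec != std::errc{}) {
        return false;                // not a number, or does not fit in unsigned
    }
    if (ptr != last) {
        return false;                // trailing junk such as "80abc"
    }
    if (value < 1 || value > 65535) {
        return false;                // out of range for a TCP/UDP port
    }
    port_out = value;
    return true;
}

// Convenience wrapper: the validated port, or 0 when the input is rejected.
// 0 is never a valid result of parse_port_checked, so it is unambiguous here.
unsigned parse_port_or_zero(std::string_view text) {
    unsigned port = 0;
    return parse_port_checked(text, port) ? port : 0;
}

int main() {
    // Constructed inputs for illustration (assumed, not from the paper).
    const char* samples[] = {"8080", "80abc", "abc", "0", "65536", "-1",
                             "99999999999999999999", ""};
    for (const char* s : samples) {
        std::printf("%-22s naive=%d checked=%u\n",
                    s, parse_port_naive(s), parse_port_or_zero(s));
    }
    return 0;
}
```

The checked version needs a C++17 compiler for std::from_chars. The pattern generalises beyond port numbers: consume the entire input, treat every failure path of the library call as an error, and enforce the domain range before the value is used.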
Wrong use of the platform
Stack Overflow is mainly a place for asking and answering questions. Many developers who submit code snippets as answers may not have a sound understanding of secure coding.
Hence it is not wise to reuse such code on the assumption that it is safe. Programmers are better off writing the code themselves and adopting secure coding practices.
But there is a way to use Stack Overflow code more safely
Giving up on Stack Overflow is not that simple for many developers, so the researchers have developed a Chrome extension that helps assess the security of a snippet.
Once installed, the extension checks copied code against the CWE database and alerts the programmer if the snippet contains known flaws.
The developers of the extension plan to release it soon. We will let you know as soon as that happens, so watch this space!