Measuring the Effects of Stack Overflow Code Snippet Evolution on Open-Source Software Security

conference contribution
posted on 2024-03-05, 12:21 authored by Alfusainey Jallow, Michael Schilling, Michael Backes, Sven Bugiel
This paper assesses the effects of Stack Overflow code snippet evolution on the security of open-source projects. Users on Stack Overflow actively revise posted code snippets, sometimes addressing bugs and vulnerabilities. Accordingly, developers who reuse code from Stack Overflow should treat it like any other evolving code dependency and be vigilant about updates. It is unclear whether developers are doing so, to what extent outdated code snippets from Stack Overflow are present in GitHub projects, and whether developers miss security-relevant updates to reused snippets. To shed light on those questions, we devised a method to 1) detect outdated code snippet versions from 1.5M Stack Overflow snippets in 11,479 popular GitHub projects and 2) detect security-relevant updates to those Stack Overflow code snippets that are not reflected in those GitHub projects. Our results show that developers do not update dependent code snippets when those snippets evolve on Stack Overflow. We found that 2,405 code snippet versions reused in 2,109 GitHub projects were outdated, with 43 projects missing fixes to bugs and vulnerabilities on Stack Overflow. Those 43 projects containing outdated, insecure snippets were forked on average 1,085 times (max. 16,121), indicating that our results are likely a lower bound for affected code bases. An important insight from our work is that treating Stack Overflow code as purely static code impedes holistic solutions to the problem of copying insecure code from Stack Overflow. Instead, our results suggest that developers need tools that continuously monitor Stack Overflow for security warnings and code fixes to reused code snippets, rather than tools that only warn during copy-pasting.
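As an added illustration of the two-step detection the abstract describes (matching a project's code against a snippet's revision history, then flagging newer revisions that carry security-relevant edits), the following is example code written for this page, not the paper's tooling. It assumes a simplified fingerprint (hash of the code with line comments and whitespace removed), a keyword heuristic over edit comments, and a constructed revision history and project file.

```python
import hashlib
import re
from dataclasses import dataclass
from typing import Optional

# Hypothetical heuristic: an edit comment mentioning one of these marks a security-relevant revision.
SECURITY_KEYWORDS = ("vulnerab", "insecure", "injection", "arbitrary code", "cve-")

@dataclass(frozen=True)
class SnippetRevision:
    post_id: int       # Stack Overflow post id (constructed value)
    revision: int      # 1-based revision number of the post's code block
    code: str
    edit_comment: str  # editor's summary of the change

def fingerprint(code: str) -> str:
    """Hash the code with line comments and all whitespace removed, so cosmetic edits
    and reformatting in the reusing project do not hide a match (a simplification)."""
    return hashlib.sha256(re.sub(r"\s+", "", re.sub(r"#.*", "", code)).encode()).hexdigest()

def find_outdated(project_code: str, history: list) -> Optional[dict]:
    """Step 1: match the project's code against every revision of the snippet.
    Step 2: list newer revisions whose edit comment looks security-relevant.
    Returns None when there is no match or the project already has the latest revision."""
    ordered = sorted(history, key=lambda r: r.revision)
    target = fingerprint(project_code)
    for i, rev in enumerate(ordered):
        if fingerprint(rev.code) != target:
            continue
        newer = ordered[i + 1:]
        if not newer:
            return None
        missed = [r.revision for r in newer
                  if any(k in r.edit_comment.lower() for k in SECURITY_KEYWORDS)]
        return {"post_id": rev.post_id, "matched_revision": rev.revision,
                "latest_revision": ordered[-1].revision, "missed_security_fixes": missed}
    return None

# Constructed revision history of one answer: revision 2 swaps yaml.load for yaml.safe_load.
HISTORY = [
    SnippetRevision(1, 1, "import yaml\nwith open(path) as f:\n    cfg = yaml.load(f)\n",
                    "initial answer"),
    SnippetRevision(1, 2, "import yaml\nwith open(path) as f:\n    cfg = yaml.safe_load(f)\n",
                    "use safe_load: yaml.load on untrusted input allows arbitrary code execution"),
]
# Constructed project file: a reformatted copy of revision 1, i.e. the outdated version.
PROJECT_CODE = "import yaml  # config loader\nwith open(path) as f:\n\n    cfg = yaml.load( f )\n"

if __name__ == "__main__":
    print(find_outdated(PROJECT_CODE, HISTORY))
```

A monitoring tool built on this idea would re-run the check whenever a matched post gains a new revision, which is the continuous monitoring the abstract argues for.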

History

Preferred Citation

Alfusainey Jallow, Michael Schilling, Michael Backes, Sven Bugiel. Measuring the Effects of Stack Overflow Code Snippet Evolution on Open-Source Software Security. In: 45th IEEE Symposium on Security and Privacy (SP). 2023.

Primary Research Area

  • Trustworthy Information Processing

Name of Conference

IEEE Symposium on Security and Privacy (S&P)

Legacy Posted Date

2023-11-28

Open Access Type

  • Repository

BibTeX

@inproceedings{cispa_all_4053,
  author    = {Alfusainey Jallow AND Michael Schilling AND Michael Backes AND Sven Bugiel},
  title     = {Measuring the Effects of Stack Overflow Code Snippet Evolution on Open-Source Software Security},
  booktitle = {45th IEEE Symposium on Security and Privacy (SP)},
  year      = {2023}
}
