Snakes in Paradise?: Insecure Python-Related Coding Practices in Stack Overflow

Rahman, Akond; Farhana, Effat; Imtiaz, Nasif

doi:10.1109/msr.2019.00040

Cited by 21 publications

(12 citation statements)

References 11 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…Vast number of researches focused on security assessment in different programming languages [22], [2], [31], [21], [28]. Security assessment in languages like Java, C and C++ have established guidelines, standardizations and even recommendations [12], [26], [23].…”

Section: Related Workmentioning

confidence: 99%

See 1 more Smart Citation

On the use of C# Unsafe Code Context

Firouzi

Sami

Khomh

et al. 2020

Proceedings of the 14th ACM / IEEE International Symposium on Empirical Software Engineering and Measurement (ESEM)

View full text Add to dashboard Cite

Background. C# maintains type safety and security by not allowing direct dangerous pointer arithmetic. To improve performance for special cases, pointer arithmetic is provided via an unsafe context. Programmers can use the C# unsafe keyword to encapsulate a code block, which can use pointer arithmetic. In the Common Language Runtime (CLR), unsafe code is referred to as unverifiable code. It then becomes the responsibility of the programmer to ensure the encapsulated code snippet is not dangerous. Naturally, this raises concern on whether such trust is misused by programmers when they promote the use of C# unsafe context. Aim. We aim to analyze the prevalence and vulnerabilities of share code examples using C# unsafe keyword in Stack Overflow (SO) code sharing platform. Method. By using some regular expressions and manual checks, we extracted C# unsafe code relevant posts from SO and categorized them into some software development scenarios. Results. In the entire SO data dump of September 2018, we find 2,283 C# snippets with the unsafe keyword. Among those posts, 27% of posts are about Image processing, where unsafe codes are mainly used for performance reasons. The second most popular category by 21% of the codes in the posts is used for 'Interoperability' reasons. That is 'unsafe' is used to enable 'Interoperability' between C# managed codes and unmanaged codes. The 'stackalloc' operator is the third category with 9% of unsafe code posts. The stackalloc operator allocates a block of memory on the stack. Since C# 7.2, Microsoft recommends against using 'stackalloc'in unsafe context whenever possible. Manual inspection shows 67 code snippets with dangerous functions that can introduce vulnerability if not used with caution (e.g., buffer overflow). Finally, 35% of 'Interoperability' posts have 'P/Invoke' tag were used outside NativeMethods class, which is in contrast to Microsoft design suggestion. Conclusion. Our study leads to 7 main findings, and these findings show the importance of cautiously using this feature.

show abstract

Section: Related Workmentioning

confidence: 99%

“…Based on best of our knowledge, this is the first study on security of C# codes. several studies investigated security related issues in languages like Java and Python [22], [11], [5]. However, as mentioned no study has focused on security of C# codes and thus no study on C# code snippets in community question and answer websites exist.…”

Section: Related Workmentioning

confidence: 99%

On the use of C# Unsafe Code Context

Firouzi

Sami

Khomh

et al. 2020

Proceedings of the 14th ACM / IEEE International Symposium on Empirical Software Engineering and Measurement (ESEM)

View full text Add to dashboard Cite

show abstract

“…Stack Overflow is regarded as the most popular question and answer website for software developers [15]. Software developers benefit from SO posts, while programming [8], [12], [18], [19], [20], and read about the technologies and tools needed for development [21], [22], [23]. Thus, research on Stack Overflow is of high importance in software community.…”

Section: Reusing Of Code Shared In Stack Overflowmentioning

confidence: 99%

“…Studies [8], [29] in java Script and android application, [7], [30], [35] in java and [23] in python showed the Stack Overflow have a security vulnerability in their code snippets that uses in applications, open source projects, and APIs.…”

Section: Security Of C++ Posts In Stack Overflowmentioning

confidence: 99%

An Empirical Study of C++ Vulnerabilities in Crowd-Sourced Code Examples

Verdi¹,

Sami²,

Akhondali³

et al. 2019

Preprint

View full text Add to dashboard Cite

Software developers share programming solutions in Q&A sites like Stack Overflow. The reuse of crowd-sourced code snippets can facilitate rapid prototyping. However, recent research shows that the shared code snippets may be of low quality and can even contain vulnerabilities. This paper aims to understand the nature and the prevalence of security vulnerabilities in crowd-sourced code examples. To achieve this goal, we investigate security vulnerabilities in the C++ code snippets shared on Stack Overflow over a period of 10 years. In collaborative sessions involving multiple human coders, we manually assessed each code snippet for security vulnerabilities following CWE (Common Weakness Enumeration) guidelines. From the 72,483 reviewed code snippets used in at least one project hosted on GitHub, we found a total of 69 vulnerable code snippets categorized into 29 types. Many of the investigated code snippets are still not corrected on Stack Overflow. The 69 vulnerable code snippets found in Stack Overflow were reused in a total of 2859 GitHub projects. To help improve the quality of code snippets shared on Stack Overflow, we developed a browser extension that allow Stack Overflow users to check for vulnerabilities in code snippets when they upload them on the platform.

show abstract

“…Meng et al[Men18] studied bad coding practices related to the security of Java Spring Framework in Stack Overflow, and reported 9 out of 10 SSL/TLS-related posts to discuss insecure coding practices. Rahman et al[Rah19a] studied Python code blocks posted on Stack Overflow, and observed that 7.1% of the 44,966 Python-related answers to include at least one insecure coding practice. Fahl et al[Fah12] investigated inappropriate use of SSL/TLS protocols, such as, trusting all certificates and stripping SSL, for Android applications.…”

mentioning

confidence: 99%

Anti-Patterns in Infrastructure as Code

Rahman

2018

2018 IEEE 11th International Conference on Software Testing, Verification and Validation (ICST)

Self Cite

View full text Add to dashboard Cite

RAHMAN, AKOND ASHFAQUE UR. Anti-patterns in Infrastructure as Code. (Under the direction of Laurie Williams). In continuous deployment, infrastructure as code (IaC) scripts are used by practitioners to create and manage an automated deployment pipeline that enables information technology (IT) organizations to release their software changes rapidly at scale. Low quality IaC scripts can have serious consequences, potentially leading to widespread system outages and service discrepancies. By systematically identifying which characteristics are correlated with low quality IaC scripts, we can identify anti-patterns i.e. recurring practices with negative consequences, which may help practitioners to take informed actions in creating and maintaining defect-free IaC scripts. The goal of this thesis is to help practitioners in increasing quality of IaC scripts by identifying development and security anti-patterns in the development of infrastructure as code scripts. Using open source repositories, we conduct five research studies and identify (i) defect categories in IaC scripts; (ii) operations that characterize defective IaC scripts; (iii) code properties that correlate with defective IaC scripts; (iv) development anti-patterns for IaC scripts; and (v) security anti-patterns in IaC scripts that are indicative of security weaknesses. From our conducted empirical studies, we observe defect category distribution of IaC scripts are different to that of general purpose programming languages. We observe three operations that characterize defective IaC scripts, namely file system operations, infrastructure provisioning, and user account management. We identify 10 source code properties that correlate with defective scripts, of which size and hard-coded strings as configuration values show the strongest correlation with defective scripts. We identify 13 development anti-patterns that are development activities, which correlate with defective scripts. We also identify 9 security anti-patterns i.e. coding patterns that are indicative of security weaknesses. We hope outcomes of the thesis i.e. findings, tools, and datasets will facilitate further research in the area of IaC.

show abstract

Snakes in Paradise?: Insecure Python-Related Coding Practices in Stack Overflow

Cited by 21 publications

References 11 publications

On the use of C# Unsafe Code Context

On the use of C# Unsafe Code Context

An Empirical Study of C++ Vulnerabilities in Crowd-Sourced Code Examples

Anti-Patterns in Infrastructure as Code

Contact Info

Product

Resources

About