During their everyday programming work, software developers frequently encounter problems for which they need a quick solution. "Earlier studies have shown that the most prominent information source developers consult is not textbooks but Stack Overflow," explains CISPA researcher Alfusainey Jallow. Stack Overflow is part of the Stack Exchange Network and is a popular online platform for programmers and developers to find answers to various programming topics and problems. "The popularity of Stack Overflow is due to the fact that it offers functional code snippets. A code snippet is a chunk of code, written in a particular programming language, that solves a specific problem. You can usually use it directly in your own project with little to no changes," Jallow continues.
Search for outdated code snippets in GitHub projects
It is known from prior research that there are security-critical variants of the code snippets on Stack Overflow. Whether the code copied from Stack Overflow is secure can be checked, for instance, with the help of browser plugins. It is also known that the code snippets are not static but constantly evolving. "However, what had not yet been investigated is the question of whether developers who copy code snippets from Stack Overflow into their software also update them when changes are made to the snippets on Stack Overflow," Jallow says. In order to find out about that, Jallow and his colleagues examined open software projects on the popular platform GitHub. "GitHub is used to host code and to collaborate with others on a specific software project," explains the CISPA researcher. He developed a multi-step procedure to detect outdated versions of code snippets in GitHub projects and to check whether or not security-relevant updates have been performed on these code snippets.
Missing updates to code snippets lead to vulnerabilities
In their investigation of around 11,500 Github projects, Jallow and his colleagues found that every second reused code snippet is outdated, regardless of the programming language. They found no evidence showing that GitHub developers had implemented updates to Stack Overflow code snippets in their projects. According to Jallow, the dangers linked to these findings lie in the almost unlimited distribution potential of the software. "If you copy a code snippet from Stack Overflow that can violate users’ privacy, and they install the app on their phone, it will have a lot of social implications. If privacy is violated by a code snippet from Stack Overflow, it’s a really big problem," he is convinced. Jallow and his colleagues conclude from their findings that "developers do not check the snippets copied from Stack Overflow for any updates, or are not aware that the code they reuse is being discussed and updated or fixed on Stack Overflow."
Missing tool is a mission for the future
Jallow’s current advice to developers: "Be careful when using code snippets from Stack Overflow. And when you use them, find a way to remember them." As there is no automated tool yet, developers have to check for themselves if there is an update for the copied snippets available on Stack Overflow. This is what drives Jallow, as he explains in the interview: "In order to close this gap, I want to develop a tool. If it is not going to happen in the course of my PhD thesis, then at a later point in my career. CISPA has this amazing ecosystem that transfers research results to industry, and promotes spin-offs and start-ups. It's a great opportunity that CISPA offers, and I would like to take advantage of it."
