Copy-and-paste sharing on Stack Overflow spreads insecure code
The tricky bit, as a new study called An Empirical Study of C++ Vulnerabilities in Crowd-Sourced Code Examples, is working out which code is OK and which isn’t.
After analysing real code from Stack Overflow, the researchers found a small but still significant number of examples where this happened over a 10-year period to 2018.
The team reviewed 72,483 C++ code snippets for weaknesses defined by the industry Common Weakness Enumeration (CWE) guidelines, finding 69 representing 29 different types of security flaw, most often CWE-150 (‘Improper neutralization of space, meta, or control sequence’).
I’d be fascinated to see a study that compared cutting and pasting code – which carries the small risk of copying and pasting security errors – with coders who don’t copy and paste code and solve unfamiliar problems by always writing their own solution.
Solving the problem yourself carries three possible penalties: #1 it will take longer; #2 there is a good chance that the code (which solves a problem the developer is not well versed in solving) will make it in to the world without ever being reviewed by another person; and #3 if it does go unreviewed, there is a good chance the developer will never learn of their mistake and could well end up repeating it, even cutting and pasting it, into other projects.