Threat Watch

Vulnerable Apps Created by Coders' Copying and Pasting

Stack Overflow is a website that many software developers use to find answers to programming questions, including small segments of code that can be copied into software development projects to handle common tasks. Over 72,000 code chunks found on Stack Overflow were analyzed by a coalition of researchers from Canadian and Iranian universities. Most of the most frequently copied code did not include checks that would prevent common attacks from exploiting the software. Some of the problems involved failing to sanitize user input, ignoring user responses, and using out-of-date functions. GitHub was also examined during the research, and the unsafe code found on Stack Overflow was being used in nearly 2,800 projects. The research teams reached out to those who were using the possibly dangerous code to make them aware that they were putting their apps and programs at risk, but only around 13% responded stating they had fixed the code. Many of the developers claimed the code was safe because it could not be changed once the app had already begun running. Professor Ashkan Sami from Shiraz University in Iran said the team has created a Chrome extension that will examine code copied from Stack Overflow and let coders know whether it is safe and valid.


Code found on Stack Overflow should never be fully trusted without further analysis for security vulnerabilities. If and when it becomes available, developers should consider using the Chrome extension for Stack Overflow to help ensure the code they are using is safe. Software developers should be trained by their organizations to understand and use secure software design patterns. Organizations can mitigate the risk of releasing insecure software by budgeting time and effort for code reviews and vulnerability testing of software products.