Code-sharing among software developers can lead to security flaws
April 18, 2017
Today's busy software developers tend to share code among themselves, and that does save their colleagues a lot of time, but it also means they share security flaws they have not noticed or that are not readily apparent.
That in turn means a smart attacker could trace who shared what with whom, search the internet for the same vulnerable code, and then act on the findings.
That worrisome concept comes from a group of security researchers based in Germany with a bit of help from Trend Micro.
Their straightforward reasoning is that if they were able to find recurring Web application security vulnerabilities in reused code snippets, it would not be difficult for potential attackers to do the same.
The German researchers looked at more than 64,000 Web apps and various other software. They conclude that an “adversary with access to a standard PC can leverage our techniques to efficiently discover recurring security vulnerabilities in web application code”.
Among a group of thirty popular code-sharing tutorials on a forum, the security researchers said, no fewer than 9 contained vulnerable code. Worse, six had SQL injection errors, and there were 3 tutorials with XSS errors, among others.
The researchers created a GitHub crawler, dubbed GithubSpider, and an analytical tool, CA-Detector. Of the projects the researchers examined, more than 6,300 counted as popular with ten stars; 16,000-plus had four to nine stars; and 42,000 were unpopular projects with three stars or fewer.
The 117 code snippets the researchers found might not sound like many, but these are likely repeated all over the web, meaning that attackers could also use the buggy code as a starting point to scan a wide range of applications for the security vulnerabilities they inherited from tutorials.
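The two flaw classes the article names, SQL injection and XSS, typically enter a project exactly as the study describes: a tutorial builds a query or an HTML fragment with string formatting, and the snippet is copied as-is. The following is an added example (not code from the article or from the researchers' tools) that shows the tutorial-style pattern beside its hardened form and a small check a reviewer could run over copied snippets. The SQLite table, the sample rows and the snippet lines are constructed for the demonstration.

```python
import html
import re
import sqlite3


def make_db():
    """Constructed in-memory database standing in for a tutorial's user table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, secret TEXT)")
    conn.executemany(
        "INSERT INTO users (name, secret) VALUES (?, ?)",
        [("alice", "a-secret"), ("bob", "b-secret")],
    )
    return conn


def lookup_vulnerable(conn, name):
    """Tutorial-style lookup: user input is formatted straight into the SQL text.

    Whatever the caller passes becomes part of the query grammar, so a value
    containing a quote can change the WHERE clause instead of being compared.
    """
    query = "SELECT name, secret FROM users WHERE name = '%s'" % name
    return conn.execute(query).fetchall()


def lookup_safe(conn, name):
    """Hardened lookup: the driver binds the value; it can never become SQL."""
    return conn.execute(
        "SELECT name, secret FROM users WHERE name = ?", (name,)
    ).fetchall()


def render_vulnerable(name):
    """Tutorial-style template: untrusted text is dropped into HTML unescaped."""
    return "<p>Hello, %s</p>" % name


def render_safe(name):
    """Hardened template: escape before inserting into HTML (quote=True also
    covers attribute contexts)."""
    return "<p>Hello, %s</p>" % html.escape(name, quote=True)


# Heuristic for reviewing copied snippets: a line that carries a SQL statement
# and also assembles it with %-formatting, an f-string, .format() or string
# concatenation deserves a second look. Review aid only; not a proof of safety.
SQL_KEYWORD = re.compile(r"\b(SELECT|INSERT|UPDATE|DELETE)\b", re.IGNORECASE)
STRING_BUILD = re.compile(r'"\s*%\s|\bf"|\.format\(|"\s*\+')


def flag_string_built_sql(lines):
    """Return 1-based indices of lines that build SQL text from other strings."""
    return [
        i
        for i, line in enumerate(lines, start=1)
        if SQL_KEYWORD.search(line) and STRING_BUILD.search(line)
    ]


# Constructed snippet lines, as they might be pasted from three tutorials.
SNIPPET = [
    'cur.execute("SELECT * FROM users WHERE name = \'%s\'" % name)',
    'cur.execute("SELECT * FROM users WHERE name = ?", (name,))',
    'cur.execute(f"DELETE FROM logs WHERE id = {log_id}")',
]


if __name__ == "__main__":
    db = make_db()
    probe = "' OR '1'='1"  # classic textbook value used to test the lookup
    print("vulnerable:", lookup_vulnerable(db, probe))  # returns every row
    print("safe:      ", lookup_safe(db, probe))        # returns no row
    print(render_vulnerable("<b>x</b>"))
    print(render_safe("<b>x</b>"))
    print("lines to review:", flag_string_built_sql(SNIPPET))
```

The vulnerable and safe functions differ by one thing only, whether the value is bound by the driver or spliced into the statement, which is why a copied tutorial can be fixed without changing its structure. The `flag_string_built_sql` check is deliberately crude: it is meant to surface candidate lines for a human reviewer, not to replace a real static analyser.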
The researchers wrote: “Our most recent study finds some disconcerting evidence of insufficiently reviewed tutorials compromising the security of open-source projects. What's more, our findings also testify to the feasibility of large-scale vulnerability discovery using poorly written tutorials as a starting point”.
And the researchers have a good point. The paper's authors are Tommi Unruh, Bhargava Shastry and Jean-Pierre Seifert of the Technical University in Berlin; Malte Skoruppa of Saarland University; Trend Micro's Federico Maggi, and Konrad Rieck and Fabian Yamaguchi of the Technical University of Braunschweig.
Generally speaking, sharing code among developers is a good way to save time and to help the programmer community. In view of these potential security issues, however, better means need to be developed so that the community can keep helping itself in a more secure manner.