Write a Blog >>
ICSE 2021
Mon 17 May - Sat 5 June 2021

Software developers share programming solutions in Q&A sites like Stack Overflow, Stack Exchange, Android forum, and so on. The reuse of crowd-sourced code snippets can facilitate rapid prototyping. However, recent research shows that the shared code snippets may be of low quality and can even contain vulnerabilities. This paper aims to understand the nature and the prevalence of security vulnerabilities in crowd-sourced code examples. To achieve this goal, we investigate security vulnerabilities in the C++ code snippets shared on Stack Overflow over a period of 10 years. In collaborative sessions involving multiple human coders, we manually assessed each code snippet for security vulnerabilities following CWE (Common Weakness Enumeration) guidelines. From the 72,483 reviewed code snippets used in at least one project hosted on GitHub, we found a total of 99 vulnerable code snippets categorized into 31 types. Many of the investigated code snippets are still not corrected on Stack Overflow. The 99 vulnerable code snippets found in Stack Overflow were reused in a total of 2859 GitHub projects. To help improve the quality of code snippets shared on Stack Overflow, we developed a browser extension that allows Stack Overflow users to be notified for vulnerabilities in code snippets when they see them on the platform.

Conference Day
Thu 27 May

Displayed time zone: Amsterdam, Berlin, Bern, Rome, Stockholm, Vienna change

16:30 - 17:30
3.4.2. Security Vulnerabilities: From 3rd Parties' CodeTechnical Track / SEIP - Software Engineering in Practice / Journal-First Papers at Blended Sessions Room 2 +12h
Chair(s): Jeff CarverUniversity of Alabama
16:30
20m
Paper
An Empirical Study of C++ Vulnerabilities in Crowd-Sourced Code ExamplesJournal-First
Journal-First Papers
Morteza VerdiShiraz University, Ashkan SamiShiraz University, Jafar AkhondaliShiraz University, Foutse KhomhPolytechnique Montréal, Gias UddinUniversity of Calgary, Canada, Alireza Karami MotlaghShiraz University
Link to publication DOI Pre-print Media Attached
16:50
20m
Paper
Anomalicious: Automated Detection of Anomalous and Potentially Malicious Commits on GitHubSEIP
SEIP - Software Engineering in Practice
Danielle GonzalezRochester Institute of Technology, Thomas ZimmermannMicrosoft Research, Patrice GodefroidMicrosoft Research, USA, Max SchaeferGitHub, Inc.
Pre-print Media Attached
17:10
20m
Paper
Why Security Defects Go Unnoticed during Code Reviews? A Case-Control Study of the Chromium OS ProjectArtifact ReusableTechnical TrackArtifact Available
Technical Track
Rajshakhar PaulWayne State University, Asif Kamal TurzoWayne State University, Amiangshu BosuWayne State University
Pre-print Media Attached

Conference Day
Fri 28 May

Displayed time zone: Amsterdam, Berlin, Bern, Rome, Stockholm, Vienna change

04:30 - 05:30
3.4.2. Security Vulnerabilities: From 3rd Parties' CodeTechnical Track / Journal-First Papers / SEIP - Software Engineering in Practice at Blended Sessions Room 2
04:30
20m
Paper
An Empirical Study of C++ Vulnerabilities in Crowd-Sourced Code ExamplesJournal-First
Journal-First Papers
Morteza VerdiShiraz University, Ashkan SamiShiraz University, Jafar AkhondaliShiraz University, Foutse KhomhPolytechnique Montréal, Gias UddinUniversity of Calgary, Canada, Alireza Karami MotlaghShiraz University
Link to publication DOI Pre-print Media Attached
04:50
20m
Paper
Anomalicious: Automated Detection of Anomalous and Potentially Malicious Commits on GitHubSEIP
SEIP - Software Engineering in Practice
Danielle GonzalezRochester Institute of Technology, Thomas ZimmermannMicrosoft Research, Patrice GodefroidMicrosoft Research, USA, Max SchaeferGitHub, Inc.
Pre-print Media Attached
05:10
20m
Paper
Why Security Defects Go Unnoticed during Code Reviews? A Case-Control Study of the Chromium OS ProjectArtifact ReusableTechnical TrackArtifact Available
Technical Track
Rajshakhar PaulWayne State University, Asif Kamal TurzoWayne State University, Amiangshu BosuWayne State University
Pre-print Media Attached