TY - JOUR
T1 - Simple Stupid Insecure Practices and GitHub's Code Search: A Looming Threat?
AU - Go, Ken Russel
AU - Soundarapandian, Sruthi
AU - Mitra, Aparupa
AU - Vidoni, Melina
AU - Díaz Ferreyra, Nicolás
PY - 2023
Y1 - 2023
N2 - Insecure coding practices are a known, long-standing problem in open-source development, which takes on a new dimension with the current capabilities for mining open-source software repositories through version control systems. Although most insecure practices require a sequence of interlinked behaviour, prior work also determined that simpler, one-liner coding practices can introduce vulnerabilities in the code. Such simple stupid insecure practices (SSIPs) can have severe security implications for package-based software systems, as they are easily spread over version-control systems. Moreover, GitHub is piloting regular-expression-based code searches across public repositories through its Code Search Technology, potentially simplifying unearthing SSIPs. As an exploratory case study, we focused on popular PyPi packages and analysed their source code using regular expressions (as done by GitHub’s incoming search engine). The goal was to explore how detectable these simple vulnerabilities are and how exploitable Code Search Technology is. Results show that packages on lower versions are more vulnerable, that code injection is the most scattered issue, and that about 20% of the scouted packages have at least one vulnerability. Concerningly, malicious use of this engine was straightforward, raising severe concerns about the implications of a publicly available Code Search Technology.
AB - Insecure coding practices are a known, long-standing problem in open-source development, which takes on a new dimension with the current capabilities for mining open-source software repositories through version control systems. Although most insecure practices require a sequence of interlinked behaviour, prior work also determined that simpler, one-liner coding practices can introduce vulnerabilities in the code. Such simple stupid insecure practices (SSIPs) can have severe security implications for package-based software systems, as they are easily spread over version-control systems. Moreover, GitHub is piloting regular-expression-based code searches across public repositories through its Code Search Technology, potentially simplifying unearthing SSIPs. As an exploratory case study, we focused on popular PyPi packages and analysed their source code using regular expressions (as done by GitHub’s incoming search engine). The goal was to explore how detectable these simple vulnerabilities are and how exploitable Code Search Technology is. Results show that packages on lower versions are more vulnerable, that code injection is the most scattered issue, and that about 20% of the scouted packages have at least one vulnerability. Concerningly, malicious use of this engine was straightforward, raising severe concerns about the implications of a publicly available Code Search Technology.
U2 - 10.1016/j.jss.2023.111698
DO - 10.1016/j.jss.2023.111698
M3 - Article
VL - 202
SP - 1
EP - 9
JO - Journal of Systems and Software
JF - Journal of Systems and Software
ER -