Simple stupid insecure practices and GitHub's code search: A looming threat?

Ken Russel Go, Sruthi Soundarapandian, Aparupa Mitra, Melina Vidoni*, Nicolás E.Díaz Ferreyra

*Corresponding author for this work

    Research output: Contribution to journalArticlepeer-review

    2 Citations (Scopus)

    Abstract

    Insecure coding practices are a known, long-standing problem in open-source development, which takes on a new dimension with the current capabilities for mining open-source software repositories through version control systems. Although most insecure practices require a sequence of interlinked behaviour, prior work also determined that simpler, one-liner coding practices can introduce vulnerabilities in the code. Such simple stupid insecure practices (SSIPs) can have severe security implications for package-based software systems, as they are easily spread over version-control systems. Moreover, GitHub is piloting regular-expression-based code searches across public repositories through its “Code Search Technology”, potentially simplifying unearthing SSIPs. As an exploratory case study, we focused on popular PyPi packages and analysed their source code using regular expressions (as done by GitHub's incoming search engine). The goal was to explore how detectable these simple vulnerabilities are and how exploitable “Code Search” technology is. Results show that packages on lower versions are more vulnerable, that “code injection” is the most scattered issue, and that about 20% of the scouted packages have at least one vulnerability. Most concerningly, malicious use of this engine was straightforward, raising severe concerns about the implications of a publicly available “Code Search”.

    Original languageEnglish
    Article number111698
    JournalJournal of Systems and Software
    Volume202
    DOIs
    Publication statusPublished - Aug 2023

    Fingerprint

    Dive into the research topics of 'Simple stupid insecure practices and GitHub's code search: A looming threat?'. Together they form a unique fingerprint.

    Cite this