TY - JOUR
T1 - Simple stupid insecure practices and GitHub's code search
T2 - A looming threat?
AU - Go, Ken Russel
AU - Soundarapandian, Sruthi
AU - Mitra, Aparupa
AU - Vidoni, Melina
AU - Ferreyra, Nicolás E. Díaz
N1 - Publisher Copyright:
© 2023 Elsevier Inc.
PY - 2023/8
Y1 - 2023/8
N2 - Insecure coding practices are a known, long-standing problem in open-source development, which takes on a new dimension with the current capabilities for mining open-source software repositories through version control systems. Although most insecure practices require a sequence of interlinked behaviours, prior work also determined that simpler, one-liner coding practices can introduce vulnerabilities in the code. Such simple stupid insecure practices (SSIPs) can have severe security implications for package-based software systems, as they are easily spread over version-control systems. Moreover, GitHub is piloting regular-expression-based code searches across public repositories through its “Code Search Technology”, potentially simplifying unearthing SSIPs. As an exploratory case study, we focused on popular PyPI packages and analysed their source code using regular expressions (as done by GitHub's incoming search engine). The goal was to explore how detectable these simple vulnerabilities are and how exploitable “Code Search” technology is. Results show that packages on lower versions are more vulnerable, that “code injection” is the most scattered issue, and that about 20% of the scouted packages have at least one vulnerability. Most concerningly, malicious use of this engine was straightforward, raising severe concerns about the implications of a publicly available “Code Search”.
AB - Insecure coding practices are a known, long-standing problem in open-source development, which takes on a new dimension with the current capabilities for mining open-source software repositories through version control systems. Although most insecure practices require a sequence of interlinked behaviours, prior work also determined that simpler, one-liner coding practices can introduce vulnerabilities in the code. Such simple stupid insecure practices (SSIPs) can have severe security implications for package-based software systems, as they are easily spread over version-control systems. Moreover, GitHub is piloting regular-expression-based code searches across public repositories through its “Code Search Technology”, potentially simplifying unearthing SSIPs. As an exploratory case study, we focused on popular PyPI packages and analysed their source code using regular expressions (as done by GitHub's incoming search engine). The goal was to explore how detectable these simple vulnerabilities are and how exploitable “Code Search” technology is. Results show that packages on lower versions are more vulnerable, that “code injection” is the most scattered issue, and that about 20% of the scouted packages have at least one vulnerability. Most concerningly, malicious use of this engine was straightforward, raising severe concerns about the implications of a publicly available “Code Search”.
KW - GitHub code search
KW - Python
KW - Simple stupid insecure practices
UR - http://www.scopus.com/inward/record.url?scp=85152227507&partnerID=8YFLogxK
U2 - 10.1016/j.jss.2023.111698
DO - 10.1016/j.jss.2023.111698
M3 - Article
SN - 0164-1212
VL - 202
JO - Journal of Systems and Software
JF - Journal of Systems and Software
M1 - 111698
ER -