TUHH Open Research
Simple stupid insecure practices and GitHub's code search: A looming threat?

Publication type
Journal Article
Date Issued
2023-08
Language
English
Author(s)
Go, Ken Russel  
Soundarapandian, Sruthi  
Mitra, Aparupa  
Vidoni, Melina  
Díaz Ferreyra, Nicolás
Institute
Software Security E-22
TORE-URI
http://hdl.handle.net/11420/15219
Journal
The journal of systems and software  
Volume
202
Article Number
111698
Citation
Journal of Systems and Software 202: 111698 (2023-08)
Publisher DOI
10.1016/j.jss.2023.111698
Scopus ID
2-s2.0-85152227507
Insecure coding practices are a known, long-standing problem in open-source development, and they take on a new dimension with the current capabilities for mining open-source software repositories through version control systems. Although most insecure practices require a sequence of interlinked behaviours, prior work has also determined that simpler, one-liner coding practices can introduce vulnerabilities into the code. Such simple stupid insecure practices (SSIPs) can have severe security implications for package-based software systems, as they spread easily over version-control systems. Moreover, GitHub is piloting regular-expression-based code searches across public repositories through its "Code Search Technology", potentially simplifying the unearthing of SSIPs. As an exploratory case study, we focused on popular PyPI packages and analysed their source code using regular expressions (as done by GitHub's incoming search engine). The goal was to explore how detectable these simple vulnerabilities are and how exploitable "Code Search" technology is. Results show that packages at lower version numbers are more vulnerable, that "code injection" is the most widespread issue, and that about 20% of the scouted packages have at least one vulnerability. Most concerningly, malicious use of this engine was straightforward, raising severe concerns about the implications of a publicly available "Code Search".
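The abstract describes scanning package source code with regular expressions, in the way a regex-capable code search would, to surface one-liner insecure practices. The following is an added illustration of that approach, not code from the paper or from GitHub: the pattern catalogue (eval/exec, os.system, subprocess with shell=True, pickle, unguarded yaml.load, hard-coded secrets) and the four sample "packages" are this example's own constructions, chosen to show both true positives and the kind of near-miss (`ast.literal_eval`, a comment mentioning `eval()`) that a regex-only scan has to avoid flagging.

```python
import re
from collections import Counter

# Regex patterns for a few simple one-liner insecure practices (SSIPs).
# This catalogue is an assumption made for the example, not the paper's list.
SSIP_PATTERNS = {
    "code-injection/eval": re.compile(r"\beval\s*\("),
    "code-injection/exec": re.compile(r"\bexec\s*\("),
    "os-command-injection": re.compile(r"\bos\.system\s*\("),
    # any subprocess.<call>( ... shell=True ... ) on a single line
    "shell-true": re.compile(r"\bsubprocess\.\w+\s*\([^)]*shell\s*=\s*True"),
    "unsafe-deserialization": re.compile(r"\bpickle\.loads?\s*\("),
    # yaml.load(...) that does not pass a Loader= argument on the same line
    "unsafe-yaml-load": re.compile(r"\byaml\.load\s*\((?![^)]*Loader\s*=)"),
    "hardcoded-secret": re.compile(
        r"(?i)\b(password|secret|api_key)\s*=\s*['\"][^'\"]+['\"]"
    ),
}


def scan_source(source, patterns=SSIP_PATTERNS):
    """Line-by-line regex scan of one file's text.

    Returns a list of (line_no, category, stripped_line). Comment-only lines
    are skipped; note that this is still a text search, so a pattern inside
    a string literal would be reported too (a known regex-search limitation).
    """
    findings = []
    for line_no, line in enumerate(source.splitlines(), start=1):
        stripped = line.strip()
        if stripped.startswith("#"):
            continue
        for category, pattern in patterns.items():
            if pattern.search(line):
                findings.append((line_no, category, stripped))
    return findings


def summarise(packages, patterns=SSIP_PATTERNS):
    """Scan a {package_name: source_text} mapping.

    Returns (Counter of findings per category, fraction of packages with at
    least one finding), i.e. the two figures the study reports per corpus.
    """
    counts = Counter()
    affected = 0
    for source in packages.values():
        findings = scan_source(source, patterns)
        if findings:
            affected += 1
        for _, category, _ in findings:
            counts[category] += 1
    fraction = affected / len(packages) if packages else 0.0
    return counts, fraction


# Constructed sample "packages" (hypothetical names and contents).
SAMPLE_PACKAGES = {
    "pkg_a": (
        "import os\n\n"
        "def run(cmd):\n"
        "    return os.system(cmd)\n\n"
        "def load(s):\n"
        "    return eval(s)\n"
    ),
    "pkg_b": (
        "import subprocess\n\n"
        "# eval() is not used here\n"
        "def run(cmd):\n"
        "    return subprocess.run(cmd, shell=True)\n"
    ),
    # Safe variants that a naive substring search would wrongly flag.
    "pkg_c": (
        "import yaml, ast\n\n"
        "def load(f):\n"
        "    return yaml.load(f, Loader=yaml.SafeLoader)\n\n"
        "def parse(s):\n"
        "    return ast.literal_eval(s)\n"
    ),
    "pkg_d": "import json\n\ndef load(s):\n    return json.loads(s)\n",
}


def report(packages=SAMPLE_PACKAGES):
    """Human-readable summary of a scan over the sample packages."""
    counts, fraction = summarise(packages)
    lines = [f"{cat}: {n}" for cat, n in counts.most_common()]
    lines.append(f"packages with >=1 finding: {fraction:.0%}")
    return "\n".join(lines)


if __name__ == "__main__":
    print(report())
```

Running the module prints one count per category and the share of packages with at least one hit; with the constructed input, pkg_a and pkg_b are flagged and pkg_c and pkg_d are not, because `\b` keeps `literal_eval(` from matching the `eval(` pattern and the negative lookahead exempts a `yaml.load` call that passes `Loader=`. The same limitation the abstract alludes to applies here: everything is decided from a single line of text, so a multi-line call or an alias (`from os import system`) escapes the scan.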
Subjects
GitHub code search
Python
Simple stupid insecure practices
TUHH