Copy/Paste is a dangerous coding technique

Published Sep 30, 2017
by Pieter Danhieux
tl;dr?

Lorem ipsum dolor sit amet, consectetur adipiscing elit. Suspendisse varius enim in eros elementum tristique. Duis cursus, mi quis viverra ornare, eros dolor interdum nulla, ut commodo diam libero vitae erat. Aenean faucibus nibh et justo cursus id rutrum lorem imperdiet. Nunc ut sem vitae risus tristique posuere.

Researchers from VirginiaTech released a paper after analysing hundreds of posts on the most popular developer forum (Stack Overflow). They looked at the type of questions asked around security, the most popular answers given by the community and the effect it has on code software engineers.

Not a real surprise for people who have been in Cyber Security for a while, but more awareness is needed around this problem from a developer perspective:

  • Security features provided by coding frameworks (e.g. JAVA Spring) are overly complicated and poorly documented
  • A substantial number of developers do not appear to understand the security implications of coding options, showing a lack of cyber security training
  • Many of the suggestions and "fixes" on these forums are not secure but were getting positives votes and thus higher in ratings

The report suggests the following solutions:

  • Workforce retraining
  • Semi-Automating security bug detection and fixing

We need to make security easy for developers and built-in from the start in order to maintain the speed in which businesses operate today.

"The significance of this work is that we provided empirical evidence for a significant number of alarming secure coding issues, which have not been previously reported," the paper says. "These issues are due to a variety of reasons, including the rapidly increasing need for enterprise security applications, the lack of security training in the software development workforce, and poorly designed security libraries."

https://www.theregister.com/2017/09/29/java_security_plagued_stack_overflow/

View Resource

Want more?

Dive into onto our latest secure coding insights on the blog.

Our extensive resource library aims to empower the human approach to secure coding upskilling.

View Blog
Want more?

Get the latest research on developer-driven security

Our extensive resource library is full of helpful resources from whitepapers to webinars to get you started with developer-driven secure coding. Explore it now.

Resource Hub

Copy/Paste is a dangerous coding technique

Published Mar 07, 2023
By Pieter Danhieux

Researchers from VirginiaTech released a paper after analysing hundreds of posts on the most popular developer forum (Stack Overflow). They looked at the type of questions asked around security, the most popular answers given by the community and the effect it has on code software engineers.

Not a real surprise for people who have been in Cyber Security for a while, but more awareness is needed around this problem from a developer perspective:

  • Security features provided by coding frameworks (e.g. JAVA Spring) are overly complicated and poorly documented
  • A substantial number of developers do not appear to understand the security implications of coding options, showing a lack of cyber security training
  • Many of the suggestions and "fixes" on these forums are not secure but were getting positives votes and thus higher in ratings

The report suggests the following solutions:

  • Workforce retraining
  • Semi-Automating security bug detection and fixing

We need to make security easy for developers and built-in from the start in order to maintain the speed in which businesses operate today.

"The significance of this work is that we provided empirical evidence for a significant number of alarming secure coding issues, which have not been previously reported," the paper says. "These issues are due to a variety of reasons, including the rapidly increasing need for enterprise security applications, the lack of security training in the software development workforce, and poorly designed security libraries."

https://www.theregister.com/2017/09/29/java_security_plagued_stack_overflow/

We would like your permission to send you information on our products and/or related secure coding topics. We’ll always treat your personal details with the utmost care and will never sell them to other companies for marketing purposes.

Oopsie daisy