Copy/Paste is a dangerous coding technique
Researchers from VirginiaTech released a paper after analysing hundreds of posts on the most popular developer forum (Stack Overflow). They looked at the type of questions asked around security, the most popular answers given by the community and the effect it has on code software engineers.
Not a real surprise for people who have been in Cyber Security for a while, but more awareness is needed around this problem from a developer perspective:
- Security features provided by coding frameworks (e.g. JAVA Spring) are overly complicated and poorly documented
- A substantial number of developers do not appear to understand the security implications of coding options, showing a lack of cyber security training
- Many of the suggestions and "fixes" on these forums are not secure but were getting positives votes and thus higher in ratings
The report suggests the following solutions:
- Workforce retraining
- Semi-Automating security bug detection and fixing
We need to make security easy for developers and built-in from the start in order to maintain the speed in which businesses operate today.
"The significance of this work is that we provided empirical evidence for a significant number of alarming secure coding issues, which have not been previously reported," the paper says. "These issues are due to a variety of reasons, including the rapidly increasing need for enterprise security applications, the lack of security training in the software development workforce, and poorly designed security libraries."
https://www.theregister.com/2017/09/29/java_security_plagued_stack_overflow/
Govern AI-driven development before it ships
Measure AI-assisted risk, enforce secure coding policy at commit, and accelerate secure delivery across your SDLC.
Explore more blogs
Lorem ipsum diam quis enim lobortis scelerisque fermentum dui faucibus in ornare quam viverra orci sagittis eu volutpat odio facilisis.
%252520%252520(3).avif)
Security as culture: How Blue Prism cultivates world-class secure developers
Learn how Blue Prism, the global leader in intelligent automation for the enterprise, used Secure Code Warrior's agile learning platform to create a security-first culture with their developers, achieve their business goals, and ship secure code at speed
One Culture of Security: How Sage built their security champions program with agile secure code learning
Discover how Sage enhanced security with a flexible, relationship-focused approach, creating 200+ security champions and achieving measurable risk reduction.
Observe and Secure the ADLC: A Four-Point Framework for CISOs and Development Teams Using AI
While development teams look to make the most of GenAI’s undeniable benefits, we’d like to propose a four-point foundational framework that will allow security leaders to deploy AI coding tools and agents with a higher, more relevant standard of security best practices. It details exactly what enterprises can do to ensure safe, secure code development right now, and as agentic AI becomes an even bigger factor in the future.
Secure AI-driven development before it ships
See developer risk, enforce policy, and prevent vulnerabilities across your software development lifecycle.
