Insecure code examples lead to real-life vulnerabilities

In April 2017, seven researchers published a paper called Leveraging Flawed Tutorials for Seeding Large-Scale Web Vulnerability Discovery. Starting from known insecure code samples in popular web tutorials, they searched real software projects on GitHub for code that reproduced the same weaknesses. The results show that bad examples end up in real-world code.

The researchers built a method to find tutorial-derived code in projects and applied it across the spectrum, from little-known, little-used projects to well-known, widely used ones. For each match, they manually verified that the project code was substantially the same as the insecure tutorial code and that it did, in fact, reproduce the weakness.
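The workflow described above has two distinct stages: an automated search that produces candidates, and a manual check that decides which candidates really carry the weakness. The following is an added illustration of that workflow, not the researchers' tooling; it uses a simple token-shingle Jaccard similarity as a stand-in for the paper's own matching technique, and all PHP snippets (PHP because the study's corpus was PHP projects) are constructed for this example. The third project snippet is deliberately a near-copy that casts the input first, so it scores high but is no longer injectable: exactly the kind of hit that a manual review would discard.

```python
import re

# Lexer for PHP-like source: variables, quoted strings, numbers, identifiers,
# and single punctuation characters. (Constructed for this example.)
TOKEN_RE = re.compile(r"""\$\w+|'(?:[^'\\]|\\.)*'|"(?:[^"\\]|\\.)*"|\d+|\w+|\S""")

# Superglobals are the taint sources a tutorial-derived bug depends on, so they
# are kept verbatim instead of being abstracted like ordinary variables.
SUPERGLOBALS = {"$_GET", "$_POST", "$_REQUEST", "$_COOKIE"}


def normalize(src):
    """Tokenize and abstract the parts a copy-paster usually changes:
    variable names, string literals (table names, messages) and numbers."""
    out = []
    for tok in TOKEN_RE.findall(src):
        if tok in SUPERGLOBALS:
            out.append(tok)
        elif tok.startswith("$"):
            out.append("$VAR")
        elif tok[0] in "'\"":
            out.append("STR")
        elif tok.isdigit():
            out.append("NUM")
        else:
            out.append(tok.lower())  # keywords, function names, operators
    return out


def shingles(tokens, k=5):
    """All length-k token windows; order inside a window is preserved."""
    return {tuple(tokens[i:i + k]) for i in range(len(tokens) - k + 1)}


def similarity(a, b, k=5):
    """Jaccard similarity of the two snippets' shingle sets (0.0 .. 1.0)."""
    sa, sb = shingles(normalize(a), k), shingles(normalize(b), k)
    if not sa or not sb:
        return 0.0
    return len(sa & sb) / len(sa | sb)


def find_candidates(tutorial, corpus, threshold=0.3):
    """Rank corpus snippets by similarity to the tutorial; above-threshold hits
    are only candidates and still need a human to confirm the weakness."""
    scored = [(name, similarity(tutorial, src)) for name, src in corpus.items()]
    hits = [(name, round(score, 2)) for name, score in scored if score >= threshold]
    return sorted(hits, key=lambda hit: hit[1], reverse=True)


# Constructed "tutorial" snippet: user input concatenated straight into SQL.
TUTORIAL = """
$id = $_GET['id'];
$result = mysql_query("SELECT * FROM users WHERE id = " . $id);
while ($row = mysql_fetch_assoc($result)) {
    echo $row['name'];
}
"""

# Constructed stand-ins for project code found on GitHub.
PROJECTS = {
    # Verbatim copy with renamed variables and table: still injectable.
    "project_a": """
$uid = $_GET['id'];
$res = mysql_query("SELECT * FROM members WHERE id = " . $uid);
while ($r = mysql_fetch_assoc($res)) {
    echo $r['username'];
}
""",
    # Rewritten with a prepared statement: not derived from the tutorial.
    "project_b": """
$id = (int) $_GET['id'];
$stmt = $pdo->prepare("SELECT * FROM users WHERE id = ?");
$stmt->execute([$id]);
foreach ($stmt->fetchAll() as $row) {
    echo htmlspecialchars($row['name']);
}
""",
    # Near-copy, but the developer cast the input first: lexically close to
    # the tutorial, yet the injection is gone. This is why matches are verified.
    "project_c": """
$id = intval($_GET['id']);
$result = mysql_query("SELECT * FROM users WHERE id = " . $id);
while ($row = mysql_fetch_assoc($result)) {
    echo $row['name'];
}
""",
}

if __name__ == "__main__":
    for name, score in find_candidates(TUTORIAL, PROJECTS):
        print(f"{name}: {score}")  # project_a: 1.0, project_c: 0.61
```

Run stand-alone, the search returns project_a (score 1.0) and project_c (score 0.61) as candidates and drops project_b. Only project_a actually carries the weakness; project_c is the false positive that the manual stage exists to remove, which is the same funnel the study reports from automated hits down to confirmed cases.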

The results are telling

Across 64,415 codebases on GitHub, their search flagged 820 pieces of code that resembled the tutorial samples. Manual verification confirmed that 117 of those matches were substantially the same code and contained the same weaknesses as the tutorial samples. The confirmed cases appeared in both more and less popular software.

While the numbers may look small, these instances trace back to just a handful of specific insecure code examples that appear to have directly led to the same weaknesses in open source projects. They say nothing about the far larger body of bad sample code that developers copy from every day, so the count is a lower bound for this kind of problem, not a measure of it.

This should be alarming

Developer education all too often teaches developers to do exactly the wrong things when it comes to securing software, and those wrong techniques land in production code, often with little change. Developers who learn an insecure method practice it and ship it. Combine that with the “get it to work and move on” mindset so many developers pick up along the way, and it’s clear why the method is unlikely to be corrected before the project’s release. The result is software that ships with copy-pasted weaknesses, and organizations get hacked through them.