How Reliable is the Crowdsourced Knowledge of Security Implementation?

Chen, Mengsu; Fischer, Felix; Meng, Na; Wang, Xiaoyin; Großklags, Jens

doi:10.1109/icse.2019.00065

Cited by 54 publications

(23 citation statements)

References 38 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…Education Could certainly do better [48], though there are encouraging signs [49] and useful ideas when it comes to improving informal resources [59]. However, informal resources can be dangerous when it comes to security, and [49] recommends giving all students the advice in [60]: "If you pick up a SSL/TLS answer from Stack Overflow, there's a 70% chance it's insecure".…”

Section: Discussionmentioning

confidence: 99%

Cybersecurity Education and Formal Methods

Davenport

Crick

2021

Communications in Computer and Information Science

View full text Add to dashboard Cite

Formal methods have been largely thought of in the context of safety-critical systems, where they have achieved major acceptance. Tens of millions of people trust their lives every day to such systems, based on formal proofs rather than "we haven't found a bug" (yet!); but why is "we haven't found a bug" an acceptable basis for systems trusted with hundreds of millions of people's personal data? This paper looks at some of these issues in cybersecurity, primarily focused on the UK as a case study, and the extent to which formal methods, ranging from "fully verified" to better tool support, could help. More importantly, recent policy reports and curricula initiatives appear to recommended formal methods in the limited context of "safety critical applications"; we suggest this is too limited in scope and ambition. Not only are formal methods neded in cybersecurity, the repeated weaknesses of the cybersecurity industry provide a powerful motivation for formal methods.

show abstract

Section: Discussionmentioning

confidence: 99%

Cybersecurity Education and Formal Methods

Davenport

Crick

2021

Communications in Computer and Information Science

View full text Add to dashboard Cite

show abstract

“…For example, Zhang et al found that one third of SO posts contain potential API misuses [47]. Chen et al found that a large proportion of security implementations on SO is insecure, and that the corresponding posts have higher scores and more duplicates compared to posts with secure suggestions [15]. In the future, we also plan to investigate the quality of unocial performance-related information from crowdsourced data.…”

Section: Knowledge In Documentationmentioning

confidence: 97%

Understanding performance concerns in the API documentation of data science libraries

Tao

Jiang

Liu

et al. 2020

Proceedings of the 35th IEEE/ACM International Conference on Automated Software Engineering

View full text Add to dashboard Cite

The development of ecient data science applications is often impeded by unbearably long execution time and rapid RAM exhaustion. Since API documentation is the primary information source for troubleshooting, we investigate how performance concerns are documented in popular data science libraries. Our quantitative results reveal the prevalence of data science APIs that are documented in performance-related context and the infrequent maintenance activities on such documentation. Our qualitative analyses further reveal that crowd documentation like Stack Overow and GitHub are highly complementary to ocial documentation in terms of the API coverage, the knowledge distribution, as well as the specic information conveyed through performance-related content. Data science practitioners could benet from our ndings by learning a more targeted search strategy for resolving performance issues. Researchers can be more assured of the advantages of integrating both the ocial and the crowd documentation to achieve a holistic view on the performance concerns in data science development.

show abstract

“…Based on best of our knowledge, this is the first study on security of C# codes. several studies investigated security related issues in languages like Java and Python [22], [11], [5]. However, as mentioned no study has focused on security of C# codes and thus no study on C# code snippets in community question and answer websites exist.…”

Section: Related Workmentioning

confidence: 99%

On the use of C# Unsafe Code Context

Firouzi

Sami

Khomh

et al. 2020

Proceedings of the 14th ACM / IEEE International Symposium on Empirical Software Engineering and Measurement (ESEM)

View full text Add to dashboard Cite

Background. C# maintains type safety and security by not allowing direct dangerous pointer arithmetic. To improve performance for special cases, pointer arithmetic is provided via an unsafe context. Programmers can use the C# unsafe keyword to encapsulate a code block, which can use pointer arithmetic. In the Common Language Runtime (CLR), unsafe code is referred to as unverifiable code. It then becomes the responsibility of the programmer to ensure the encapsulated code snippet is not dangerous. Naturally, this raises concern on whether such trust is misused by programmers when they promote the use of C# unsafe context. Aim. We aim to analyze the prevalence and vulnerabilities of share code examples using C# unsafe keyword in Stack Overflow (SO) code sharing platform. Method. By using some regular expressions and manual checks, we extracted C# unsafe code relevant posts from SO and categorized them into some software development scenarios. Results. In the entire SO data dump of September 2018, we find 2,283 C# snippets with the unsafe keyword. Among those posts, 27% of posts are about Image processing, where unsafe codes are mainly used for performance reasons. The second most popular category by 21% of the codes in the posts is used for 'Interoperability' reasons. That is 'unsafe' is used to enable 'Interoperability' between C# managed codes and unmanaged codes. The 'stackalloc' operator is the third category with 9% of unsafe code posts. The stackalloc operator allocates a block of memory on the stack. Since C# 7.2, Microsoft recommends against using 'stackalloc'in unsafe context whenever possible. Manual inspection shows 67 code snippets with dangerous functions that can introduce vulnerability if not used with caution (e.g., buffer overflow). Finally, 35% of 'Interoperability' posts have 'P/Invoke' tag were used outside NativeMethods class, which is in contrast to Microsoft design suggestion. Conclusion. Our study leads to 7 main findings, and these findings show the importance of cautiously using this feature.

show abstract

How Reliable is the Crowdsourced Knowledge of Security Implementation?

Cited by 54 publications

References 38 publications

Cybersecurity Education and Formal Methods

Cybersecurity Education and Formal Methods

Understanding performance concerns in the API documentation of data science libraries

On the use of C# Unsafe Code Context

Contact Info

Product

Resources

About