Share, But be Aware: Security Smells in Python Gists

2019 IEEE International Conference on Software Maintenance and Evolution (ICSME) Pub Date : 2019-09-01 DOI:10.1109/ICSME.2019.00087

Md. Rayhanur Rahman, A. Rahman, L. Williams

{"title":"Share, But be Aware: Security Smells in Python Gists","authors":"Md. Rayhanur Rahman, A. Rahman, L. Williams","doi":"10.1109/ICSME.2019.00087","DOIUrl":null,"url":null,"abstract":"Github Gist is a service provided by Github which is used by developers to share code snippets. While sharing, developers may inadvertently introduce security smells in code snippets as well, such as hard-coded passwords. Security smells are recurrent coding patterns that are indicative of security weaknesses, which could potentially lead to security breaches. The goal of this paper is to help software practitioners avoid insecure coding practices through an empirical study of security smells in publicly-available GitHub Gists. Through static analysis, we found 13 types of security smells with 4,403 occurrences in 5,822 publicly-available Python Gists. 1,817 of those Gists, which is around 31%, have at least one security smell including 689 instances of hard-coded secrets. We also found no significance relation between the presence of these security smells and the reputation of the Gist author. Based on our findings, we advocate for increased awareness and rigorous code review efforts related to software security for Github Gists so that propagation of insecure coding practices are mitigated.","PeriodicalId":106748,"journal":{"name":"2019 IEEE International Conference on Software Maintenance and Evolution (ICSME)","volume":null,"pages":null},"PeriodicalIF":0.0000,"publicationDate":"2019-09-01","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":"16","resultStr":null,"platform":"Semanticscholar","paperid":null,"PeriodicalName":"2019 IEEE International Conference on Software Maintenance and Evolution (ICSME)","FirstCategoryId":"1085","ListUrlMain":"https://doi.org/10.1109/ICSME.2019.00087","RegionNum":0,"RegionCategory":null,"ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":null,"EPubDate":"","PubModel":"","JCR":"","JCRName":"","Score":null,"Total":0}

引用次数: 16

Abstract

Github Gist is a service provided by Github which is used by developers to share code snippets. While sharing, developers may inadvertently introduce security smells in code snippets as well, such as hard-coded passwords. Security smells are recurrent coding patterns that are indicative of security weaknesses, which could potentially lead to security breaches. The goal of this paper is to help software practitioners avoid insecure coding practices through an empirical study of security smells in publicly-available GitHub Gists. Through static analysis, we found 13 types of security smells with 4,403 occurrences in 5,822 publicly-available Python Gists. 1,817 of those Gists, which is around 31%, have at least one security smell including 689 instances of hard-coded secrets. We also found no significance relation between the presence of these security smells and the reputation of the Gist author. Based on our findings, we advocate for increased awareness and rigorous code review efforts related to software security for Github Gists so that propagation of insecure coding practices are mitigated.

查看原文本刊更多论文

分享，但要警惕：Python Gists 中的安全隐患

Github Gist 是 Github 提供的一项服务，用于开发人员共享代码片段。在共享时，开发人员可能会无意中在代码片段中引入安全隐患，例如硬编码密码。安全漏洞是一种重复出现的编码模式，表明存在安全漏洞，有可能导致安全漏洞。本文旨在通过对公开发布的 GitHub Gists 中的安全隐患进行实证研究，帮助软件从业人员避免不安全的编码实践。通过静态分析，我们在 5,822 个公开的 Python Gist 中发现了 13 种类型的安全漏洞，共出现了 4,403 次。其中 1817 个 Gists（约占 31%）至少有一种安全隐患，包括 689 个硬编码秘密实例。我们还发现，这些安全隐患的存在与 Gist 作者的声誉之间没有显著关系。基于我们的研究结果，我们主张提高 Github Gist 的软件安全意识，并对其进行严格的代码审查，以减少不安全编码实践的传播。

本文章由计算机程序翻译，如有差异，请以英文原文为准。

求助全文

约1分钟内获得全文求助全文

来源期刊

2019 IEEE International Conference on Software Maintenance and Evolution (ICSME)

自引率

0.00%

发文量