Common Programming Mistakes Leading to Information Disclosure: A Preliminary Study

Authors: Gowri Pandian Sundarapandi, Raiyan Hossain, Chandana Jasrai, Kazi Zakia Sultana, Zadia Codabux
Venue: 2022 IEEE International Conference on Software Analysis, Evolution and Reengineering (SANER), March 2022
DOI: 10.1109/saner53432.2022.00091 (https://doi.org/10.1109/saner53432.2022.00091)

Abstract

It is vital to engineer robust and secure software. Many security strategies and techniques have been proposed, but continued technological growth keeps raising new security concerns and demands persistent software security analysis. The objective of our study is to analyze vulnerable code components in real-world software repositories and mine the programming mistakes that developers frequently make and that result in information disclosure. Finding such common mistakes during the implementation phase is a primary step towards building secure software. We investigate published vulnerabilities in two open-source projects, Apache Tomcat and Android, focusing on the information disclosure vulnerabilities reported in their security advisories, and analyze the affected code to extract the root cause of each vulnerability. We found that missing or improper bounds checking is the most frequent programming mistake that can lead to information leakage. Our findings can raise developers' awareness of the common mistakes that disclose sensitive information, so that they can be avoided or, where already present in the code, fixed during the implementation phase. Moreover, our results can be incorporated into tools such as static analyzers to detect information disclosure instances more accurately before software delivery.
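The abstract's headline finding, that missing or improper bounds checking is the most common cause of information leakage, is easiest to see in code. The following C program is an added example written for this page; it is not code from the paper, from Tomcat or from Android, and the server design, buffer layout, token and field names are all hypothetical. It models a server that reuses one receive buffer across requests and trusts a client-supplied length field: the unchecked handler echoes whatever the client claims it sent, including stale bytes left by an earlier request, while the checked handler validates the length against the bytes actually received and clears the buffer before reuse.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Added example, not from the paper. Constructed scenario: a server reuses a
 * single receive buffer for every request; all names and data are hypothetical. */

#define BUF_SIZE 64

/* Shared receive buffer, reused across requests (hypothetical design). */
static unsigned char rx_buf[BUF_SIZE];

/* Constructed leftover from a previous request: a session token still in rx_buf. */
static const char stale_token[] = "session=tok-9f3a1c2e-admin";

/* A request carries a client-supplied length field plus the bytes actually read. */
struct request {
    uint16_t claimed_len;          /* attacker-controlled length field */
    const unsigned char *payload;
    size_t actual_len;             /* bytes really received on the wire */
};

/* Put rx_buf into the state left by the previous request: token still resident. */
static void simulate_previous_request(void) {
    memset(rx_buf, 0, sizeof rx_buf);
    memcpy(rx_buf + 16, stale_token, sizeof stale_token - 1);
}

/* VULNERABLE: clamps claimed_len only enough to avoid crashing, never compares it
 * with actual_len, so the echo reaches past the fresh bytes into stale data. */
static size_t echo_unchecked(const struct request *req, unsigned char *out, size_t out_cap) {
    size_t n = req->claimed_len;
    if (n > BUF_SIZE) n = BUF_SIZE;
    if (n > out_cap) n = out_cap;
    memcpy(rx_buf, req->payload, req->actual_len);
    memcpy(out, rx_buf, n);        /* n may exceed actual_len: information leak */
    return n;
}

/* FIXED: the length field must match what was received and fit both buffers, and
 * the shared buffer is cleared before reuse so stale bytes cannot be echoed even
 * if a later length check is missed. Echoes nothing on a mismatch. */
static size_t echo_checked(const struct request *req, unsigned char *out, size_t out_cap) {
    if (req->claimed_len != req->actual_len ||
        req->actual_len > BUF_SIZE || req->actual_len > out_cap)
        return 0;
    memset(rx_buf, 0, sizeof rx_buf);
    memcpy(rx_buf, req->payload, req->actual_len);
    memcpy(out, rx_buf, req->actual_len);
    return req->actual_len;
}

/* Returns 1 if the echoed bytes contain the stale token, i.e. data was disclosed. */
static int leaks_token(const unsigned char *out, size_t n) {
    size_t tlen = sizeof stale_token - 1;
    for (size_t i = 0; i + tlen <= n; i++)
        if (memcmp(out + i, stale_token, tlen) == 0) return 1;
    return 0;
}

/* Sends a 4-byte body with a lying 48-byte length field; returns the leak flag. */
static int run_probe(size_t (*handler)(const struct request *, unsigned char *, size_t)) {
    static const unsigned char body[] = "ping";
    struct request req = { .claimed_len = 48, .payload = body, .actual_len = 4 };
    unsigned char out[BUF_SIZE];
    simulate_previous_request();
    size_t n = handler(&req, out, sizeof out);
    return leaks_token(out, n);
}

/* Sends an honest request (length field matches body); returns bytes echoed. */
static size_t run_honest(size_t (*handler)(const struct request *, unsigned char *, size_t)) {
    static const unsigned char body[] = "ping";
    struct request req = { .claimed_len = 4, .payload = body, .actual_len = 4 };
    unsigned char out[BUF_SIZE];
    simulate_previous_request();
    return handler(&req, out, sizeof out);
}

int main(void) {
    printf("unchecked handler leaks stale token: %s\n", run_probe(echo_unchecked) ? "yes" : "no");
    printf("checked handler leaks stale token:   %s\n", run_probe(echo_checked) ? "yes" : "no");
    printf("honest request through checked handler echoes %zu bytes\n", run_honest(echo_checked));
    return 0;
}
```

The unchecked handler is not a crash bug: the clamp keeps every read inside rx_buf, which is exactly why this class of mistake survives testing and shows up as an information disclosure advisory rather than a denial of service. The fix pairs the length check with clearing the reused buffer, so a single missed check no longer exposes another request's data.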