# How Reliable is the Crowdsourced Knowledge of Security Implementation?

**Authors:** Mengsu Chen, Felix Fischer, Na Meng, Xiaoyin Wang, Jens Grossklags

arXiv: 1901.01327 · 2019-01-08

## TL;DR

This study investigates the reliability of security advice on Stack Overflow, revealing many insecure suggestions, ineffective community feedback, and the failure of reputation systems to identify trustworthy security solutions.

## Contribution

The paper provides an empirical analysis of security-related answers on Stack Overflow, highlighting the prevalence of insecure advice and the community's inability to distinguish secure solutions.

## Key findings

- Insecure answers have higher views and scores than secure ones.
- 34% of advice from reputable users was insecure.
- Community feedback does not effectively differentiate secure from insecure answers.

## Abstract

Stack Overflow (SO) is the most popular online Q&A site for developers to share their expertise in solving programming issues. Given multiple answers to certain questions, developers may take the accepted answer, the answer from a person with high reputation, or the one frequently suggested. However, researchers recently observed exploitable security vulnerabilities in popular SO answers. This observation inspires us to explore the following questions: How much can we trust the security implementation suggestions on SO? If suggested answers are vulnerable, can developers rely on the community's dynamics to infer the vulnerability and identify a secure counterpart?   To answer these highly important questions, we conducted a study on SO posts by contrasting secure and insecure advices with the community-given content evaluation. We investigated whether SO incentive mechanism is effective in improving security properties of distributed code examples. Moreover, we also traced duplicated answers to assess whether the community behavior facilitates propagation of secure and insecure code suggestions. We compiled 953 different groups of similar security-related code examples and labeled their security, identifying 785 secure answer posts and 644 insecure ones. Compared with secure suggestions, insecure ones had higher view counts (36,508 vs. 18,713), received a higher score (14 vs. 5), and had significantly more duplicates (3.8 vs. 3.0) on average. 34% of the posts provided by highly reputable so-called trusted users were insecure.   Our findings show that there are lots of insecure snippets on SO, while the community-given feedback does not allow differentiating secure from insecure choices. Moreover, the reputation mechanism fails in indicating trustworthy users with respect to security questions, ultimately leaving other users wandering around alone in a software security minefield.

## Full text

_Full body text omitted from this summary view._ Fetch the complete paper as Markdown: https://tomesphere.com/paper/1901.01327/full.md

## Figures

7 figures with captions in the complete paper: https://tomesphere.com/paper/1901.01327/full.md

## References

73 references — full list in the complete paper: https://tomesphere.com/paper/1901.01327/full.md

---
Source: https://tomesphere.com/paper/1901.01327