Does Collaborative Editing Help Mitigate Security Vulnerabilities in Crowd-Shared IoT Code Examples?
Madhu Selvaraj, Gias Uddin

TL;DR
This study investigates whether collaborative editing on developer forums effectively reduces security vulnerabilities in shared IoT code snippets, finding limited impact of revisions on vulnerability mitigation.
Contribution
It provides an empirical analysis of vulnerability presence and revision effects in IoT code snippets on Stack Exchange sites, highlighting the limited effectiveness of current collaborative editing.
Findings
Many code snippets contain security vulnerabilities such as CWE-788.
Most code snippets are not revised after initial posting.
Revisions rarely reduce vulnerabilities, and often do not change vulnerability levels.
Abstract
Background: With the proliferation of crowd-sourced developer forums, software developers are increasingly sharing more coding solutions to programming problems with others in forums. The decentralized nature of knowledge sharing on sites has raised the concern of sharing security vulnerable code, which then can be reused into mission-critical software systems - making those systems vulnerable in the process. Collaborative editing has been introduced in forums like Stack Overflow to improve the quality of the shared contents. Aim: In this paper, we investigate whether code editing can mitigate shared vulnerable code examples by analyzing IoT code snippets and their revisions in three Stack Exchange sites: Stack Overflow, Arduino, and Raspberry Pi. Method: We analyze the vulnerabilities present in shared IoT C/C++ code snippets, as C/C++ is one of the most widely used languages in…
