What Makes Security-Related Code Examples Different?

Reuse of code examples (CEs) in software engineering can impact code security. Azadeh Mokhberi, a PhD student in my research group, led an interview study to investigate developers’ habits, challenges, and strategies in the life cycle of using security-related code examples (SRCEs), with a focus on exploring the differences between security- and non-security-related CEs.

We found that developers had a habit of reusing vulnerable code from their previous projects. This code reuse unintentionally introduced the same vulnerability into new projects, even though that vulnerability had already been fixed in later iterations of the original resource the CE had been taken from. Our results highlight that professional developers need the same number of such CEs even as they gain experience over time, while this may not be the case for non-security-related CEs (NSRCEs).

See the full paper for more details:

Mokhberi, Azadeh, Tiffany Quon, and Konstantin Beznosov. “What Makes Security-Related Code Examples Different,” in Workshop on Security Information Workers, August 8, 2021.
