Research on the dangers of copy/pasting code

Suppose you need to incorporate crypto into your application. Or you need to write a regex to validate some user input. You might end up on Stack Overflow, where you find a code snippet that you can paste into your application. And even better, it works on the first try! But is the code correct, and is the code secure? In this talk, Jamie and Sazzadur will talk about the potential hazards of copy/pasting crypto and regexes into your software.


Resources mentioned in this session:


Slides: Coming soon

Regexes

- Jamie is the maintainer of the safe-regex module on npm. More accurate super-linear regex detectors are available through the vuln-regex-detector project.

- His regex portability tools can be found in the LinguaFranca project.

- He posts “reader’s digest” summaries of his work on Medium, including posts on his regex security and regex portability work.


Crypto

- Sazzadur’s application-level cryptographic misuse detection paper can be found here.

- You can scan your Java code for cryptographic misuse using his CryptoGuard project.

If any of these tools or resources are helpful, please let us know!


Jamie Davis and Sazzadur Rahaman

Jamie Davis and Sazzadur Rahaman are 5th-year PhD students in Computer Science at Virginia Tech. They both spent a few years in industry before heading back to school, and both study software correctness and security. Jamie focuses on regular expressions and Node.js, while Sazzadur’s interests lie in application-level cryptographic vulnerabilities. Jamie’s research has led to changes in the core libraries of Python and Node.js, and Sazzadur’s work has prompted changes in projects like Apache Spark and Apache Ranger.


Find Jamie on Twitter

Find Sazzadur on Twitter

MyDevSecOps ©2020 POWERED BY SNYK

The MyDevSecOps community is powered by Snyk Ltd. Our aim is to create a vendor-neutral space to share knowledge and best practices related to software security.
