Stack Overflow: A Story of Two Security Tales

Monday, January 27, 2020 - 11:45 am12:15 pm

Felix Fischer, Technical University of Munich

Abstract: 

Stack Overflow helps software developers from all over the world get their daily programming tasks done. Knowledge and source code shared via this platform shape digital services and applications that are used by billions of people every day. The tremendous impact Stack Overflow has had on today's software urges us and many other researchers to investigate to what extent information security is part of the discussions on Stack Overflow, what the biggest security problems are, and how developers solve them.

Our results tell a story of two tales. In the first tale, Stack Overflow seems to be the source of all evil. It's responsible for unintentionally marketing and distributing severe software vulnerabilities we traced in high-profile applications installed by billions of people. It's been demonstrated that these vulnerabilities would allow practical attacks and theft of credentials, credit cards, and other private data. The second tale tells a complete opposite story, where Stack Overflow becomes one of the most usable and effective tools in helping developers get security right. The moral of both stories is that it only takes small design tweaks to get from one to the other.

We are deeply convinced that these kinds of modifications could have an enormous positive effect on software security in general due to the pervasive use of Stack Overflow. Therefore, we want to highlight the most important results from usable security research over the last years to set the ball rolling. These include identified major security problems, what impact they had on real-world applications, and how we modified Stack Overflow to effectively help people develop secure software.

Felix Fischer, Technical University of Munich

Felix Fischer is a Research Associate and PhD student of Jens Grossklags at the Chair of Cyber Trust at Technical University of Munich. He studies the interaction of people with information security and privacy technologies. His most recent publications focus on software engineers struggling with getting cryptography right and explore machine learning as a tool for usable security and privacy. His work has frequently been published at top-tier venues for security and privacy research, such as IEEE S&P, ACM CCS, and USENIX Security.

BibTeX
@conference {244692,
author = {Felix Fischer},
title = {Stack Overflow: A Story of Two Security Tales},
year = {2020},
address = {San Francisco, CA},
publisher = {{USENIX} Association},
month = jan,
}