Stack Overflow: A Story of Two Security Tales

Stack Overflow helps software developers from all over the world get their daily programming tasks done. Knowledge and source code shared via this platform shape digital services and applications that are used by billions of people every day. The tremendous impact Stack Overflow has had on today's software urges us and many other researchers to investigate to what extent information security is part of the discussions on Stack Overflow, what the biggest security problems are, and how developers solve them.

Our results tell a story of two tales. In the first tale, Stack Overflow seems to be the source of all evil. It's responsible for unintentionally marketing and distributing severe software vulnerabilities we traced in high-profile applications installed by billions of people. It's been demonstrated that these vulnerabilities would allow practical attacks and theft of credentials, credit cards, and other private data. The second tale tells a complete opposite story, where Stack Overflow becomes one of the most usable and effective tools in helping developers get security right. The moral of both stories is that it only takes small design tweaks to get from one to the other.

We are deeply convinced that these kinds of modifications could have an enormous positive effect on software security in general due to the pervasive use of Stack Overflow. Therefore, we want to highlight the most important results from usable security research over the last years to set the ball rolling. These include identified major security problems, what impact they had on real-world applications, and how we modified Stack Overflow to effectively help people develop secure software.