In recent years there has been a push towards building software on open-source and third-party libraries. Thousands of new packages are published to registries such as npm, RubyGems and Maven Central every day, and package managers make it easy for developers to pull them in and keep track of them. Alongside the convenience of reusing pre-written code, however, this exposes software to third-party risk.
There have been several notable security incidents in the news recently caused by third-party risk. One of these was Heartbleed, a bug in the OpenSSL cryptography library: it affected millions of websites purely because they were using the vulnerable library. Another major way in which applications open themselves up to third-party risk is copy-and-paste programming, where library code is copied into an application's own source tree instead of being consumed as a tracked dependency, so it receives none of the upstream fixes. In this work we study the impact of vulnerabilities that arise solely due to copy-pasted code. We call them copy-paste vulnerabilities.
There are three different ways that developers may introduce a copy-paste vulnerability into their application:
Detecting copy-paste vulnerabilities is difficult due to the following challenges:
In this talk we will look at how we identified these copy-paste vulnerabilities and their impact on the open-source community. We will also discuss mitigation strategies and release a proof-of-concept tool for detecting these issues.
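One way to find pasted copies of a known vulnerable function, shown here as an added example and not the proof-of-concept tool the talk releases: normalize the source into a token stream (identifiers, numbers and strings collapsed to class tokens so renames and reformatting do not hide the copy), hash token k-grams and keep a winnowed subset of them as fingerprints, then report the fraction of the reference snippet's fingerprints that occur in each file. The "vulnerable" helper, the file it was pasted into and the clean control file are all constructed for this example; the function and variable names are hypothetical.

```python
"""Toy copy-paste code detector based on winnowed token k-gram fingerprints.

Added illustration of one detection approach; not the talk's own tool.
All source strings below are constructed for the example.
"""
import hashlib
import re
from typing import Dict, List, Set

# Tokenizer for C-like source. Identifiers, numbers and string literals are
# collapsed to class tokens (ID, NUM, STR) so renaming variables or changing
# constants does not defeat the match; comments and whitespace are dropped so
# reformatting does not matter either.
_TOKEN_RE = re.compile(
    r"""(?P<comment>//[^\n]*|/\*.*?\*/)
      | (?P<string>"(?:\\.|[^"\\])*"|'(?:\\.|[^'\\])*')
      | (?P<number>\b\d+(?:\.\d+)?\b)
      | (?P<ident>\b[A-Za-z_]\w*\b)
      | (?P<op>[{}()\[\];,=+\-*/<>!&|^%~?:.#])
      | (?P<ws>\s+)""",
    re.VERBOSE | re.DOTALL,
)

# Keywords are kept verbatim; they carry structure that ID would erase.
KEYWORDS = {
    "if", "else", "for", "while", "do", "return", "break", "continue",
    "int", "char", "void", "unsigned", "size_t", "struct", "sizeof",
    "static", "const",
}


def normalize(src: str) -> List[str]:
    """Turn C-like source into a stream of normalized tokens."""
    toks: List[str] = []
    for m in _TOKEN_RE.finditer(src):
        kind, text = m.lastgroup, m.group()
        if kind in ("comment", "ws"):
            continue
        if kind == "ident":
            toks.append(text if text in KEYWORDS else "ID")
        elif kind == "number":
            toks.append("NUM")
        elif kind == "string":
            toks.append("STR")
        else:
            toks.append(text)
    return toks


def fingerprints(tokens: List[str], k: int = 10, w: int = 4) -> Set[int]:
    """Hash every k-gram, then keep the minimum of each window of w hashes
    (winnowing). Any shared run of at least k + w - 1 tokens is guaranteed
    to share at least one selected fingerprint."""
    if len(tokens) < k:
        return set()
    hashes = [
        int.from_bytes(hashlib.sha256(" ".join(tokens[i:i + k]).encode()).digest()[:8], "big")
        for i in range(len(tokens) - k + 1)
    ]
    if len(hashes) <= w:
        return {min(hashes)}
    return {min(hashes[i:i + w]) for i in range(len(hashes) - w + 1)}


def containment(reference: str, target: str, k: int = 10, w: int = 4) -> float:
    """Fraction of the reference snippet's fingerprints that also occur in
    target: 1.0 means the whole snippet is present (modulo renames/formatting)."""
    ref = fingerprints(normalize(reference), k, w)
    if not ref:
        return 0.0
    tgt = fingerprints(normalize(target), k, w)
    return len(ref & tgt) / len(ref)


def scan(reference: str, files: Dict[str, str], threshold: float = 0.5) -> Dict[str, float]:
    """Return the files whose containment score meets the threshold."""
    scores = {name: containment(reference, src) for name, src in files.items()}
    return {name: s for name, s in scores.items() if s >= threshold}


# Constructed "known-bad" helper: it trusts the length byte read from the
# input and never checks it against the input buffer size.
VULNERABLE_SNIPPET = """
int read_record(const unsigned char *in, size_t in_len, unsigned char *out) {
    unsigned int len = in[0];
    memcpy(out, in + 1, len);   /* len is never compared with in_len */
    return len;
}
"""

# Constructed target file: the helper pasted in, renamed and reformatted.
PASTED_FILE = """
#include <string.h>

static void wipe(unsigned char *p, size_t n) { memset(p, 0, n); }

static int copy_msg(const unsigned char *buf, size_t buflen,
                    unsigned char *dst)
{
    unsigned int n = buf[0];
    memcpy(dst, buf+1, n);
    return n;
}
"""

# Constructed control file that shares no copied code with the snippet.
CLEAN_FILE = """
int max_of(const int *a, size_t n) {
    int best = a[0];
    for (size_t i = 1; i < n; i++) {
        if (a[i] > best) best = a[i];
    }
    return best;
}
"""

if __name__ == "__main__":
    files = {"pasted.c": PASTED_FILE, "clean.c": CLEAN_FILE}
    for name, score in scan(VULNERABLE_SNIPPET, files, threshold=0.0).items():
        print(f"{name}: {score:.2f}")
```

The pasted copy scores 1.0 despite the new names and layout, while the control file scores 0.0. In practice k and w need tuning per language: a small k makes common boilerplate (argument lists, loop headers) match everything, and a large k misses copies that were lightly edited after pasting, which is exactly the case where the pasted code has drifted away from the upstream fix.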