Why do you trust this code?

Supervisor: Maximilian Häring (haering@cs.uni-bonn.de)

Developers handle code dependencies all the time. They include libraries and snippets to reach their goal faster. One could argue that not rewriting every piece of functionality again and again is what allowed us to build larger code bases at all. But: is the code developers pull in secure? This project is not about whether a given piece of code is secure per se; historically we know that not every dependency is. This project is about developers' thinking on the specific code they use: what they do to estimate whether it is secure enough to use, which assumptions they rely on, which tools they use (if any), whom they trust, whether they are aware of the available tools and alternatives, and whether those tools match what developers actually need.

Goal

The project aims to get an impression of how this looks among the computer science students of the university. It is safe to assume that enough of them have written code in the past and included external code in it. This could be done as an interview study, but also via experiments or surveys. That depends on you and can be decided in consultation with the supervisor.

A motivation: part of the result could be a cheat sheet for your fellow students.

Literature to start with

https://saschafahl.de/static/paper/infosources2016.pdf

https://owasp.org/www-community/controls/Static_Code_Analysis

https://docs.npmjs.com/auditing-package-dependencies-for-security-vulnerabilities

https://stackoverflow.com/questions/39241124/how-can-we-trust-npm-modules and other online discussions on this topic.

Requirements

You attended and passed the USECAP lecture. If you had no opportunity to do so, I would be happy to provide the material. The lecture teaches the skills needed to design, conduct and evaluate such a study.
