The Effect of Google Search on Software Security: Unobtrusive Security Interventions via Content Re-ranking

Felix Fischer, Yannick Stachelscheid, Jens Grossklags

Publication: Contribution to book/report/conference proceedings › Conference contribution › Peer reviewed

11 citations (Scopus)

Abstract

Google Search is where most developers start their Web journey looking for code examples to reuse. It is highly likely that code linked from the top results will be among the candidates that find their way into production software. However, as a large amount of both secure and insecure code has been identified on the Web, the question arises how the webpages providing it are ranked by Google and whether the ranking has an effect on software security. We investigate how secure and insecure cryptographic code examples from Stack Overflow are ranked by Google Search. Our results show that insecure code ends up in the top results and is clicked on more often. There is at least a 22.8% chance that one of the top three Google Search results leads to insecure code. We introduce security-based re-ranking, where the rank of Google Search is updated based on the security and relevance of the source code provided in the results. We tested our re-ranking approach and compared it to Google's original ranking in an online developer study. Participants who used our modified search engine to look for help online submitted more secure and functional results, with statistical significance. In contrast to prior work on helping developers write secure code, security-based re-ranking completely eradicates the requirement for any action performed by developers. Our intervention remains completely invisible, and therefore the probability of adoption is greatly increased. We believe security-based re-ranking allows Internet-wide improvement of code security and prevents the far-reaching spread of insecure code found on the Web.

Original language: English
Title: CCS 2021 - Proceedings of the 2021 ACM SIGSAC Conference on Computer and Communications Security
Publisher: Association for Computing Machinery
Pages: 3070-3084
Number of pages: 15
ISBN (electronic): 9781450384544
DOIs
Publication status: Published - 12 Nov. 2021
Event: 27th ACM Annual Conference on Computer and Communication Security, CCS 2021 - Virtual, Online, South Korea
Duration: 15 Nov. 2021 to 19 Nov. 2021

Publication series

Name: Proceedings of the ACM Conference on Computer and Communications Security
ISSN (Print): 1543-7221

Conference

Conference: 27th ACM Annual Conference on Computer and Communication Security, CCS 2021
Country/Territory: South Korea
City: Virtual, Online
Period: 15/11/21 to 19/11/21
