Hello and welcome to the Wednesday, June 7, 2020,

edition of the Sansonet Storm Center's Stormcast.

My name is Johannes Ulrich, and then I'm recording from Jacksonville, Florida.

Well, today I wrote up a little experiment that I actually conducted last week. And the goal of the experiment

was to compare how a novice developer would use tools like GitHub copilot or just simply

Googling for code snippets and what the respective security impact would be of code derived either way.

As an example, I took a very simple task, a simple form written in PHP,

where you would collect some data and then insert it into a SQL database.

Turns out that the GitHub co-pilot didn't really vary too much about

cross-site scripting, but did proper prepared statements for the SQL queries, so no

SQL injection, while the random code snippet that I was able to find via Google to do the same thing, actually

from a PHP tutorial.

Well, it had Siegel Injection and CrossSight scripting.

As far as input validation goes, GitHub copilot once you sort of came up with the right

prompts, meaning you added comments to actually do it,

it did a reasonable job with it and so it can code securely, but it's still something that

as a developer, if you're using these tools, you have to be more aware of and definitely

review the code before you just blindly use it.

For sites like Stack Overflow or such that you often end up with, if you're just Googling for a code,

it has been shown that many, many of the samples are insecure, are containing vulnerabilities

like Segal Injection, or may enough in my little test.

I didn't end up with a Stack Overflow sample, but one other caveat here is I actually tried

...