
So ever since we got certified, every time some code from stackoverflow is shown the ISO 27001 argument comes up "we can't copy code".

As a dev, I have to say not allowing code from stackoverflow is insane and nobody listens to that anyway because stackoverflow is literally for solving coding issues.

What's your take as a professional on this? How far is it permitted to copy code from stackoverflow?

Can we copy when we give credit? Do I put a link over each code snippet I copied?

Thanks for the help, in my company everyone and their aunt has their own interpretation of this and the result is, bosses are too scared so the official order is not to allow it.

Edit: We don't use any external repositories. Framework is bought, libraries are either directly from companies (like the Oracle DB library) or built ourselves.

Edit 2: For example, I'd copy that piece of code, change some things around so it fits the actual use case, change the name so it fits, and put a link above it:
https://stackoverflow.com/a/2001462/4364057

  • What do you mean with "copy code" exactly? Is it like "copy without second thought in the hope that the code is correct" or "copy after understanding what the code does and that it is correct"? The first one is definitely a bad idea since there is enough wrong and insecure code on stackoverflow, even in accepted answers. Anyway, I think the question leads to primarily opinion-based answers and should be closed therefore. – Steffen Ullrich Aug 16 '18 at 08:44
  • Aside from ISO 27001, don't do it anyway. You could end up being the next [Nissan](https://www.theverge.com/tldr/2016/5/4/11593084/dont-get-busted-copying-code-from-stack-overflow) media sensation. Or you could [copy some bad code magically](https://security.stackexchange.com/q/39118). You should always read the answer, *transform* the answer into a different form (as much as practical, sometimes there's nothing to do), understand what it does, and then put it in your code. Always avoid direct copy-paste, do your own typing. – phyrfox Aug 16 '18 at 08:53
  • I'm generally talking about not blindly copy-pasting but understanding what's going on and deciding that it fits. I'll edit the question with an example. – Squirrelkiller Aug 16 '18 at 08:56
  • (3) I'm not entirely sure this question fits the site, first of all what you're asking is mostly opinion-based as mentioned by Steffen, not to mention as far as I can tell, what you're asking is "Should I copy code from SO?" which isn't even a security question. –  Aug 16 '18 at 08:59
  • (3) I agree with @Joshua.J. As the question currently is it cares more about how to properly credit this code which has nothing to do with security and also not with ISO 27001. This is more a legal question instead, try [law.se]. – Steffen Ullrich Aug 16 '18 at 09:04

1 Answer

I can hardly imagine an example of direct copy-paste from SO. I do see SO as a nice source for high quality code samples, and I have often used portions of code from SO answers, but then I have always slightly modified this code so that it smoothly integrates into mine: change variable names or formatting so that it respects my own coding standards, remove parts not relevant for my use case, add others. So it now becomes my code.

What is interesting in SO code is the patterns, the implementation ways, and the comments around the code. It makes sense that code-only answers are not well received. So blindly copying code is a poor usage of SO and hopefully is forbidden by your organization's rules.

Stephen King
Serge Ballesta