Are Third-Party Libraries Secure? A Software Library Checker for Java

  • Fabien Patrick Viertel
  • Fabian Kortum
  • Leif Wagner
  • Kurt Schneider
Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 11391)

Abstract

Nowadays, there are many software libraries for different purposes that are used by various projects. An application is only as secure as its weakest component; thus, if an imported library contains a vulnerability, the application can become insecure as well. A thorough search for known security flaws within the libraries in use is therefore necessary. Large databases such as the National Vulnerability Database (NVD) collect reported security incidents and can be used to determine whether a software library is secure or not. Performing this classification by hand, however, is a very time-consuming and exhausting task.

We have developed a tool-based, automated approach that supports developers in this complex task through heuristics embedded in an Eclipse plugin. Documented vulnerabilities stored in databases are taken into account for the security classification of libraries. Since weaknesses do not all entail the same consequences, a scoring is applied that rates their criticality according to their potential consequences. In this paper, a method for enriching the knowledge contained in vulnerability databases is also considered.

Our approach focuses on software weaknesses that are caused by libraries and documented in vulnerability databases. The Java Library Checker was implemented as an Eclipse plugin that makes potentially insecure third-party libraries visible to developers.
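The abstract describes the core of the approach: map each third-party library a project uses onto the naming scheme of a vulnerability database, look up documented weaknesses for it, and rate the result by the criticality of the potential consequences. The following Java program is an added illustration of that pipeline, not the authors' plugin code. It assumes dependencies arrive as Maven coordinates (groupId, artifactId, version), binds them heuristically to CPE 2.3 formatted strings, matches them against an in-memory stand-in for an NVD feed, and buckets the highest matching CVSS base score into the CVSS v3.x qualitative severity scale. The vendor derivation from the groupId, the `CVE-0000-EXAMPLE*` identifiers, the product names and the scores are all constructed for the example.

```java
import java.util.ArrayList;
import java.util.List;
import java.util.Locale;

/**
 * Added illustration (not the paper's code): a heuristic check of Maven-style
 * dependency coordinates against an in-memory stand-in for an NVD/CPE feed.
 * Vendor names, CVE identifiers and scores are constructed for the example.
 */
public class LibraryChecker {

    /** A dependency as declared in a Maven POM (assumed input format). */
    record Library(String groupId, String artifactId, String version) {
        /** Heuristic CPE 2.3 formatted-string binding. Deriving the vendor from the last
         *  groupId segment is an assumption; a real checker needs a curated mapping. */
        String toCpe() {
            String[] segs = groupId.split("\\.");
            String vendor = segs[segs.length - 1].toLowerCase(Locale.ROOT);
            return "cpe:2.3:a:" + vendor + ":" + artifactId.toLowerCase(Locale.ROOT)
                    + ":" + version + ":*:*:*:*:*:*:*";
        }
    }

    /** One database record: affected vendor/product, version range [start, end), CVSS base score. */
    record Vulnerability(String id, String vendor, String product,
                         String versionStartIncluding, String versionEndExcluding,
                         double cvssBaseScore) {
        boolean affects(Library lib) {
            // CPE fields: cpe, 2.3, part, vendor, product, version, ...
            String[] cpe = lib.toCpe().split(":");
            if (!cpe[3].equals(vendor) || !cpe[4].equals(product)) return false;
            return compareVersions(cpe[5], versionStartIncluding) >= 0
                    && compareVersions(cpe[5], versionEndExcluding) < 0;
        }
    }

    /** Result for one library: the highest severity found and every matching record id. */
    record Finding(Library library, String severity, double maxScore, List<String> matchedIds) {}

    /** Dotted numeric version comparison; missing components count as 0, trailing text is ignored. */
    static int compareVersions(String a, String b) {
        String[] pa = a.split("\\."), pb = b.split("\\.");
        int n = Math.max(pa.length, pb.length);
        for (int i = 0; i < n; i++) {
            int x = i < pa.length ? leadingInt(pa[i]) : 0;
            int y = i < pb.length ? leadingInt(pb[i]) : 0;
            if (x != y) return Integer.compare(x, y);
        }
        return 0;
    }

    private static int leadingInt(String s) {
        int end = 0;
        while (end < s.length() && Character.isDigit(s.charAt(end))) end++;
        return end == 0 ? 0 : Integer.parseInt(s.substring(0, end));
    }

    /** CVSS v3.x qualitative severity rating for a base score. */
    static String severity(double score) {
        if (score >= 9.0) return "CRITICAL";
        if (score >= 7.0) return "HIGH";
        if (score >= 4.0) return "MEDIUM";
        if (score > 0.0) return "LOW";
        return "NONE";
    }

    /** Classifies each library by its worst matching record, or NONE when nothing matches. */
    static List<Finding> check(List<Library> libraries, List<Vulnerability> database) {
        List<Finding> findings = new ArrayList<>();
        for (Library lib : libraries) {
            double max = 0.0;
            List<String> ids = new ArrayList<>();
            for (Vulnerability v : database) {
                if (v.affects(lib)) {
                    ids.add(v.id());
                    max = Math.max(max, v.cvssBaseScore());
                }
            }
            findings.add(new Finding(lib, severity(max), max, ids));
        }
        return findings;
    }

    public static void main(String[] args) {
        // Constructed stand-in for vulnerability database entries (not real CVEs).
        List<Vulnerability> db = List.of(
                new Vulnerability("CVE-0000-EXAMPLE1", "examplecorp", "json-tools", "1.0.0", "1.4.2", 9.8),
                new Vulnerability("CVE-0000-EXAMPLE2", "examplecorp", "json-tools", "1.4.0", "1.5.0", 5.3),
                new Vulnerability("CVE-0000-EXAMPLE3", "acme", "http-client", "2.0", "2.1", 7.5));
        // Constructed dependencies as a POM would declare them.
        List<Library> libs = List.of(
                new Library("com.examplecorp", "json-tools", "1.4.1"),
                new Library("org.acme", "http-client", "2.0.5"),
                new Library("org.acme", "http-client", "2.1.0"));
        for (Finding f : check(libs, db)) {
            System.out.printf("%-48s %-8s %4.1f %s%n",
                    f.library().toCpe(), f.severity(), f.maxScore(), f.matchedIds());
        }
    }
}
```

With the constructed data, `json-tools 1.4.1` matches two records and is rated by the higher score (CRITICAL), `http-client 2.0.5` falls inside the affected range (HIGH), and `http-client 2.1.0` sits exactly at the exclusive upper bound and is reported with no known weaknesses. The heuristic vendor mapping is the weak point a practitioner should check first: a library whose groupId does not resolve to the vendor name used in the database produces a silent false negative, which is why curated CPE mappings matter for this kind of checker.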

Keywords

Software library, Vulnerability database, Metadata

Copyright information

© Springer Nature Switzerland AG 2019

Authors and Affiliations

  • Fabien Patrick Viertel (1)
  • Fabian Kortum (1)
  • Leif Wagner (1)
  • Kurt Schneider (1)

  1. Software Engineering Group, Leibniz Universität Hannover, Hannover, Germany