Saved in:
| Main Authors: | , , , , |
|---|---|
| Format: | Preprint |
| Published: |
2024
|
| Subjects: | |
| Online Access: | https://arxiv.org/abs/2408.02846 |
| Tags: |
Add Tag
No Tags, Be the first to tag this record!
|
Table of Contents:
- Knowing what sensitive resources a dependency could potentially access would help developers assess the risk of a dependency before selection. One way to get an understanding of the potential sensitive resource usage by a dependency is using security-sensitive APIs, i.e., the APIs that provide access to security-sensitive resources in a system, e.g., the filesystem or network resources. However, the lack of tools or research providing visibility into potential sensitive resource usage of dependencies makes it hard for developers to use this as a factor in their dependency selection process. The goal of this study is to aid developers in assessing the security risks of their dependencies by identifying security-sensitive APIs in packages through call graph analysis. In this study, we present a novel methodology to construct a security-sensitive API list for an ecosystem to better understand and assess packages before selecting them as a dependency. We implement the methodology in Java. We then compare the prevalence of security-sensitive APIs in functionally similar package groups to understand how different functionally similar packages could be in terms of security-sensitive APIs. We also conducted a developer survey (with 110 respondents) to understand developers' perceptions towards using security-sensitive API information in the dependency selection process. More than half of the developers would use security-sensitive API information in the dependency selection process if available. Finally, we advocate for incorporating security-sensitive API information into dependency management tools for easier access to the developers in the dependency selection process.