Details
| Field | Value |
|---|---|
| Original language | English |
| Title of host publication | Risks and Security of Internet and Systems - 13th International Conference, CRiSIS 2018, Revised Selected Papers |
| Subtitle of host publication | 13th International Conference, CRiSIS 2018, Arcachon, France, October 16–18, 2018, Revised Selected Papers |
| Editors | Akka Zemmari, Mohamed Mosbah, Nora Cuppens-Boulahia, Frédéric Cuppens |
| Pages | 18-34 |
| Number of pages | 17 |
| Edition | 1. |
| ISBN (electronic) | 978-3-030-12143-3 |
| Publication status | Published - 25 Jan 2019 |
| Event | 13th International Conference on Risks and Security of Internet and Systems, CRiSIS 2018 - Arcachon, France |
| Duration | 16 Oct 2018 → 18 Oct 2018 |
Publication series
| Field | Value |
|---|---|
| Name | Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics) |
| Volume | 11391 LNCS |
| ISSN (Print) | 0302-9743 |
| ISSN (electronic) | 1611-3349 |
Abstract
Nowadays, there are many software libraries for different purposes that are used by various projects. An application is only as secure as its weakest component; thus, if an imported library contains a vulnerability, the application could become insecure. Therefore, a broad search for known security flaws in the libraries in use is necessary. Large databases such as the National Vulnerability Database (NVD) collect reported vulnerabilities and can be used to determine whether a software library is secure or not. This classification is a very time-consuming and exhausting task. We have developed a tool-based automated approach that supports developers in this complex task through heuristics embedded in an Eclipse plugin. Documented vulnerabilities stored in databases are taken into consideration for the security classification of libraries. Weaknesses do not always entail the same consequences; therefore, a scoring that rates criticality according to their potential consequences is applied. In this paper, a method for enriching the knowledge contained in vulnerability databases is considered. Our approach focuses on software weaknesses that are caused by libraries and documented in vulnerability databases. The Java Library Checker was implemented as an Eclipse plugin that supports developers by making potentially insecure third-party libraries visible to them.
Keywords
- Metadata
- Software library
- Vulnerability database
ASJC Scopus subject areas
- Mathematics (all)
- Theoretical Computer Science
- Computer Science (all)
- General Computer Science
Cite this
Risks and Security of Internet and Systems - 13th International Conference, CRiSIS 2018, Revised Selected Papers: 13th International Conference, CRiSIS 2018, Arcachon, France, October 16–18, 2018, Revised Selected Papers. ed. / Akka Zemmari; Mohamed Mosbah; Nora Cuppens-Boulahia; Frédéric Cuppens. 1. ed. 2019. p. 18-34 (Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics); Vol. 11391 LNCS).
Research output: Chapter in book/report/conference proceeding › Conference contribution › Research › peer review
TY - GEN
T1 - Are Third-Party Libraries Secure?
T2 - 13th International Conference on Risks and Security of Internet and Systems, CRiSIS 2018
AU - Viertel, Fabien Patrick
AU - Kortum, Fabian
AU - Wagner, Leif
AU - Schneider, Kurt
N1 - © 2019 Springer Nature Switzerland AG
PY - 2019/1/25
Y1 - 2019/1/25
KW - Metadata
KW - Software library
KW - Vulnerability database
UR - http://www.scopus.com/inward/record.url?scp=85066090259&partnerID=8YFLogxK
U2 - 10.1007/978-3-030-12143-3_2
DO - 10.1007/978-3-030-12143-3_2
M3 - Conference contribution
AN - SCOPUS:85066090259
SN - 978-3-030-12142-6
T3 - Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics)
SP - 18
EP - 34
BT - Risks and Security of Internet and Systems - 13th International Conference, CRiSIS 2018, Revised Selected Papers
A2 - Zemmari, Akka
A2 - Mosbah, Mohamed
A2 - Cuppens-Boulahia, Nora
A2 - Cuppens, Frédéric
Y2 - 16 October 2018 through 18 October 2018
ER -