A Survey of Third-Party Library Security Research in Application Software
Jia Zeng, Dan Han, Yaling Zhu, Yangzhong Wang, Fangchen Weng

TL;DR
This survey reviews existing research on third-party library security in application software, highlighting detection, ecosystem understanding, and defense strategies to mitigate associated vulnerabilities and threats.
Contribution
It comprehensively summarizes current research achievements and future directions in third-party library security, aiding developers and researchers in improving software safety.
Findings
Third-party libraries pose significant security risks.
Detection tools assist in identifying third-party libraries.
Fortification defenses are crucial for mitigating vulnerabilities.
Abstract
In the current software development environment, third-party libraries play a crucial role. They provide developers with rich functionality and convenient solutions, speeding up the pace and efficiency of software development. However, with the widespread use of third-party libraries, associated security risks and potential vulnerabilities are increasingly apparent. Malicious attackers can exploit these vulnerabilities to infiltrate systems, execute unauthorized operations, or steal sensitive information, posing a severe threat to software security. Research on third-party libraries in software becomes paramount to address this growing security challenge. Numerous research findings exist regarding third-party libraries' usage, ecosystem, detection, and fortification defenses. Understanding the usage and ecosystem of third-party libraries helps developers comprehend the potential risks…
Taxonomy
Topics: Information and Cyber Security
