What's in a Package? Getting Visibility Into Dependencies Using Security-Sensitive API Calls
Imranur Rahman, Ranidya Paramitha, Henrik Plate, Dominik Wermke, Laurie Williams

TL;DR
This paper introduces a methodology to identify security-sensitive APIs in software dependencies to help developers assess potential security risks before choosing dependencies.
Contribution
The study presents a novel call graph analysis approach to construct a security-sensitive API list for ecosystems, aiding security-aware dependency selection.
Findings
Over half of developers would consider security-sensitive API info in dependency choices.
The methodology effectively identifies security-sensitive APIs in Java packages.
Developers perceive security-sensitive API info as valuable for risk assessment.
Abstract
Knowing what sensitive resources a dependency could potentially access would help developers assess the risk of a dependency before selection. One way to get an understanding of the potential sensitive resource usage by a dependency is using security-sensitive APIs, i.e., the APIs that provide access to security-sensitive resources in a system, e.g., the filesystem or network resources. However, the lack of tools or research providing visibility into potential sensitive resource usage of dependencies makes it hard for developers to use this as a factor in their dependency selection process. The goal of this study is to aid developers in assessing the security risks of their dependencies by identifying security-sensitive APIs in packages through call graph analysis. In this study, we present a novel methodology to construct a security-sensitive API list for an ecosystem to better…
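A minimal illustration of the reachability idea the abstract describes, added here as an example and not the paper's own tooling: walk a package's call graph from its public entry points and report which security-sensitive APIs, grouped by the resource they expose, can be reached. The call graph, the package name com.example.util and the sensitive-API list are all constructed for this example.

```python
from collections import deque

# Constructed security-sensitive API list, keyed by the resource each exposes.
# A real list would be derived per ecosystem, as the paper describes.
SENSITIVE_APIS = {
    "java.io.FileInputStream.<init>": "filesystem",
    "java.io.FileOutputStream.<init>": "filesystem",
    "java.net.Socket.<init>": "network",
    "java.net.URL.openConnection": "network",
    "java.lang.Runtime.exec": "process",
}

# Constructed call graph (caller -> callees) for a hypothetical package.
CALL_GRAPH = {
    "com.example.util.Config.load": ["com.example.util.Config.readFile"],
    "com.example.util.Config.readFile": ["java.io.FileInputStream.<init>"],
    "com.example.util.Fetcher.fetch": ["com.example.util.Http.get"],
    "com.example.util.Http.get": ["java.net.URL.openConnection"],
    "com.example.util.Text.trim": [],
    "com.example.util.Shell.run": ["java.lang.Runtime.exec"],  # no public caller below
}

def reachable_sensitive_apis(graph, entry_points, sensitive=SENSITIVE_APIS):
    """Breadth-first walk from each public entry point over the call graph.
    Returns {entry_point: {resource: sorted sensitive APIs reached}}."""
    report = {}
    for entry in entry_points:
        seen, queue, hits = {entry}, deque([entry]), {}
        while queue:
            node = queue.popleft()
            if node in sensitive:
                hits.setdefault(sensitive[node], set()).add(node)
            for callee in graph.get(node, []):
                if callee not in seen:
                    seen.add(callee)
                    queue.append(callee)
        report[entry] = {res: sorted(apis) for res, apis in hits.items()}
    return report

def package_resources(report):
    """Resource categories the package can reach through any entry point:
    the coarse view a developer comparing candidate dependencies wants first."""
    return sorted({res for hits in report.values() for res in hits})

if __name__ == "__main__":
    entries = ["com.example.util.Config.load", "com.example.util.Fetcher.fetch",
               "com.example.util.Text.trim"]
    rep = reachable_sensitive_apis(CALL_GRAPH, entries)
    for ep, hits in rep.items():
        print(ep, "->", hits or "no sensitive APIs reached")
    print("package can touch:", package_resources(rep))
```

Unreachable code such as the constructed `Shell.run` shows why entry-point reachability, rather than a plain grep for sensitive API names, is needed to avoid over-reporting.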
Taxonomy
Topics: Software Engineering Research · Information and Cyber Security · Advanced Malware Detection Techniques
