Software reuse cuts both ways: An empirical analysis of its relationship with security vulnerabilities

Gkortzis, Antonios; Feitosa, Daniel; Spinellis, Diomidis

doi:10.1016/j.jss.2020.110653

Cited by 41 publications

(21 citation statements)

References 34 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…Almost 40% of the build problems are related to missing dependencies, followed by compilation errors in 22% of the cases. Gkortzis et al [23] observe a very similar build failure rate (33.7%), with the same causes. Neitsch et al [24] analyze the build systems of 5 open-source multilanguage Ubuntu packages.…”

Section: Related Workmentioning

confidence: 65%

DUETS: A Dataset of Reproducible Pairs ofJava Library-Clients

Durieux,

Soto-Valero,

Baudry

2021

Preprint

View full text Add to dashboard Cite

Software engineering researchers look for software artifacts to study their characteristics or to evaluate new techniques. In this paper, we introduce DUETS, a new dataset of software libraries and their clients. This dataset can be exploited to gain many different insights, such as API usage, usage inputs, or novel observations about the test suites of clients and libraries. DUETS is meant to support both static and dynamic analysis. This means that the libraries and the clients compile correctly, they are executable and their test suites pass. The dataset is composed of open-source projects that have more than five stars on GitHub. The final dataset contains 395 libraries and 2,874 clients. Additionally, we provide the raw data that we use to create this dataset, such as 34,560 pom.xml files or the complete file list from 34,560 projects. This dataset can be used to study how libraries are used by their clients or as a list of software projects that successfully build. The client's test suite can be used as an additional verification step for code transformation techniques that modify the libraries.

show abstract

Section: Related Workmentioning

confidence: 65%

DUETS: A Dataset of Reproducible Pairs ofJava Library-Clients

Durieux,

Soto-Valero,

Baudry

2021

Preprint

View full text Add to dashboard Cite

show abstract

“…The effect of software reuse on security is investigated by Gkortzis et al in [2], who show empirical evidence of the relation between the size of a code base and its likelihood to contain some vulnerabilities. Recently, Soto-Valero et al conducted a large-scale study to assess the prevalence of bloated dependencies in the Maven ecosystem [1].…”

Section: Related Workmentioning

confidence: 99%

“…While automated dependency management simplifies software reuse, it may contribute to the phenomenon of software bloat [1]. As Gkortzis et al put it "code reuse cuts both ways", since "a system can become more secure by relying on mature dependencies, or more insecure by exposing a larger attack surface via exploitable dependencies" [2].…”

Section: Introductionmentioning

confidence: 99%

The Used, the Bloated, and the Vulnerable: Reducing the Attack Surface of an Industrial Application

Ponta¹,

Fischer²,

Plate³

et al. 2021

Preprint

View full text Add to dashboard Cite

Software reuse may result in software bloat when significant portions of application dependencies are effectively unused. Several tools exist to remove unused (byte)code from an application or its dependencies, thus producing smaller artifacts and, potentially, reducing the overall attack surface. In this paper we evaluate the ability of three debloating tools to distinguish which dependency classes are necessary for an application to function correctly from those that could be safely removed. To do so, we conduct a case study on a real-world commercial Java application.Our study shows that the tools we used were able to correctly identify a considerable amount of redundant code, which could be removed without altering the results of the existing application tests. One of the redundant classes turned out to be (formerly) vulnerable, confirming that this technique has the potential to be applied for hardening purposes. However, by manually reviewing the results of our experiments, we observed that none of the tools can handle a widely used default mechanism for dynamic class loading.

show abstract

“…The web application is protected within the developer's skill set, and therefore, they require to know about all the exploits and the approach to work around them. It can be challenging for small web applications and examine the web application for security vulnerabilities [5,6]. Vulnerabilities and attack detection processes are reported based on features' selection [7].…”

Section: Introductionmentioning

confidence: 99%

Web Security: Emerging Threats and Defense

Almutairi¹,

Mishra²,

Alshehri³

2022

Computer Systems Science and Engineering

View full text Add to dashboard Cite

Web applications have become a widely accepted method to support the internet for the past decade. Since they have been successfully installed in the business activities and there is a requirement of advanced functionalities, the configuration is growing and becoming more complicated. The growing demand and complexity also make these web applications a preferred target for intruders on the internet. Even with the support of security specialists, they remain highly problematic for the complexity of penetration and code reviewing methods. It requires considering different testing patterns in both codes reviewing and penetration testing. As a result, the number of hacked websites is increasing day by day. Most of these vulnerabilities also occur due to incorrect input validation and lack of result validation for lousy programming practices or coding errors. Vulnerability scanners for web applications can detect a few vulnerabilities in a dynamic approach. These are quite easy to use; however, these often miss out on some of the unique critical vulnerabilities in a different and static approach. Although these are time-consuming, they can find complex vulnerabilities and improve developer knowledge in coding and best practices. Many scanners choose both dynamic and static approaches, and the developers can select them based on their requirements and conditions. This research explores and provides details of SQL injection, operating system command injection, path traversal, and cross-site scripting vulnerabilities through dynamic and static approaches. It also examines various security measures in web applications and selected five tools based on their features for scanning PHP, and JAVA code focuses on SQL injection, cross-site scripting, Path Traversal, operating system command. Moreover, this research discusses the approach of a cyber-security tester or a security developer finding out vulnerabilities through dynamic and static approaches using manual and automated web vulnerability scanners.

show abstract

Software reuse cuts both ways: An empirical analysis of its relationship with security vulnerabilities

Abstract: Take-down policy If you believe that this document breaches copyright please contact us providing details, and we will remove access to the work immediately and investigate your claim.

Cited by 41 publications

References 34 publications

DUETS: A Dataset of Reproducible Pairs ofJava Library-Clients

DUETS: A Dataset of Reproducible Pairs ofJava Library-Clients

The Used, the Bloated, and the Vulnerable: Reducing the Attack Surface of an Industrial Application

Web Security: Emerging Threats and Defense

Contact Info

Product

Resources

About