Open Source and API Security

Research | Baljeet Malhotra | June 27, 2019

Open Source Software and Web APIs have become an important part of our digital world. Many Open Source projects provide various business and technical functionalities through APIs. These APIs, usually publicly available through the Web, have added another dimension to cyber security. Besides their obvious benefits of transparency and openness, Open Source solutions face greater security challenges. Because of their inherently open nature, i.e., the public availability of Web APIs and source code, which eases the detection and exploitation of security vulnerabilities, Open Source solutions are more exposed to cyber-attacks. The National Vulnerability Database (NVD) is a reliable source for finding vulnerabilities in Open Source. Unfortunately, many vulnerabilities never make it to the NVD, a matter of concern that we addressed in our previous research: https://www.computer.org/csdl/proceedings-article/pst/2018/08514187/17D45XvMce9

The recent exploitation of a vulnerability (CVE-2017-5638) in Apache Struts reminds us of the severe consequences that enterprises (as well as individuals) can face from Open Source solutions. As various Open Source solutions expand to different industries and markets, the timely discovery and mitigation of publicly known vulnerabilities has become increasingly important. Unfortunately, the security experts who often discover these vulnerabilities (with the intention of mitigating the risks) are finding it extremely difficult to analyze them. For instance, to determine threat levels and exploitability factors, security experts are often required to determine: (1) access/authentication complexity, (2) the confidentiality, integrity and availability impacts of a vulnerability, and (3) numerical scores that quantify the items mentioned in (1) and (2). One of the several vulnerability assessment methodologies in use, CVSS, is documented here: https://nvd.nist.gov/vuln-metrics/cvss

Overall, vulnerability analysis is a time-consuming task, which ironically must be done in a time-sensitive manner without compromising the essential steps of analysis that are needed to mitigate the risks effectively. Unfortunately, this situation is becoming worse due to the increasing number of vulnerabilities being discovered (recall Figure 1 again). On a given day, security experts end up analyzing tens of vulnerabilities (discovered within the millions of Open Source Software packages and APIs that are publicly available) to make the consumers of the affected Open Source Software and APIs more secure and compliant. In this context, we are using cutting-edge Artificial Intelligence (AI) solutions to help security experts conduct API security assessments and vulnerability analysis at large scale while remaining timely and accurate. It will be not only time-effective but also cost-effective if machines powered by AI solutions can do such analysis independently and automatically.

Do you want to know more about our cutting-edge AI-driven solutions or want to get involved in our research projects? Contact us for more details.