A Methodology for Quantifying Risks from Web Services

In my previous blogs, I explored the challenges of managing Web Services in applications, including the ones that use Open Source. In this blog, I describe a methodology that our research team has developed to quantify the risks that come with using Web Services that make calls to the various APIs available commercially and in the public domain for “free” usage.

Although the definition of “free” is subjective, every API comes with a set of obligations, which are typically documented in various (legally binding) agreements (for example, Terms of Service, Developer Agreement, Privacy Statement) that govern the usage of the API and its underlying data and functionality. According to our research, there are essentially four key factors that affect the governance of API usage.

Some Key Factors in Governance

Arguably, a large number of agreements means more legal and/or technical requirements that could enforce various constraints on the usage of an API (factor 1). The larger the size of the agreement, the more time consuming it is to conduct the due diligence needed for using an API (factor 2). Furthermore, the more often agreements change, the more frequently due diligence might be needed to re-evaluate the usage of an API (factor 3). Finally, understanding the natural language of the agreements is important for using an API in a clear and compliant way (factor 4).

Importance of Natural Language Processing

Natural language processing is a non-trivial problem and still an active area of research. Fortunately, various computational techniques are available that can be used (with a varying degree of accuracy) for extracting the semantic meanings of agreements written in natural language. Essentially, these techniques allow us to represent the semantic meanings (extracted from the statements written in natural language) through numerical values. These numerical values can then be used to quantify the risks that are associated with the usage of APIs.

Risk Quantification

The intuition here is that each statement poses some “risk” in terms of how the corresponding APIs must be used. Usually these risks are evaluated and decided by experts such as lawyers who have a good understanding of technical legal compliance issues in Intellectual Property matters. Table 1 summarizes some statements (from real-world API agreements) and their risks as assigned by our researchers/experts.

| # | Statement | Risk Level |
|---|-----------|------------|
| 1 | Your device may have sensors that provide information to assist in a better understanding of your location. For example, an accelerometer can be used to determine things like speed, or a gyroscope to figure out direction of travel. | Low |
| 2 | The IP address assigned to your device is used to send the data you requested back to your device. For example, if you have many different sharing options, enables sharing with others quickly and easily. | Low |
| 3 | We may share aggregated, non-personally identifiable information publicly. When lots of people start searching for something, it can provide very useful information about particular trends at that time. | Medium |
| 4 | We regularly review our compliance with our Privacy Policy. We also adhere to several self-regulatory frameworks, including the EU-US and Swiss-US Privacy Shield Frameworks. When we receive formal written complaints, we will contact the person who made the complaint to follow up. | Medium |
| 5 | Your domain administrator may be able to: view statistics regarding your account, like statistics regarding applications you install. | High |
| 6 | You grant us and our partners or sublicenses the right to use the name that you submit in connection with such content, if they choose. You acknowledge that (a) we have not tested or screened Third Party Content, (b) your use of any Third-Party Content is at your sole risk, and (c) Third Party Content may be subject to separate license terms as determined by the Third Party. | High |

Table 1

One key scalability challenge here is that there are thousands of APIs and hundreds of thousands of agreements that govern those APIs. Constantly tracking changes and quantifying risks is a non-trivial problem that cannot be solved by human experts alone, because of the scale involved. In this context, computational techniques for Natural Language Processing play an important role in assisting human experts such as lawyers, technical architects and developers.

Besides the four factors mentioned earlier, there are potentially many more factors that could contribute toward API risks, such as the reliability of an API provider, the country of origin of an API (and its underlying data) and others like them. All these factors can eventually be converted into numerical values to quantify their prospective risks. My purpose here is not to list all the possible factors, but to discuss some of them to explain the basics of a methodology that can potentially quantify the risks associated with APIs.
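As an added illustration (not Black Duck's implementation), the toy model below turns the three measurable governance factors (number of agreements, their size, and how often they change) and the expert-assigned statement risk levels of Table 1 into one numeric score per API, and uses a text fingerprint to flag when an agreement has changed and due diligence must be repeated. Every weight, cap and the Low/Medium/High mapping is an assumption made for the example; the sample agreement text is constructed.

```python
import hashlib
from dataclasses import dataclass

# Expert risk levels from Table 1 mapped to weights (assumed mapping).
RISK_WEIGHT = {"Low": 1, "Medium": 2, "High": 3}


@dataclass
class Agreement:
    name: str
    text: str              # full agreement text; its length is factor 2
    statement_risks: list  # expert labels per statement, as in Table 1
    changes_per_year: int  # observed revision rate, factor 3

    def fingerprint(self) -> str:
        # A different hash means the text changed, so the due diligence
        # done on the previous version no longer covers this API (factor 3).
        return hashlib.sha256(self.text.encode("utf-8")).hexdigest()

    def statement_score(self) -> float:
        # Mean expert-assigned risk scaled to 0..1 (all Low -> 1/3, all High -> 1).
        if not self.statement_risks:
            return 0.0
        total = sum(RISK_WEIGHT[level] for level in self.statement_risks)
        return total / (3 * len(self.statement_risks))


def needs_reevaluation(previous_fingerprint: str, agreement: Agreement) -> bool:
    """True when the stored fingerprint no longer matches the current text."""
    return previous_fingerprint != agreement.fingerprint()


def api_risk(agreements: list) -> float:
    """Composite 0..1 risk for one API. Caps and weights are assumptions."""
    if not agreements:
        return 0.0
    count_factor = min(len(agreements) / 5, 1.0)                   # factor 1
    words = sum(len(a.text.split()) for a in agreements)
    size_factor = min(words / 20000, 1.0)                          # factor 2
    churn_factor = min(max(a.changes_per_year for a in agreements) / 12, 1.0)  # factor 3
    content_factor = max(a.statement_score() for a in agreements)  # statement-level risk
    return (0.15 * count_factor + 0.15 * size_factor
            + 0.20 * churn_factor + 0.50 * content_factor)


# Constructed sample: one agreement carrying the six expert labels of Table 1.
TABLE_1_LEVELS = ["Low", "Low", "Medium", "Medium", "High", "High"]
SAMPLE = Agreement("privacy-statement",
                   "We may share aggregated, non-personally identifiable information publicly.",
                   TABLE_1_LEVELS, changes_per_year=2)
```

Storing the fingerprint alongside the last review date gives a cheap trigger for re-running the expert review only on agreements that actually changed.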

Black Duck Research is tracking 50,000+ web services, 25,000+ providers, 500+ categories of web services and 100,000+ agreements (including terms of service, privacy statements and legal acts) to implement the methodology described above. Furthermore, our state-of-the-art technology allows us to discover vulnerable libraries and SDKs that enable various APIs from various providers. Intuitively, usage of such vulnerable libraries and SDKs may lead to data security and/or privacy issues. The technologies and methodologies developed by our team at Black Duck Research allow customers to discover the usage of web services in their code base and to quantify and mitigate the risks in an efficient and cost-effective way. Email Black Duck Research to schedule a demo for a Web Services Management solution.
