Security & Compliance Risks from Web Services in Open Source Projects

REST and SOAP based Web Services have become a new way of building and delivering software systems. In particular, mobile and cloud applications, social networking websites, and automated business processes are among the key technological drivers that are fueling the growth of RESTful APIs.

At Black Duck Research we are constantly evaluating the various ecosystems of Web Services that bring security and compliance risks. For instance, when a developer uses open source software for a set of business or technical functionalities, knowing which Web Services are embedded in that software is important from both a security and a compliance perspective. Open Source projects often "call" multiple Web Services in order to integrate with, or draw functionality from, software systems provided by other vendors. This is particularly true for Open Source projects that deal with mobile, cloud and social networking applications.

As I mentioned in my earlier post, the first challenge in managing Web Services related security and compliance risks is discovering the underlying Web Services embedded in software systems. If such services exist, it is important to be aware of them, keep them up to date, and evaluate them on an ongoing basis for compliance and security challenges.

As part of our research into the scale of Web Services related security and compliance risks that originate from Open Source projects, we analyzed several publicly available Open Source projects. One of these projects is Rocket.Chat, which was selected as a Black Duck Open Source Rookies of the Year – 2016. Rocket.Chat is a JavaScript based toolkit for group/helpdesk messaging and chat, video/voice calls and conferencing, and content/file sharing. It is a very active Open Source project with 280+ contributors and a history of 10,000+ commits. To enable integrations with different applications and platforms, it provides a web app interface, a cross-platform desktop client, and iOS and Android mobile apps.

I am mainly interested in evaluating this toolkit from the Web Services perspective. Table 1 below lists the Web Services (APIs) that we discovered in Rocket.Chat: the name of each API, its category, and the level of authentication it requires. The last column lists the legal documents that describe how the corresponding API may be used; typical examples are terms of service and privacy statements that govern the usage of the underlying data that come from the API.

| API Name | API Category | API Authentication | API Legal Agreements |
|---|---|---|---|
| Google Static Maps API | Mapping | API Key | https://developers.google.com/ad-exchange/buyer-rest/terms/ ; https://developers.google.com/maps/terms/ ; https://www.google.com/intl/en/privacy/ ; https://developers.google.com/site-terms/ |
| Matrix API | Messaging | Token | https://matrix.org/docs/guides/code_of_conduct.html ; https://matrix.org/docs/spec/appendices.html ; https://matrix.org/docs/spec/ |
| Facebook Messenger Bot API | Bots | Token | https://www.facebook.com/about/privacy/ ; https://www.facebook.com/help/cookies/ ; https://developers.facebook.com/policy/ |
| Zapier Status API | Tools | None | https://zapier.com/privacy/ ; https://zapier.com/terms/ |
| Blesta API | Financial | API Key | https://docs.blesta.com/display/user/Blesta+License ; https://www.atlassian.com/legal/privacy-policy/ |
| Google Street View Image API | Photos | | https://developers.google.com/maps/documentation/streetview/usage-limits ; https://developers.google.com/maps/terms/ |
| Google Directions API | Mapping | API Key | https://developers.google.com/maps/terms/ ; https://developers.google.com/maps/documentation/directions/policies |
| Travis CI API | Open Source | Unknown | https://docs.travis-ci.com/api#overview/ |
| H2O API | Tools | API Key | http://docs.h2o.ai/h2o/latest-stable/h2o-docs/welcome.html/ ; http://docs.h2o.ai/h2o/latest-stable/h2o-docs/welcome.html#api-users/ |
| Facebook Graph API | Social | OAuth | https://www.facebook.com/about/privacy/ ; https://www.facebook.com/terms/ |
| Rdio oEmbed API | Music | Unknown | http://embed.ly/legal |
| Google Time Zone API | Tools | None | https://developers.google.com/site-terms/ ; https://developers.google.com/maps/documentation/timezone/usage-limits |
| Google Maps Elevation API | Mapping | None | https://developers.google.com/maps/documentation/elevation/policies ; https://developers.google.com/maps/terms |
| Google Plus History API | Social | API Key, OAuth 2.0 | https://developers.google.com/terms/ |
| BoxBilling API | Financial | Basic Authentication over HTTP | http://www.boxbilling.com/privacy-policy ; http://www.boxbilling.com/tos ; http://docs.boxbilling.com/en/latest/reference/credits.html |
| Amazon S3 API | Storage | API Key | https://aws.amazon.com/s3/sla ; https://aws.amazon.com/terms/?nc1=f_pr ; https://aws.amazon.com/legal/?nc1=f_cc |
| Google Geocoding API | Mapping | API Key | https://developers.google.com/maps/documentation/geocoding/policies ; https://developers.google.com/site-policies ; https://developers.google.com/site-terms/ |
| Google Distance Matrix API | Mapping | | https://developers.google.com/maps/documentation/distance-matrix/usage-limits ; https://developers.google.com/maps/documentation/distance-matrix/policies |
| We Fact Hosting API | Hosting | Unspecified | https://www.wefact.com/wefact-hosting/terms-of-service/ ; https://www.wefact.com/wefact-hosting/security/ |

Table 1: A list of APIs (and other associated information) discovered in Rocket.Chat software.

Note in Table 1 that several of the APIs have multiple legal documents, and that these documents can evolve over time (in contrast to software licenses, which in general do not change), which can pose legal compliance challenges. Furthermore, the level of authentication required to access an API, and whether it is reached over a secured protocol (http vs. https), reveal something about the operational security of these APIs. Unfortunately, these pieces of information are not always readily available to consumers of APIs who need to make an informed decision, and the situation becomes worse as the number of APIs grows.
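As an added illustration of the discovery step described above (this is example code written for this page, not Black Duck's scanner and not Rocket.Chat's code), the following Python script builds an inventory of quoted http(s) endpoints found in a set of source files, groups them by host, and flags any host that is contacted over plain http. The source snippets and the hostnames inside them are constructed for the example.

```python
import re
from collections import defaultdict
from urllib.parse import urlparse

# Constructed sample source files (not real Rocket.Chat code) mimicking the
# kind of integration code in which embedded Web Service endpoints appear.
SAMPLE_SOURCE = {
    "app/lib/maps.js": """
const STATIC = 'https://maps.googleapis.com/maps/api/staticmap?key=' + apiKey;
const TZ = 'http://maps.googleapis.com/maps/api/timezone/json';
""",
    "app/lib/billing.js": """
fetch('http://billing.example.com/api/v1/invoices', {headers: basicAuth});
""",
    "app/lib/storage.js": """
const S3 = "https://s3.amazonaws.com/";
""",
}

# Quoted absolute http(s) URLs: requiring quotes skips URLs in comments and
# prose while still catching string literals handed to HTTP clients.
URL_RE = re.compile(r"""["'](https?://[^\s"'<>]+)["']""")


def discover_endpoints(sources):
    """Map each host to the schemes, files and URLs it was seen with."""
    inventory = defaultdict(lambda: {"schemes": set(), "files": set(), "urls": set()})
    for path, text in sources.items():
        for url in URL_RE.findall(text):
            parsed = urlparse(url)
            entry = inventory[parsed.hostname]
            entry["schemes"].add(parsed.scheme)
            entry["files"].add(path)
            entry["urls"].add(url)
    return dict(inventory)


def plaintext_hosts(inventory):
    """Hosts contacted over plain http anywhere in the tree: the transport
    signal the post singles out as an operational security concern."""
    return sorted(h for h, e in inventory.items() if "http" in e["schemes"])


def mixed_scheme_hosts(inventory):
    """Hosts used over both http and https, worth a second look because one
    call path bypasses TLS even though the service clearly supports it."""
    return sorted(h for h, e in inventory.items() if e["schemes"] == {"http", "https"})


if __name__ == "__main__":
    print("plain http hosts:", plaintext_hosts(discover_endpoints(SAMPLE_SOURCE)))
```

Pointing `discover_endpoints` at a real tree (read each file into the mapping) gives a first-pass inventory that can then be matched against the authentication and legal columns of a table like Table 1.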

Note that Rocket.Chat is just one example, used to demonstrate some of the security and legal challenges that come with the APIs embedded in a specific piece of software; we have analyzed hundreds of other Open Source projects to assess the larger ecosystem of APIs embedded in Open Source projects. Discovering APIs in a piece of software (in this example, Rocket.Chat) does not necessarily mean that the software relies on ANY of the discovered APIs for its basic functionality. It only means that the software provides the packages needed to consume those readily available APIs, which can be turned on or off through specific access control mechanisms. Nonetheless, it is important for consumers of such software to know what APIs are being provided, in order to better manage the compliance and security risks.

Did you know that Black Duck has scanning solutions that can automatically (programmatically) discover the underlying Web Services embedded in a given piece of software (be it Open Source or proprietary) and help in assessing the security and compliance risks that come with the usage of those Web Services (APIs)? Contact Black Duck Research for more details.
