invited-talk

How APIs Are Both the Illness and the Cure: The Software Heterogeneity Problem in Modern Web Applications

Author:

Jean YangAuthors Info & Claims

PLAS'20: Proceedings of the 15th Workshop on Programming Languages and Analysis for Security

Page 23

https://doi.org/10.1145/3411506.3417602

Published: 09 November 2020 Publication History

Get Access

Abstract

It is easier than ever before to build complex web applications that handle sensitive user data. At same time, regulatory shifts have made data breaches more costly than ever before.

While starting Akita, I discovered just how difficult it is for software teams to maintain an up-to-date picture of how sensitive data flows across complex applications. A major challenge is that modern web applications run across many heterogenous components, often communicating via remote procedure calls. Unfortunately, network calls subvert all known software analysis methods for the application layer---and using network tools alone do not yield the full picture. The result is that developers end up piecing the whole story together through reading code, logs, and documentation.

At Akita, we observed that network-based application programming interfaces (APIs) are both a root cause of what we call the Software Heterogeneity Problem---and also the key to the solution. The proliferation of APIs for both internal and external use, with the rise of service-oriented architectures and the growth of the API economy, have made it easy to quickly build applications that are amalgams of cross-service network calls. At the same time, there is consolidation around a handful of interface definition languages for web APIs. This makes it possible for us to address the Software Heterogeneity problem by applying programming languages techniques at the API layer.

In this talk, I will introduce the Software Heterogeneity Problem and its consequences, demonstrate one way to tackle it at the API layer, and outline API-level security problems I believe we can solve as a community.

Index Terms

How APIs Are Both the Illness and the Cure: The Software Heterogeneity Problem in Modern Web Applications
1. Security and privacy
  1. Software and application security
    1. Software security engineering

Recommendations

Design patterns for annotation-based APIs
SugarLoafPLoP '16: Proceedings of the 11th Latin-American Conference on Pattern Languages of Programming

With the introduction of code annotations in popular languages like Java and C#, several frameworks and platforms adopted a metadata-based API (Application Programming Interface). By using this approach, instead of extending classes, implementing ...
Blindspots in Python and Java APIs Result in Vulnerable Code
Blindspots in APIs can cause software engineers to introduce vulnerabilities, but such blindspots are, unfortunately, common. We study the effect APIs with blindspots have on developers in two languages by replicating a 109-developer, 24-Java-API ...
Analyzing the Eclipse API Usage: Putting the Developer in the Loop
CSMR '13: Proceedings of the 2013 17th European Conference on Software Maintenance and Reengineering

Eclipse guidelines distinguish between two types of interfaces provided to third-party developers, i.e., APIs and non-APIs. APIs are stable and supported, while non-APIs are unstable, unsupported and discouraged as they are subject to arbitrary change ...

Comments

Information & Contributors

Information

Published In

PLAS'20: Proceedings of the 15th Workshop on Programming Languages and Analysis for Security

November 2020

46 pages

ISBN:9781450380928

DOI:10.1145/3411506

Program Chairs:
Alley Stoughton
Boston University, USA
,
Marco Vassena
CISPA, Germany

Permission to make digital or hard copies of part or all of this work for personal or classroom use is granted without fee provided that copies are not made or distributed for profit or commercial advantage and that copies bear this notice and the full citation on the first page. Copyrights for third-party components of this work must be honored. For all other uses, contact the Owner/Author.

Publisher

Association for Computing Machinery

New York, NY, United States

Publication History

Published: 09 November 2020

Check for updates

Author Tags

Qualifiers

Invited-talk

Conference

CCS '20

Sponsor:

SIGSAC

CCS '20: 2020 ACM SIGSAC Conference on Computer and Communications Security

November 13, 2020

Virtual Event, USA

Contributors

Other Metrics

View Article Metrics

Bibliometrics & Citations

Bibliometrics

Article Metrics

0
Total Citations
87
Total Downloads

Downloads (Last 12 months)11
Downloads (Last 6 weeks)1

Reflects downloads up to 08 Mar 2025

Other Metrics

View Author Metrics

Citations

View Options

Login options

Check if you have access through your login credentials or your institution to get full access on this article.

Full Access

Get this Publication

View options

PDF

View or Download as a PDF file.

PDF

eReader

View online with eReader.

eReader

Abstract

Index Terms

Recommendations

Design patterns for annotation-based APIs

Blindspots in Python and Java APIs Result in Vulnerable Code

Analyzing the Eclipse API Usage: Putting the Developer in the Loop

Comments

Information

Published In

Sponsors

Publisher

Publication History

Check for updates

Author Tags

Qualifiers

Conference

Contributors

Other Metrics

Bibliometrics

Article Metrics

Other Metrics

Citations

Login options

Full Access

View options

PDF

eReader

Share

Share this Publication link

Share on social media

Affiliations