Trusting the Big Friendly Giants : large-scale evaluation of dependencies on Finnish websites
Salovaara, Joonas (2018-06-18)
This publication is subject to copyright regulations. The work may be read and printed for personal use. Commercial use is prohibited.
Access: open
Permanent address of the publication:
https://urn.fi/URN:NBN:fi-fe2018070326751
Abstract
Software development companies compete with each other in cost-effectiveness, quality and speed of delivery, like any other business operating on the free market. To keep up with the competition, companies reuse code and implement common features with third-party tools and libraries.
Using third-party code can help in staying ahead of the competition, but it can also increase the attack surface of your application, cause loss of privacy and control, and increase the likelihood of information leaks.
In this thesis we define a new term, cross-domain, that is better suited for dependency control analysis, and we develop a dependency checker tool that can find the dependencies on a web page and the entities behind them. We also perform an empirical study in which we apply this tool to a corpus of ∼370,000 Finnish websites and analyze the results.
In the study we find that about half of the dependencies on Finnish websites are cross-domain and that almost 73% of the dependencies are controlled by entities registered in the United States. We also find that the cross-domain dependency landscape in Finland is dominated by the "Big Friendly Giants" Google and Facebook, and that this has a negative impact on the privacy and security of Finnish websites.
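The following is an added example, not the thesis's own checker, of how a dependency checker of the kind described above can be built: it parses a page for resource-loading tags, resolves each URL against the page, decides whether the dependency is cross-domain, and attributes it to a controlling entity. Everything in it is an assumption for illustration: the page URL and HTML are constructed, the domain-to-entity mapping is a small hand-made table, and "cross-domain" is approximated as "different registrable domain from the page", computed by keeping the last two host labels rather than consulting the Public Suffix List.

```python
"""Added example: find a page's resource dependencies and classify them as
same-domain or cross-domain, attributing cross-domain ones to an entity.
Not the thesis's tool; all inputs below are constructed for illustration."""
from collections import Counter
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Tag -> attribute whose value is fetched when the page loads.
DEP_ATTRS = {
    "script": "src", "img": "src", "iframe": "src", "source": "src",
    "embed": "src", "object": "data", "link": "href",
}
# A <link> only loads something for these rel values (canonical etc. do not).
FETCHING_LINK_RELS = {"stylesheet", "preload", "prefetch", "modulepreload", "icon"}

# Constructed, deliberately partial mapping of registrable domain -> entity.
ENTITY_BY_DOMAIN = {
    "google-analytics.com": "Google", "googletagmanager.com": "Google",
    "googleapis.com": "Google", "gstatic.com": "Google", "doubleclick.net": "Google",
    "facebook.net": "Facebook", "facebook.com": "Facebook",
}


def registrable_domain(host: str) -> str:
    """Approximate eTLD+1 by keeping the last two labels.
    ASSUMPTION: the public suffix is a single label (example.fi, google.com).
    A production checker should use the Public Suffix List (e.g. for co.uk)."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


class DependencyParser(HTMLParser):
    """Collect the absolute http(s) URL of every resource the page pulls in."""

    def __init__(self, base_url: str):
        super().__init__()
        self.base_url = base_url
        self.urls = []

    def handle_starttag(self, tag, attrs):
        attr = DEP_ATTRS.get(tag)
        if attr is None:
            return
        a = dict(attrs)
        if tag == "link":
            rels = set((a.get("rel") or "").lower().split())
            if not rels & FETCHING_LINK_RELS:
                return  # e.g. rel="canonical": metadata, nothing is fetched
        value = a.get(attr)
        if not value:
            return  # inline <script>/<style>: no external dependency
        url = urljoin(self.base_url, value.strip())  # handles /path and //host
        if urlsplit(url).scheme in ("http", "https"):  # skip data:, javascript:
            self.urls.append(url)


def classify(page_url: str, html: str):
    """Return (url, registrable_domain, is_cross_domain, entity) per dependency."""
    parser = DependencyParser(page_url)
    parser.feed(html)
    page_domain = registrable_domain(urlsplit(page_url).hostname or "")
    rows = []
    for url in parser.urls:
        dom = registrable_domain(urlsplit(url).hostname or "")
        rows.append((url, dom, dom != page_domain, ENTITY_BY_DOMAIN.get(dom, "unknown")))
    return rows


def summarize(rows):
    """Totals plus a per-entity breakdown of the cross-domain dependencies."""
    cross = [r for r in rows if r[2]]
    return {"total": len(rows), "cross_domain": len(cross),
            "by_entity": Counter(r[3] for r in cross)}


# Constructed sample page (hypothetical site example.fi).
PAGE_URL = "https://www.example.fi/etusivu"
SAMPLE_HTML = """<!doctype html><html><head>
<link rel="stylesheet" href="/static/site.css">
<link rel="canonical" href="https://www.example.fi/">
<script src="https://www.google-analytics.com/analytics.js"></script>
<script src="https://connect.facebook.net/fi_FI/sdk.js"></script>
<script src="https://cdn.example.fi/app.js"></script>
</head><body>
<img src="//static.example.fi/logo.png">
<img src="data:image/png;base64,iVBORw0KGgo=">
<iframe src="https://www.youtube.com/embed/abc"></iframe>
<script>console.log('inline, not a dependency')</script>
</body></html>"""

if __name__ == "__main__":
    rows = classify(PAGE_URL, SAMPLE_HTML)
    for url, dom, cross, entity in rows:
        print(f"{'CROSS' if cross else 'same ':5} {dom:22} {entity:9} {url}")
    print(summarize(rows))
```

Subdomains of the page's own registrable domain (cdn.example.fi, static.example.fi) are counted as same-domain, while connect.facebook.net is attributed to Facebook via the table; the YouTube embed lands in the "unknown" bucket, which is exactly the case an entity mapping must be extended to cover before figures like the 73% above can be produced at corpus scale.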
At the end of the thesis we present possible countermeasures that can alleviate the risks caused by third-party dependencies, and we note that these dependencies should be better understood and monitored, and their capabilities limited.