
Survey on Open-source Software Supply Chain Security (开源软件供应链安全研究综述)

Cited by: 19
Abstract: In recent years, the vigorous development of open-source software, together with modern software development and supply models, has greatly accelerated the iteration and evolution of open-source software itself and increased its social benefit. The emerging collaborative open-source development model has transformed the software development and supply process from a relatively linear chain into a complex network. Within these intertwined open-source supply relationships, the overall security risk trend has risen significantly and is drawing growing attention from both academia and industry. This work clarifies the key links of the open-source software supply chain and, based on attack incidents from the past ten years, summarizes its threat model and security trends. Through a survey and analysis of existing security research, it summarizes the state of research on open-source software supply chain security from two perspectives, risk identification and hardening and defense. Finally, it discusses the challenges facing open-source software supply chain security and outlines future research directions.
Authors: JI Shou-Ling (纪守领), WANG Qin-Ying (王琴应), CHEN An-Ying (陈安莹), ZHAO Bin-Bin (赵彬彬), YE Tong (叶童), ZHANG Xu-Hong (张旭鸿), WU Jing-Zheng (吴敬征), LI Yun (李昀), YIN Jian-Wei (尹建伟), WU Yan-Jun (武延军)
Affiliations: College of Computer Science and Technology, Zhejiang University, Hangzhou 310007, China; Binjiang Institute of Zhejiang University, Hangzhou 310053, China; Intelligent Software Research Center, Institute of Software, Chinese Academy of Sciences, Beijing 100190, China; Shanghai Huawei Technologies Co. Ltd., Shanghai 201206, China
Source: Journal of Software (软件学报), 2023, No. 3, pp. 1330-1364 (35 pages). Indexed in EI and CSCD; Peking University Core Journal.
Funding: National Natural Science Foundation of China (U1936215); Natural Science Foundation of Zhejiang Province (LR19F020003).
Keywords: open-source software supply chain; risk identification; risk management; security hardening
Citation metadata: 5 references; 37 secondary references; 105 co-citing documents; 86 co-cited documents; 19 citing documents; 11 secondary citing documents.
