
Research on the Supply Chain Security Risk Assessment Methods for Mixed Source Operating System (cited by: 1)
Abstract: At present, software supply chain security incidents occur frequently, and conducting security risk assessments can identify potential risks. This is an important method to manage security risks and prevent security incidents. As the core foundational software of information systems, the mixed source operating system (MSOS) is widely used in government, power, finance, communication and other important fields, and its supply chain security risk has drawn close attention in the industry. Because MSOS has diverse code sources, a large code base, and complex structure and component dependencies, existing software supply chain security risk assessment methods are incomplete, and their assessment indicators are not fully applicable to MSOS. To address this issue, the article proposes traceability, availability and security as assurance objectives for supply chain security. Based on these assurance objectives, the risk factors affecting the supply chain security of MSOS are analyzed, and a measurable indicator system is designed to evaluate its security risk. The effectiveness of the indicator system is verified through examples, and some relevant technical means and tools that can be used to evaluate important indicators are summarized and elaborated.
Authors: ZHAO Jun; REN Yi; LI Bao; TAN Yusong (College of Computer Science and Technology, National University of Defense Technology, Changsha 410073, China)
Source: Netinfo Security (《信息网络安全》), CSCD, Peking University Core Journal, 2023, Issue 5, pp. 50-61 (12 pages)
Funding: National Natural Science Foundation of China [U19A2060].
Keywords: mixed source; operating system; security of supply chain; risk factors