Software Supply Chain Risk Assessment Methods Based on the Entire Lifecycle
Abstract: With the evolution of software development models, software supply chain risk assessment has become an important issue that urgently needs to be addressed. Based on an analysis of assets, threats, and vulnerabilities, this article establishes open source and closed source risk indicator systems for each stage of the software supply chain lifecycle and uses the fuzzy comprehensive evaluation method to determine the risk level, so that potential security threats can be effectively identified and managed. The indicator systems of the different lifecycle stages can be recombined to obtain an indicator system for the lifecycle of a mixed source software supply chain, which enables risk assessment of mixed source software supply chains. The method is suitable for risk analysis and evaluation of open source, closed source, and mixed source software supply chains, and is a comprehensive evaluation method that combines qualitative and quantitative analysis. Its effectiveness is verified through a worked example, and it provides a new theoretical method for software supply chain risk assessment.
Authors: GUO Chen (郭臣); LIU Jinfang (刘金芳); LI Jiayu (李嘉宇) (China Cybersecurity Review, Certification and Market Regulation Big Data Center, Beijing, 100013; School of Mathematics and Statistics, Nanjing University of Science and Technology, Nanjing, Jiangsu, 210094)
Source: Journal of Nanjing University of Science and Technology: Social Sciences (《南京理工大学学报(社会科学版)》), 2024, Issue 4, pp. 27-35 (9 pages)
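Funding: China Cybersecurity Review Technology and Certification Center project "Research on Security Risk Analysis Methods for Domestic and International Software Supply Chains" (1234031300908).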
Keywords: lifecycle; software supply chain; indicator system; fuzzy comprehensive evaluation method