Research on Risk Analysis of Opensource Software Supply Chain Security

Abstract

Abstract: Opensource software has become one of the most fundamental elements that support the operation of the digital society. It has also been penetrated to various industries and fields. As the opensource software supply chain becomes increasingly complex and diversified, the risks caused by security attacks on the opensource software supply chain are also intensified. This paper summarizes the current development of the opensource software supply chain ecosystem and the strategic layout of opensource software supply chain security in major countries. From the dimensions of development security, usage security, and operation security, this paper proposes an opensource software supply chain security risk analysis system. It identifies the major security risks currently faced by the opensource software supply chain. Besides, this paper constructs a security assurance model for the opensource software supply chain and offers countermeasures and suggestions for the security and development of China’s opensource software supply chain from the dimensions of supply chain phases, relevant entities, and safeguard measures.

Key words: network security, software security, opensource software, software supply chain, opensource software supply chain security

摘要： 开源软件已经成为支撑数字社会正常运转的最基本元素之一，渗透到各个行业和领域.随着开源软件供应链越发复杂多元，开源软件供应链安全攻击事件造成的危害也越发严重.梳理了开源软件供应链生态发展现状和世界主要国家开源软件供应链安全战略布局，从开源软件开发安全、使用安全和运营安全维度，提出了开源软件供应链安全风险分析体系，给出当前开源软件供应链面临的主要安全风险，构建了开源软件供应链安全保障模型，并从供应链环节、相关主体和保障措施3个维度提出我国开源软件供应链安全与发展对策建议.

关键词: 网络安全, 软件安全, 开源软件, 软件供应链, 开源软件供应链安全

CLC Number:

TP309

王江, 姜伟, 张璨, . 开源软件供应链安全风险分析研究[J]. 信息安全研究, 2024, 10(9): 862-.

References

参考文献
［1］纪守领, 王琴应, 陈安莹, 等. 开源软件供应链安全研究综述［J］. 软件学报, 2023, 34(3): 13301364［2］Synopsys. 2024年开源安全和风险分析报告［EBOL］. ［20240610］. https:www.synopsys.comzhcnsoftwareintegrityresourcesanalystreportsopensourcesecurityriskanalysis.html［3］袁豪杰, 赵冉, 唐刚. 面向开源软件的安全风险分析与防范［J］. 信息安全与通信保密, 2023 (2): 125134［4］GitHub. Octoverse: The state of open source and rise of AI in 2023［EBOL］. ［20240610］. https:github.blog20231108thestateofopensourceandai［5］Gitee. 2023中国开源开发者报告［EBOL］. ［20240610］. https:talk.gitee.comreportchinaopensource2023annualreport.pdf［6］The Linux Foundation. Annual Report 2023 Rising Tides of Open Source［EBOL］. ［20240610］. https:www.linuxfoundation.orghubfsReports2023_lf_annual_report_122123a.pdf［7］Apache Software Foundation. The Apache Software FoundationAnnual ReportFY2023［EBOL］. ［20240610］. https:apache.orgfoundationdocsFY2023Annual Report.pdf［8］董国伟. 从美行政令看软件供应链安全标准体系的构建［J］. 中国信息安全, 2022 (2): 8487［9］CCIA网安产业联盟. ICT供应链安全政策法规和标准研究［EBOL］. ［20240610］. https:mp.weixin.qq.comsREjvYcIy7wsLauAgsV23A［10］蒋艳, 赵冉, 张格. 国外开源软件安全治理模式研究及工作建议［J］. 中国信息安全, 2023 (3): 7679［11］新华网. 苹果APP遭恶意代码感染谁来守护信息安全?［EBOL］. ［20240610］. https:www.cac.gov.cn20150920c_1116618485.htm［12］新浪科技. 邮件披露1.28亿iOS用户受到了2015年的XcodeGhost恶意软件影响［EBOL］. ［20240610］. https:finance.sina.com.cntech20210508docikmyaawc 4085083.shtml［13］罗丹, 吴荣春. 国内开源软件的发展现状与风险分析［J］. 通信世界, 2022 (15): 3334［14］奇安信. 2023中国软件供应链安全分析报告［EBOL］. ［20240610］. https:www.qianxin.comthreatreportdetail?report_id=297［15］Cloudflare. 2023年度回顾［EBOL］. ［20240610］. https:blog.cloudflare.comzhcnradar2023yearinreviewzhcn［16］Synopsys. 2023年全球DevSecOps现状调查［EBOL］. ［20240610］. https:www.synopsys.comzhcnsoftwareintegrityresourcesanalystreportsstateofdevsecops.html［17］GitGuardian. The State of Secrets Sprawl 2024［EBOL］. ［20240610］. https:www.gitguardian.comfilesthestateofsecretssprawlreport2024［18］云计算开源产业联盟. 软件物料清单(SBOM)发展洞察报告(2023年)［R］. 北京: 云计算开源产业联盟, 2023

[1]	. Research on Risk Analysis and Countermeasures of Software Supply Chain in Critical Information Infrastructure [J]. Journal of Information Security Reserach, 2024, 10(9): 833-.
[2]	. Network Traffic Measurement Based on Multilayer Sketch in SDN [J]. Journal of Information Security Reserach, 2024, 10(9): 840-.
[3]	. Research Advance and Challenges of Fuzzing Techniques [J]. Journal of Information Security Reserach, 2024, 10(7): 668-.
[4]	. Intelligent Fuzzy Testing Method Based on Sequence Generative Adversarial Networks [J]. Journal of Information Security Reserach, 2024, 10(6): 490-.
[5]	. Design of Vulnerability Tracking and Disposal Platform Based on Fine Management of Massive Assets [J]. Journal of Information Security Reserach, 2024, 10(6): 568-.
[6]	. Research on Data Reuse Model of Classified Protection of Cybersecurity Based on Data Mining [J]. Journal of Information Security Reserach, 2024, 10(4): 353-.
[7]	. Research on Banking DAO Digital Security Operation System [J]. Journal of Information Security Reserach, 2024, 10(4): 360-.
[8]	. Analysis of Security Blind Area of Large LAN#br# #br# [J]. Journal of Information Security Reserach, 2024, 10(4): 335-.
[9]	. Research and Implementation of Intelligent Permission Management [J]. Journal of Information Security Reserach, 2024, 10(10): 912-.
[10]	. Security and Privacy Protection in 6G Network: A Survey [J]. Journal of Information Security Reserach, 2023, 9(9): 822-.
[11]	. Design of Network Security Protection System for Meteorological Big Data Cloud Platform [J]. Journal of Information Security Reserach, 2023, 9(7): 701-.
[12]	. Research on Network Security Governance and Response of Largescale AI Model [J]. Journal of Information Security Reserach, 2023, 9(6): 551-.
[13]	. Research on Active Defense Method of Network Security Under APT Organization Attack Behavior [J]. Journal of Information Security Reserach, 2023, 9(5): 423-.
[14]	. Research on Security Risk Response for Internet of Body Applications [J]. Journal of Information Security Reserach, 2023, 9(5): 433-.
[15]	. A Unified Model for Information Extraction in the Field of Network Security for Small Samples [J]. Journal of Information Security Reserach, 2023, 9(11): 1067-.