1.浙江大学计算机科学与技术学院;2.浙江大学滨江研究院;3.中国科学院软件研究所;4.上海华为技术有限公司;5.浙江大学
Zhejiang University
随着近年来开源软件的蓬勃发展, 现代化软件的开发和供应模式极大地促进开源软件自身的快速迭代和演进, 也提高了社会效益. 新兴的开源协作的软件开发模式使得软件开发供应流程由较为单一的线条转变为复杂的网络形态. 在盘根错节的开源软件供应关系中, 总体安全风险趋势显著上升, 日益受到学术界和产业界的重视.本文总结了开源软件供应链的关键环节, 基于近10年的攻击事件总结了开源软件供应链的威胁模型和安全趋势, 并通过对现有安全研究成果的调研分析, 从风险识别和加固防御两个方面总结了开源软件供应链安全的研究现状, 最后对开源软件供应链安全所面临的挑战和未来研究方向进行了展望和总结.
Software development is changing. Since the Internet allows far-flung development teams to collaboratively create software, open-source software supply chains are becoming more complex and sophisticated. This work tries to define the new open-source software supply chain model and presents a detailed survey of the security issues in the new open-source software supply chain architecture. Various emerging technologies, such as blockchain, machine learning (ML), and continuous fuzzing as solutions to the vulnerabilities in the open-source software supply chain have also been discussed. While many researchers and organizations are have already proposed new technologies and principles to handle the security issues in this area, proper and more effective solutions remain distant. There are new challenges and opportunities to secure the open-source software supply chain, which are also highlighted in this work.