金融行业开源软件漏洞风险评估框架研究
|
摘要
在开源软件获得广泛使用的背景下,金融企业对于开源软件仍持有保守态度,主要原因在于对开源软件安全性的担忧。开源软件经常会有漏洞曝光,为了准确评估漏洞带来的风险,需要建立准确、客观、可操作的开源软件漏洞风险的评估框架。提出建立评估模型,并给出具体的实施方案。提出带有校验功能的信息获取方案和单漏洞风险评估攻击图算法。以两个CVE漏洞为例,验证了漏洞风险评估框架的可行性。
In the context of the widespread use of open source software,financial companies still hold a conservative attitude toward open source software,mainly because of concerns about the security of open source software. Open source software often exposes vulnerabilities. In order to accurately assess the risks posed by vulnerabilities,it is necessary to establish an accurate,objective,and operable framework for assessing vulnerability risks of open source software. The author established an evaluation model and gave specific implementation plans. The author also proposed an information acquisition method with a verification function and a single vulnerability risk assessment attack graph algorithm. Taking two CVE vulnerabilities as an example,the feasibility of the vulnerability assessment framework is verified.
In the context of the widespread use of open source software,financial companies still hold a conservative attitude toward open source software,mainly because of concerns about the security of open source software. Open source software often exposes vulnerabilities. In order to accurately assess the risks posed by vulnerabilities,it is necessary to establish an accurate,objective,and operable framework for assessing vulnerability risks of open source software. The author established an evaluation model and gave specific implementation plans. The author also proposed an information acquisition method with a verification function and a single vulnerability risk assessment attack graph algorithm. Taking two CVE vulnerabilities as an example,the feasibility of the vulnerability assessment framework is verified.
引文
[1]Alhazmi 0,Malaiya Y,Ray I.Security Vulnerabilities in Software Systems:A Quantitative Perspective[M]//Data and Applications Security XIX.Springer Berlin Heidelberg,2005:281-294.
[2]鲁刚,米士超,郭荣华.2015年信息安全漏洞研究综述P[J].信息安全与通信保密,2016(5):95-99.
[3]Sridhar S,Altinkemer K,Rees J.Software Vulnerabilities:Open Source versus Proprietary Software Security[C]//A Conference on A Human Scale.Americas Conference on Information Systems,Amcis 2005,Omaha,Nebraska,Usa,August.DBLP,2005:428.
[4]袁霖,王怀民,尹刚,等.开源软件自动化评估证据框架[J].计算机工程与科学,2013,35(2):137-141.
[5]吴世忠,郭涛,董国伟,等.软件漏洞分析技术进展[J].清华大学学报(自然科学版),2012,52(10):1309-1319.
[6]陈秀真,李建华.基于OVAL的新型漏洞评估系统[J].小型微型计算机系统,2007,28(9):1554-1557.
[7]Kayn ar K.A taxonomy for attack graph generation and usage in network security[J].Journal of Information Security and Applications,2016,29(C):27-56.
[8]杨波,于茜,张伟,等.GitHub开源软件开发过程中影响因素的相关性分析[J].软件学报,2017,28(6):1330-1342.
[9]单锦辉,姜瑛,孙萍.软件测试研究进展[J].北京大学学报(自然科学版),2005,41(1):134-145.
[10]方研,殷肖川,李景志.基于贝叶斯攻击图的网络安全量化评估研究[J].计算机应用研究,2013,30(9):2763-2766.
[11]吴迪,连一峰,陈恺,等.一种基于攻击图的安全威胁识别和分析方法[J].计算机学报,2012,35(9):1938-1950.
[12]叶子维,郭渊博,王宸东,等.攻击图技术应用研究综述[J].通信学报,2017,38(11):121-132.
[2]鲁刚,米士超,郭荣华.2015年信息安全漏洞研究综述P[J].信息安全与通信保密,2016(5):95-99.
[3]Sridhar S,Altinkemer K,Rees J.Software Vulnerabilities:Open Source versus Proprietary Software Security[C]//A Conference on A Human Scale.Americas Conference on Information Systems,Amcis 2005,Omaha,Nebraska,Usa,August.DBLP,2005:428.
[4]袁霖,王怀民,尹刚,等.开源软件自动化评估证据框架[J].计算机工程与科学,2013,35(2):137-141.
[5]吴世忠,郭涛,董国伟,等.软件漏洞分析技术进展[J].清华大学学报(自然科学版),2012,52(10):1309-1319.
[6]陈秀真,李建华.基于OVAL的新型漏洞评估系统[J].小型微型计算机系统,2007,28(9):1554-1557.
[7]Kayn ar K.A taxonomy for attack graph generation and usage in network security[J].Journal of Information Security and Applications,2016,29(C):27-56.
[8]杨波,于茜,张伟,等.GitHub开源软件开发过程中影响因素的相关性分析[J].软件学报,2017,28(6):1330-1342.
[9]单锦辉,姜瑛,孙萍.软件测试研究进展[J].北京大学学报(自然科学版),2005,41(1):134-145.
[10]方研,殷肖川,李景志.基于贝叶斯攻击图的网络安全量化评估研究[J].计算机应用研究,2013,30(9):2763-2766.
[11]吴迪,连一峰,陈恺,等.一种基于攻击图的安全威胁识别和分析方法[J].计算机学报,2012,35(9):1938-1950.
[12]叶子维,郭渊博,王宸东,等.攻击图技术应用研究综述[J].通信学报,2017,38(11):121-132.