CN112434299A - Open source software security management method and device - Google Patents

Info

Publication number: CN112434299A
Application number: CN202011149935.8A
Authority: CN (China)
Prior art keywords: source software, open, open source, security, vulnerability
Legal status: Withdrawn (the legal status is an assumption and is not a legal conclusion; Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed)
Other languages: Chinese (zh)
Inventor: 邹小蔚
Current assignee: Suzhou Inspur Intelligent Technology Co Ltd (the listed assignees may be inaccurate; Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list)
Original assignee: Suzhou Inspur Intelligent Technology Co Ltd
Priority application: CN202011149935.8A

Classifications

    • G PHYSICS; G06 COMPUTING, CALCULATING OR COUNTING; G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/50 Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
    • G06F21/57 Certifying or maintaining trusted computer platforms, e.g. secure boots or power-downs, version controls, system software checks, secure updates or assessing vulnerabilities
    • G06F21/577 Assessing vulnerabilities and evaluating computer system security
    • G06F8/00 Arrangements for software engineering
    • G06F8/70 Software maintenance or management
    • G06F2221/00 Indexing scheme relating to security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F2221/03 Indexing scheme relating to G06F21/50, monitoring users, programs or devices to maintain the integrity of platforms
    • G06F2221/033 Test or assess software

Abstract

The invention discloses a method and an apparatus for the security management of open source software. The method comprises the following steps: retrieving whether the target open source software is listed in the open source library list and, in response to its not being listed, scanning the target open source software, generating a security report, and storing the target open source software and the security report in a temporary directory of the open source software repository; submitting a technical review application and carrying out a technical review of the target open source software; in response to the technical review passing, submitting a security review application for the target open source software, the security review setting a security label for the target open source software and transferring it from the temporary directory to the formal directory of the open source software repository; and monitoring the target open source software in real time and, in response to a vulnerability arising in it, changing the security label based on the level of the vulnerability and selectively initiating an emergency response. The method and apparatus can effectively control the introduction and use of open source software, identify its security state, and ensure that it is used securely and in compliance.

Description

Open source software security management method and device
Technical Field
The present invention relates to the field of security, and in particular, to a method and an apparatus for security management of open source software.
Background
Open source software is very popular in software research and development. It is open, freely obtainable and shared, and is widely favoured by domestic and foreign enterprises, commercial institutions, developers, universities and research institutions; it is often the first choice when a business application system is built, because it avoids repeated work and greatly improves development efficiency.
While open source software brings convenience to its users, its potential security issues deserve serious attention. First, there are compliance issues. Open source software has open source code, but open source is not the same as free: each piece of open source software carries a corresponding open source license agreement, of which several are in common use. The license agreement specifies the rules for using, modifying, sharing and distributing the software, and improper use or violation of those rules may carry legal liability. Part of open source software is also subject to export control: the software, or the foundation to which it belongs, may be restricted from providing services to outside parties, in which case it may not be used directly.
Second, there are security vulnerabilities. During the use of open source software, a number of security incidents have been caused by vulnerabilities in it: the Heartbleed vulnerability exposed a large number of private keys and other encrypted information across the global internet, a vulnerability in the Struts open source software led to the data breach at the US credit bureau Equifax, and the frequent server crypto-mining incidents caused by unauthorised Redis access are too numerous to list.
Finally, open source software may carry a risk of patent and intellectual property infringement: an open source contributor or user may apply for and be granted a patent on an item of open source software, or the software may embody a patent that is not explicitly disclosed, either of which presents the possibility of infringement. Although open source software carries many hidden dangers, most enterprises have not yet established effective security management measures, their ability to identify open source risks is weak, and security problems in the production environment are dealt with reactively after the fact.
For the problems of high security risk and difficult management of open source software in the prior art, no effective solution is currently available.
Disclosure of Invention
In view of this, an object of the embodiments of the present invention is to provide a method and an apparatus for the security management of open source software, which can effectively control the introduction and use of open source software, identify its security state, and ensure that it is used securely and in compliance.
Based on the above object, a first aspect of the embodiments of the present invention provides a method for the security management of open source software, comprising the following steps:
retrieving whether the target open source software is listed in the open source library list and, in response to its not being listed, scanning the target open source software, generating a security report, and storing the target open source software and the security report in a temporary directory of the open source software repository;
submitting a technical review application and carrying out a technical review of the target open source software;
in response to the technical review passing, submitting a security review application for the target open source software, the security review setting a security label for the target open source software and transferring it from the temporary directory to the formal directory of the open source software repository;
monitoring the target open source software in real time and, in response to a vulnerability arising in it, changing the security label based on the level of the vulnerability and selectively initiating an emergency response.
In some embodiments, the method further comprises: in response to the security report generated by scanning the target open source software containing security issues, resolving the security issues and rescanning the target open source software until the generated security report no longer contains security issues.
In some embodiments, the method further comprises: the technical review obtaining the target open source software from the temporary directory and passing the application in response to determining that the requirement for the target open source software is reasonable, that it satisfies the selection conditions, and that it satisfies the open source management requirements.
In some embodiments, the method further comprises: the security review obtaining the target open source software and the security report from the temporary directory and setting one of the following security labels for the target open source software based on the degree of compliance risk disclosed by the target open source software and the security report: preferred, non-preferred, forbidden.
In some embodiments, the method further comprises: issuing a notice and adding the target open source software to the open source library list when transferring it from the temporary directory to the formal directory of the open source software repository.
In some embodiments, changing the security label based on the level of the vulnerability comprises: adjusting the security label to forbidden in response to the vulnerability being a high-risk vulnerability, and adjusting the security label to non-preferred in response to the vulnerability being a medium- or low-risk vulnerability; selectively initiating an emergency response comprises: initiating an emergency response in response to the vulnerability being a high-risk vulnerability, and not initiating an emergency response in response to the vulnerability being a medium- or low-risk vulnerability.
In some embodiments, initiating the emergency response comprises: collecting the inventory of affected products and/or services and publishing a security bulletin, determining the vulnerability fix date, and determining the alternative open source software to use before the fix date.
A second aspect of an embodiment of the present invention provides an open source software security management apparatus, including:
a processor; and
a memory storing program code executable by the processor, the program code when executed performing the steps of:
retrieving whether the target open source software is listed in the open source library list and, in response to its not being listed, scanning the target open source software, generating a security report, and storing the target open source software and the security report in a temporary directory of the open source software repository;
submitting a technical review application and carrying out a technical review of the target open source software;
in response to the technical review passing, submitting a security review application for the target open source software, the security review setting a security label for the target open source software and transferring it from the temporary directory to the formal directory of the open source software repository;
monitoring the target open source software in real time and, in response to a vulnerability arising in it, changing the security label based on the level of the vulnerability and selectively initiating an emergency response.
In some embodiments, the steps further comprise: in response to the security report generated by scanning the target open source software containing a security issue, resolving the security issue and rescanning the target open source software until the generated security report no longer contains the security issue; and the technical review obtaining the target open source software from the temporary directory and passing the application in response to determining that the requirement for the target open source software is reasonable, that it satisfies the selection conditions, and that it satisfies the open source management requirements.
In some embodiments, changing the security label based on the level of the vulnerability comprises: adjusting the security label to forbidden in response to the vulnerability being a high-risk vulnerability, and adjusting the security label to non-preferred in response to the vulnerability being a medium- or low-risk vulnerability;
selectively initiating an emergency response comprises: initiating an emergency response in response to the vulnerability being a high-risk vulnerability, and not initiating an emergency response in response to the vulnerability being a medium- or low-risk vulnerability;
initiating an emergency response comprises: collecting the inventory of affected products and/or services and publishing a security bulletin, determining the vulnerability fix date, and determining the alternative open source software to use before the fix date.
The invention has the following beneficial technical effects. The open source software security management method and apparatus provided by the embodiments of the invention retrieve whether the target open source software is listed in the open source library list and, in response to its not being listed, scan the target open source software, generate a security report, and store the target open source software and the security report in a temporary directory of the open source software repository; submit a technical review application and carry out a technical review of the target open source software; in response to the technical review passing, submit a security review application for the target open source software, the security review setting a security label for it and transferring it from the temporary directory to the formal directory of the open source software repository; and monitor the target open source software in real time and, in response to a vulnerability arising in it, change the security label based on the level of the vulnerability and selectively initiate an emergency response. This technical scheme can effectively control the introduction and use of open source software, identify its security state, and ensure that it is used securely and in compliance.
Drawings
In order to more clearly illustrate the embodiments of the present invention or the technical solutions in the prior art, the drawings used in the description of the embodiments or the prior art will be briefly described below, it is obvious that the drawings in the following description are only some embodiments of the present invention, and for those skilled in the art, other drawings can be obtained according to the drawings without creative efforts.
FIG. 1 is a schematic flow chart of a security management method for open source software according to the present invention;
FIG. 2 is a schematic diagram of a platform architecture of the open-source software security management method according to the present invention;
FIG. 3 is a schematic diagram of a warehousing flow of the open-source software security management method provided by the present invention;
FIG. 4 is a schematic view of vulnerability management in the open-source software security management method provided by the present invention.
Detailed Description
In order to make the objects, technical solutions and advantages of the present invention more apparent, the following embodiments of the present invention are described in further detail with reference to the accompanying drawings.
It should be noted that all expressions using "first" and "second" in the embodiments of the present invention are used to distinguish two entities or parameters that share the same name but are not the same; "first" and "second" are merely for convenience of description and should not be construed as limiting the embodiments of the present invention, and this is not repeated in the following embodiments.
In view of the foregoing, a first aspect of the embodiments of the present invention provides an embodiment of a security management method for open source software that ensures its secure and compliant use. FIG. 1 is a schematic flow chart of the open-source software security management method provided by the present invention.
The open source software security management method, as shown in FIG. 1, comprises the following steps:
step S101, retrieving whether the target open source software is listed in the open source library list and, in response to its not being listed, scanning the target open source software, generating a security report, and storing the target open source software and the security report in a temporary directory of the open source software repository;
step S103, submitting a technical review application and carrying out a technical review of the target open source software;
step S105, in response to the technical review passing, submitting a security review application for the target open source software, the security review setting a security label for the target open source software and transferring it from the temporary directory to the formal directory of the open source software repository;
step S107, monitoring the target open source software in real time and, in response to a vulnerability arising in it, changing the security label based on the level of the vulnerability and selectively initiating an emergency response.
The invention manages the open source software used within an enterprise in a unified way by setting up an open source software library platform, and provides a set of security management methods for it: all open source software used in the enterprise must be selected from a secure and trusted internal open source software library; external open source software must go through a warehousing application in which risks are identified and resolved by tool scanning and manual review, so that the warehoused software is secure and reliable; usage guidance and risk advice are given for the different open source licenses during review; after warehousing, the security of the software in use is maintained through real-time monitoring and emergency response; and the security state of the software is identified by a security label. The risk brought by security problems in open source software is thereby effectively reduced.
It will be understood by those skilled in the art that all or part of the processes of the methods of the embodiments described above can be implemented by a computer program, which can be stored in a computer-readable storage medium, and when executed, can include the processes of the embodiments of the methods described above. The storage medium may be a magnetic disk, an optical disk, a read-only memory (ROM), a Random Access Memory (RAM), or the like. Embodiments of the computer program may achieve the same or similar effects as any of the preceding method embodiments to which it corresponds.
In some embodiments, the method further comprises: in response to the security report generated by scanning the target open source software containing security issues, resolving the security issues and rescanning the target open source software until the generated security report no longer contains security issues.
In some embodiments, the method further comprises: the technical review obtaining the target open source software from the temporary directory and passing the application in response to determining that the requirement for the target open source software is reasonable, that it satisfies the selection conditions, and that it satisfies the open source management requirements.
In some embodiments, the method further comprises: the security review obtaining the target open source software and the security report from the temporary directory and setting one of the following security labels for the target open source software based on the degree of compliance risk disclosed by the target open source software and the security report: preferred, non-preferred, forbidden.
In some embodiments, the method further comprises: issuing a notice and adding the target open source software to the open source library list when transferring it from the temporary directory to the formal directory of the open source software repository.
In some embodiments, changing the security label based on the level of the vulnerability comprises: adjusting the security label to forbidden in response to the vulnerability being a high-risk vulnerability, and adjusting the security label to non-preferred in response to the vulnerability being a medium- or low-risk vulnerability; selectively initiating an emergency response comprises: initiating an emergency response in response to the vulnerability being a high-risk vulnerability, and not initiating an emergency response in response to the vulnerability being a medium- or low-risk vulnerability.
In some embodiments, initiating the emergency response comprises: collecting the inventory of affected products and/or services and publishing a security bulletin, determining the vulnerability fix date, and determining the alternative open source software to use before the fix date.
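The warehousing flow of steps S101 to S105, with the rescan-until-clean refinement and the technical and security review gates, as an added Python example that is not part of the patent; the scanner stand-in, the software names, the link scheme and the risk-to-label mapping inside security_review are constructed assumptions, since the patent only names the three labels.

```python
"""Intake (warehousing) state machine for open source software, following steps S101-S105."""
from dataclasses import dataclass, field
from enum import Enum
from typing import Callable, Dict, List, Optional, Tuple, Union


class Label(str, Enum):
    PREFERRED = "preferred"
    NON_PREFERRED = "non-preferred"
    FORBIDDEN = "forbidden"


class Status(str, Enum):
    UNDER_REVIEW = "under review"
    WAREHOUSED = "warehoused"
    REJECTED = "rejected"


@dataclass
class Entry:
    """One open source software record (a subset of the query-page fields)."""
    name: str
    version: str
    findings: List[str]            # contents of the security report; empty means clean
    label: Optional[Label] = None
    status: Status = Status.UNDER_REVIEW


@dataclass
class Repository:
    library_list: Dict[str, str] = field(default_factory=dict)  # name -> download link
    temporary: Dict[str, Entry] = field(default_factory=dict)   # temporary directory
    formal: Dict[str, Entry] = field(default_factory=dict)      # formal directory
    notices: List[str] = field(default_factory=list)            # information publishing page


Scanner = Callable[[str, str], List[str]]   # (name, version) -> findings of one scan
Fixer = Callable[[str, List[str]], None]    # developer resolves the listed findings


class FakeScanner:
    """Constructed stand-in for a BlackDuck/FOSSID-style scan plus the developer clearing findings."""
    def __init__(self, findings: Dict[Tuple[str, str], List[str]]):
        self.findings = dict(findings)
        self.rounds = 0

    def scan(self, name: str, version: str) -> List[str]:
        self.rounds += 1
        return list(self.findings.get((name, version), []))

    def fix(self, name: str, resolved: List[str]) -> None:
        for key in list(self.findings):
            if key[0] == name:
                self.findings[key] = [f for f in self.findings[key] if f not in resolved]


def scan_until_clean(scanner: Scanner, fixer: Fixer, name: str, version: str,
                     max_rounds: int = 5) -> List[str]:
    """Resolve findings and rescan until the report is clean; bounded so it cannot loop forever."""
    for _ in range(max_rounds):
        findings = scanner(name, version)
        if not findings:
            return findings
        fixer(name, findings)
    raise RuntimeError(f"{name} {version}: findings remain after {max_rounds} scan rounds")


def stage(repo: Repository, scanner: Scanner, fixer: Fixer, name: str, version: str) -> Entry:
    """Step S101: scan, generate the report, store software and report in the temporary directory."""
    entry = Entry(name, version, scan_until_clean(scanner, fixer, name, version))
    repo.temporary[name] = entry
    return entry


def technical_review(requirement_reasonable: bool, selection_ok: bool, management_ok: bool) -> bool:
    """Step S103: the administrator passes the application only if all three conditions hold."""
    return requirement_reasonable and selection_ok and management_ok


def security_review(entry: Entry, compliance_risk: str) -> Label:
    """Step S105: label from the report and the disclosed compliance risk (assumed mapping)."""
    if entry.findings or compliance_risk == "high":
        return Label.FORBIDDEN
    if compliance_risk == "medium":
        return Label.NON_PREFERRED
    return Label.PREFERRED


def release(repo: Repository, entry: Entry, label: Label) -> None:
    """Move from the temporary to the formal directory, add to the list, publish the notice."""
    entry.label = label
    entry.status = Status.WAREHOUSED
    repo.formal[entry.name] = repo.temporary.pop(entry.name)
    repo.library_list[entry.name] = f"repo://{entry.name}/{entry.version}"  # constructed link scheme
    repo.notices.append(f"warehoused {entry.name} {entry.version} ({label.value})")


def request_software(repo: Repository, scanner: Scanner, fixer: Fixer, name: str, version: str,
                     review: Tuple[bool, bool, bool], compliance_risk: str) -> Union[str, Entry]:
    """Whole flow: listed software is simply downloaded; anything else goes through intake."""
    link = repo.library_list.get(name)
    if link is not None:
        return link
    entry = stage(repo, scanner, fixer, name, version)
    if not technical_review(*review):
        entry.status = Status.REJECTED     # stays staged with a rejected status (assumption)
        return entry
    release(repo, entry, security_review(entry, compliance_risk))
    return entry
```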
The following further illustrates embodiments of the invention in terms of specific examples.
First, an open source software library platform is built. Its architecture is shown in FIG. 2 and comprises the following components:
1) device layer
The hardware device resources are provided for the upper layer as the platform infrastructure, and the hardware device resources are located in the device layer of the whole architecture and comprise a physical server, a disk array storage device, a network communication device and the like.
2) Virtualization layer
The virtualization layer provides the platform's build environment on the basis of virtualization and container technology, for example establishing the open source software management platform on bare metal, on KVM/Xen/VMware virtual machines, or in Docker containers. It also includes the virtual resource pool formed by the virtualization technology and a centralized management and scheduling program for image/snapshot management, resource scheduling and host monitoring.
3) Persistent layer
The persistence layer establishes the open source software repository: a database storing open source software source code, binary packages and documentation, built with code management tools such as SVN/Git on a physical server, either directly on bare metal or in a virtual machine or container. Taking into account scalability, stability and network accessibility, a repository capacity of at least 3 TB is proposed, with space reserved for future expansion; the software repository is deployed in an active/standby HA configuration and its data is backed up periodically. The repository is organised by open source software category, provides download links externally with the corresponding permissions, and is accessible to all development staff by default.
4) Business layer
The processes for introducing and reviewing open source software are handled in the business layer. The warehousing approval process for open source software is customized on the basis of PLM/PDM or other software with a process approval function; it comprises two-stage approval (technical review and security review) and involves three roles:
Research and development: submits the warehousing application for open source software that needs to be introduced
Administrator: the main approver of the process, responsible for the technical review and for judging whether the requirement is reasonable, such as whether the information is wrong, whether the selection conditions are met, and whether the open source management requirements are met
Security: responsible for the security approval of the open source software and for examining its license compliance risk, usage restrictions, intellectual property risk, security vulnerabilities and the like
5) Presentation layer
It comprises two parts, a query page and an information publishing page:
a) query page
A Web query page is provided for developers to search for warehoused open source software. The query object is the software repository: search and filter conditions are shown at the top of the page and the result list below it; by default the list shows all warehoused open source software, and the list can be exported in Excel format. Each open source software entry comprises the following fields:
Software name, value: user input
Software introduction, value: user input
Software version, value: user input
Supported platform, value: Unix-like, Windows, Android, etc.
Software download link, value: address in the software repository or external link
Scan report, value: scan report generated by tools such as BlackDuck/FOSSID
Submitter, value: list of development staff
Submitter's department, value: all development departments
Warehousing time, value: calendar control
Warehousing status, value: under review, warehoused, rejected
Software category, value: predefined
Security label, value: preferred, non-preferred, forbidden
Country of origin, value: country name
Programming language, value: C/C++, Java, Python, Ruby, Go, etc.
License, value: GPL, BSD, Apache, MIT, etc.
Software form, value: source code, binary, etc.
b) Information publishing page
An embedded module of the Web page, or the home page of the information system, publishes announcements of open source software warehousing, version updates, vulnerability fixes and the like, providing real-time information on the open source library. It is maintained by the administrator, and the announcement scope covers at least all open source library users and maintainers.
Based on the established open source platform, software is first warehoused by the flow shown in fig. 2. The developer searches the query page for whether the target open source software is in the open source library list; if it is, the software is obtained from the download address provided. If it is not, the developer searches for and downloads the open source software from the network, performs a security scan with tools such as BlackDuck/FOSSID, and generates a report. If security problems are found, the developer must fix them and clear the findings to zero before uploading the open source software to the temporary directory of the software repository; for problems that are false positives or that cannot be fixed for special reasons, a separate explanation must be submitted. The scan report and the explanation file are attached to the warehousing review flow submitted on the process approval platform.
After receiving the application submitted by development, the administrator organises the technical review and gives an approval opinion; if it passes, the process moves on to the next link, security approval.
The security approver refers to the scan report, confirms that all security problems have been cleared, judges whether compliance risks exist, and gives restriction instructions, usage suggestions and risk prompts for the different open source licenses; these are stored in the software repository as an open source software usage guide for developers to consult, reducing compliance risk during use. According to the overall security condition of the open source software, the security approver stamps it with one of the following security labels: preferred (recommended for use), non-preferred (not recommended for use) or forbidden (use prohibited); the security label may change over time. After the security approver passes the approval, the administrator is notified that the approval is complete, and the process enters the warehousing and release link.
On receiving the notice that the process has ended, the administrator moves the open source software that development submitted to the temporary directory into the formal directory of the software repository according to its classification; once the process formally ends, the system automatically sends an e-mail notifying development that the software has been warehoused. The administrator issues a notice on the information publishing page announcing the newly warehoused open source software to all owners, and the searchable information on the query page is updated automatically.
After the open source software is warehoused, it enters the management and maintenance period shown in fig. 3. Security personnel monitor software vulnerabilities in the open source library in real time; if a new vulnerability is found, they promptly notify the administrator and adjust the security label according to the vulnerability level: a high-risk security vulnerability marks the software forbidden, a medium- or low-risk vulnerability marks it non-preferred, and software without vulnerabilities is marked preferred. The administrator verifies the discovered vulnerability and decides from its level whether to start the emergency response flow. If the emergency response is started, the list of affected products is collected and a security bulletin is published externally, and the vulnerability is fixed by a specified date; during that period the product line must replace the affected open source software or use a temporary scheme to reduce the existing risk. After the emergency response team releases the fix patch, the patch upgrade is carried out, the administrator publishes a vulnerability fix notice on the information publishing platform, and security personnel adjust the security label again. If the emergency response is not started, no fix deadline is imposed, and the risk is signalled only through the change of the security label and a notice on the information publishing platform.
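The management and maintenance period just described (label adjustment by vulnerability level, the administrator's verification gating the emergency response, and re-labelling after the patch) as an added Python example that is not the patent's own code; the vulnerability identifiers are placeholders and the 7-day fix window is an assumption, since the patent only says a fix date is determined.

```python
"""Vulnerability-management period: label changes by level and the selective emergency response."""
from dataclasses import dataclass, field
from datetime import date, timedelta
from enum import Enum
from typing import List, Optional


class Label(str, Enum):
    PREFERRED = "preferred"
    NON_PREFERRED = "non-preferred"
    FORBIDDEN = "forbidden"


class Level(str, Enum):
    HIGH = "high"
    MEDIUM = "medium"
    LOW = "low"


@dataclass
class Vulnerability:
    software: str
    ident: str                       # constructed placeholder, not a real advisory id
    level: Level
    verified_by_admin: bool = False  # the administrator's verification step


@dataclass
class EmergencyResponse:
    affected_products: List[str]     # collected inventory of affected products/services
    bulletin: str                    # security bulletin published externally
    fix_date: date                   # deadline by which the vulnerability must be fixed
    alternative: str                 # open source software to use before the fix date
    patched: bool = False


@dataclass
class LibraryEntry:
    name: str
    version: str
    label: Label = Label.PREFERRED   # no known vulnerability: preferred
    history: List[str] = field(default_factory=list)  # feeds the information publishing page


def label_for(level: Level) -> Label:
    """Patent rule: high-risk -> forbidden; medium- or low-risk -> non-preferred."""
    return Label.FORBIDDEN if level is Level.HIGH else Label.NON_PREFERRED


def emergency_required(level: Level) -> bool:
    """Patent rule: only a high-risk vulnerability starts the emergency response."""
    return level is Level.HIGH


def handle_vulnerability(entry: LibraryEntry, vuln: Vulnerability, affected: List[str],
                         alternative: str, today: date,
                         fix_window_days: int = 7) -> Optional[EmergencyResponse]:
    """Security adjusts the label; a high-risk finding also needs the administrator's verification."""
    if vuln.software != entry.name:
        raise ValueError(f"{vuln.ident} does not concern {entry.name}")
    start_response = emergency_required(vuln.level)
    if start_response and not vuln.verified_by_admin:
        raise ValueError(f"{vuln.ident}: administrator must verify before starting the emergency response")
    new_label = label_for(vuln.level)
    entry.history.append(f"{vuln.ident}: label {entry.label.value} -> {new_label.value}")
    entry.label = new_label
    if not start_response:
        entry.history.append(f"{vuln.ident}: no emergency response; risk signalled by label and notice only")
        return None
    resp = EmergencyResponse(
        affected_products=list(affected),
        bulletin=f"Security bulletin: {entry.name} {entry.version} affected by {vuln.ident}; "
                 f"use {alternative} until fixed",
        fix_date=today + timedelta(days=fix_window_days),   # assumed fix window
        alternative=alternative,
    )
    entry.history.append(f"{vuln.ident}: emergency response started, fix due {resp.fix_date.isoformat()}")
    return resp


def apply_fix(entry: LibraryEntry, resp: EmergencyResponse, fixed_version: str, today: date) -> Label:
    """After the team releases the patch: upgrade, publish the fix notice, re-label as preferred."""
    resp.patched = True
    entry.version = fixed_version
    overdue = " (overdue)" if today > resp.fix_date else ""
    entry.history.append(f"fix notice: upgraded to {fixed_version}{overdue}")
    entry.label = Label.PREFERRED
    return entry.label
```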
As can be seen from the foregoing embodiments, in the security management method for open-source software according to the embodiments of the present invention, by retrieving whether the target open-source software is listed in the open-source library list, in response to the target open-source software not being listed, the target open-source software is scanned and a security report is generated, and the target open-source software and the security report are stored in the temporary directory of the open-source software repository; proposing a technical review application and carrying out technical review aiming at the target open source software; responding to the technical review, proposing a safety review application aiming at the target open source software, setting a safety label for the target open source software by the safety review, and transferring the target open source software from the temporary catalog to a formal catalog of an open source software warehouse; the technical scheme of monitoring the target open source software in real time, responding to the occurrence of the bug of the target open source software, changing the security label based on the level of the bug, and selectively starting the emergency response can effectively control the introduction and the use of the open source software, identify the security state of the open source software, and ensure the safe and compliant use of the open source software.
It should be particularly noted that, the steps in the embodiments of the above-mentioned open source software security management method may be mutually intersected, replaced, added, and deleted, so that these reasonable permutation and combination transformations of the open source software security management method also belong to the scope of the present invention, and should not limit the scope of the present invention to the described embodiments.
In view of the above object, a second aspect of the embodiments of the present invention provides an embodiment of an open source software security management apparatus using open source software for guaranteeing security compliance. The open source software security management device comprises:
a processor; and
a memory storing program code executable by the processor, the program code when executed performing the steps of:
retrieving whether the target open source software is listed in an open source library list and, in response to it not being listed, scanning the target open source software, generating a security report, and storing the target open source software and the security report in a temporary directory of an open source software repository;
submitting a technical review application and carrying out a technical review of the target open source software;
in response to the technical review passing, submitting a security review application for the target open source software, the security review setting a security label for the target open source software and transferring it from the temporary directory to a formal directory of the open source software repository;
monitoring the target open source software in real time and, in response to a vulnerability occurring in the target open source software, changing the security label based on the level of the vulnerability and selectively initiating an emergency response.
In some embodiments, the steps further comprise: in response to the security report generated by scanning the target open source software including a security issue, resolving the security issue and rescanning the target open source software until the generated security report includes no security issue; and passing the technical review application in response to the technical review obtaining the target open source software from the temporary directory and determining that the target open source software has a reasonable requirement, satisfies the type selection condition, and satisfies the open source management requirement.
In some embodiments, changing the security label based on the level of the vulnerability includes: adjusting the security label to forbidden in response to the level of the vulnerability being high risk; adjusting the security label to non-preferred in response to the level of the vulnerability being medium or low risk;
selectively initiating an emergency response includes: initiating an emergency response in response to the level of the vulnerability being high risk; not initiating an emergency response in response to the level of the vulnerability being medium or low risk;
initiating an emergency response includes: collecting an inventory of affected products and/or services and publishing a security bulletin, determining the vulnerability fix date, and determining the alternative open source software to use before the fix date.
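As an added example that is not part of the patent, the following Python model encodes the lifecycle described in the method and apparatus steps above: intake with scan-and-rescan until the report is clean, a technical review that gates the security review, labelling on transfer to the formal directory, and vulnerability-driven re-labelling with an emergency response only for high-risk findings. The class and method names, the product dependency map, and the severity strings are assumptions made for illustration.

```python
from dataclasses import dataclass, field
from enum import Enum
from typing import Optional

class Label(Enum):
    PREFERRED = "preferred"
    NON_PREFERRED = "non-preferred"
    FORBIDDEN = "forbidden"

@dataclass
class Component:
    name: str
    version: str
    label: Optional[Label] = None
    issues: list[str] = field(default_factory=list)  # findings of the last scan

    @property
    def key(self) -> str:
        return f"{self.name}@{self.version}"

class OpenSourceRepository:
    def __init__(self, products: dict[str, set[str]]) -> None:
        self.products = products          # product -> component keys it uses (constructed input)
        self.temporary: dict[str, Component] = {}
        self.formal: dict[str, Component] = {}   # formal directory; its keys are the library list
        self.reviewed: set[str] = set()          # components that passed technical review
        self.notices: list[str] = []             # the information publishing page

    def intake(self, comp, scan, fix) -> bool:
        """Skip listed software; otherwise scan, resolve and rescan until the report is clean."""
        if comp.key in self.formal:
            return False
        comp.issues = scan(comp)
        while comp.issues:                # resolve the findings and rescan
            fix(comp)
            comp.issues = scan(comp)
        self.temporary[comp.key] = comp   # software and clean report go to the temporary directory
        return True

    def technical_review(self, comp: Component, reasonable: bool, type_ok: bool, mgmt_ok: bool) -> bool:
        """Pass only when the request is reasonable and type-selection and management rules are met."""
        ok = comp.key in self.temporary and reasonable and type_ok and mgmt_ok
        if ok:
            self.reviewed.add(comp.key)
        return ok

    def security_review(self, comp: Component, label: Label) -> None:
        """Reviewer sets the label; the software moves from temporary to formal and is listed."""
        if comp.key not in self.reviewed:
            raise PermissionError("technical review must pass before security review")
        comp.label = label
        self.formal[comp.key] = self.temporary.pop(comp.key)
        self.notices.append(f"stored {comp.key} as {label.value}")

    def report_vulnerability(self, comp: Component, severity: str) -> dict:
        """Re-label by severity; only a high-risk vulnerability starts the emergency response."""
        if severity == "high":
            comp.label = Label.FORBIDDEN
            affected = sorted(p for p, deps in self.products.items() if comp.key in deps)
            self.notices.append(f"security bulletin: {comp.key} high risk, affected={affected}")
            return {"label": comp.label, "emergency": True, "affected": affected}
        comp.label = Label.NON_PREFERRED  # medium/low risk: label change and notice, no deadline
        self.notices.append(f"risk notice: {comp.key} {severity} risk")
        return {"label": comp.label, "emergency": False, "affected": []}
```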
As can be seen from the foregoing embodiments, the open source software security management apparatus provided in the embodiments of the present invention retrieves whether the target open source software is listed in the open source library list and, in response to it not being listed, scans the target open source software, generates a security report, and stores the target open source software and the security report in the temporary directory of the open source software repository; submits a technical review application and carries out a technical review of the target open source software; in response to the technical review passing, submits a security review application for the target open source software, in which the security review sets a security label for the target open source software and transfers it from the temporary directory to the formal directory of the open source software repository; and monitors the target open source software in real time, changes the security label based on the level of any vulnerability that occurs in it, and selectively starts an emergency response. This technical scheme can effectively control the introduction and use of open source software, identify its security state, and ensure its safe and compliant use.
It should be particularly noted that the above embodiment of the open source software security management apparatus uses the embodiment of the open source software security management method to describe the working process of each module, and those skilled in the art will readily appreciate that these modules can be applied to other embodiments of the open source software security management method. Of course, since the steps in the embodiment of the open source software security management method may be interleaved, replaced, added, or deleted, such reasonable permutations and combinations should also belong to the scope of the present invention for the open source software security management apparatus, and the scope of the present invention should not be limited to the described embodiment.
The foregoing is an exemplary embodiment of the present disclosure, but it should be noted that various changes and modifications could be made herein without departing from the scope of the present disclosure as defined by the appended claims. The functions, steps and/or actions of the method claims in accordance with the disclosed embodiments described herein need not be performed in any particular order. Furthermore, although elements of the disclosed embodiments of the invention may be described or claimed in the singular, the plural is contemplated unless limitation to the singular is explicitly stated.
Those of ordinary skill in the art will understand that the discussion of any embodiment above is meant to be exemplary only and is not intended to imply that the scope of the disclosure, including the claims, of embodiments of the invention is limited to these examples; within the idea of an embodiment of the invention, technical features in the above embodiment or in different embodiments may also be combined, and there are many other variations of the different aspects of an embodiment of the invention as described above which are not provided in detail for the sake of brevity. Therefore, any omissions, modifications, substitutions, improvements, and the like that may be made without departing from the spirit and principles of the embodiments of the present invention are intended to be included within the scope of the embodiments of the present invention.

Claims (10)

1. An open source software security management method, characterized by comprising the following steps:
retrieving whether target open source software is listed in an open source library list and, in response to it not being listed, scanning the target open source software, generating a security report, and storing the target open source software and the security report in a temporary directory of an open source software repository;
submitting a technical review application and carrying out a technical review of the target open source software;
in response to the technical review passing, submitting a security review application for the target open source software, the security review setting a security label for the target open source software and transferring the target open source software from the temporary directory to a formal directory of the open source software repository;
monitoring the target open source software in real time and, in response to a vulnerability occurring in the target open source software, changing the security label based on the level of the vulnerability and selectively starting an emergency response.
2. The method of claim 1, further comprising: in response to the security report generated by scanning the target open source software including a security issue, resolving the security issue and rescanning the target open source software until the generated security report includes no security issue.
3. The method of claim 1, further comprising: passing the technical review application in response to the technical review obtaining the target open source software from the temporary directory and determining that the target open source software has a reasonable requirement, meets the type selection condition, and meets the open source management requirement.
4. The method of claim 1, further comprising: obtaining, by the security review, the target open source software and the security report from the temporary directory, and setting the security label for the target open source software based on the compliance risk level disclosed by the target open source software and the security report, the security label being one of: preferred, non-preferred, forbidden.
5. The method of claim 1, further comprising: issuing a notice and incorporating the target open source software into the open source library list while transferring the target open source software from the temporary directory to the formal directory of the open source software repository.
6. The method of claim 1, wherein changing the security label based on the level of the vulnerability comprises: adjusting the security label to forbidden in response to the level of the vulnerability being high risk; adjusting the security label to non-preferred in response to the level of the vulnerability being medium or low risk;
selectively starting an emergency response comprises: starting the emergency response in response to the level of the vulnerability being high risk; not starting the emergency response in response to the level of the vulnerability being medium or low risk.
7. The method of claim 6, wherein starting the emergency response comprises: collecting an inventory of affected products and/or services and publishing a security bulletin, determining the vulnerability fix date, and determining the alternative open source software to use before the fix date.
8. An open source software security management apparatus, comprising:
a processor; and
a memory storing program code executable by the processor, the program code when executed performing the steps of:
retrieving whether target open source software is listed in an open source library list and, in response to it not being listed, scanning the target open source software, generating a security report, and storing the target open source software and the security report in a temporary directory of an open source software repository;
submitting a technical review application and carrying out a technical review of the target open source software;
in response to the technical review passing, submitting a security review application for the target open source software, the security review setting a security label for the target open source software and transferring the target open source software from the temporary directory to a formal directory of the open source software repository;
monitoring the target open source software in real time and, in response to a vulnerability occurring in the target open source software, changing the security label based on the level of the vulnerability and selectively starting an emergency response.
9. The apparatus of claim 8, wherein the steps further comprise: in response to the security report generated by scanning the target open source software including a security issue, resolving the security issue and rescanning the target open source software until the generated security report includes no security issue; and passing the technical review application in response to the technical review obtaining the target open source software from the temporary directory and determining that the target open source software has a reasonable requirement, meets the type selection condition, and meets the open source management requirement.
10. The apparatus of claim 8, wherein changing the security label based on the level of the vulnerability comprises: adjusting the security label to forbidden in response to the level of the vulnerability being high risk; adjusting the security label to non-preferred in response to the level of the vulnerability being medium or low risk;
selectively starting an emergency response comprises: starting the emergency response in response to the level of the vulnerability being high risk; not starting the emergency response in response to the level of the vulnerability being medium or low risk;
starting the emergency response comprises: collecting an inventory of affected products and/or services and publishing a security bulletin, determining the vulnerability fix date, and determining the alternative open source software to use before the fix date.

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202011149935.8A CN112434299A (en) 2020-10-23 2020-10-23 Open source software security management method and device

Publications (1)

Publication Number Publication Date
CN112434299A true CN112434299A (en) 2021-03-02

Family

ID=74695999

Country Status (1)

Country Link
CN (1) CN112434299A (en)

Cited By (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN113268714A (en) * 2021-06-03 2021-08-17 西南大学 Automatic extraction method for license terms of open source software
CN114996668A (en) * 2022-06-30 2022-09-02 中国电信股份有限公司 Processing method, device, equipment and medium for open source assembly
CN114996668B (en) * 2022-06-30 2024-01-02 中国电信股份有限公司 Processing method, device, equipment and medium of open source assembly
CN116756710A (en) * 2023-08-16 2023-09-15 深圳开源互联网安全技术有限公司 Open source treatment method and system based on feature tag tracking technology and electronic equipment
CN116756710B (en) * 2023-08-16 2024-03-22 深圳开源互联网安全技术有限公司 Open source treatment method and system based on feature tag tracking technology and electronic equipment

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
WW01 Invention patent application withdrawn after publication

Application publication date: 20210302