JP2021018446A - Security operation support system and method thereof - Google Patents

Abstract

To reduce a test load for verifying an application to which a patch is to be applied.SOLUTION: A server includes a patch collection unit 21 configured to identify a first application that has a function affected by a patch program obtained from a provider, using effect range information that stores a relationship between the patch program and a function of an application affected by the patch program, a test state management unit 22 configured to output test state management information that shows results of a pre-verification test of a second application for a function having a dependence relationship with the affected function of the identified application, and an analysis unit 23 configured to calculate, based on the function of the first application and the function of the second application, the similarity between the two applications, present confirmation information for determining the necessity of the pre-verification test for an application whose calculated similarity satisfies a predetermined condition, and register a determination result including the necessity of the pre-verification test in test state information.SELECTED DRAWING: Figure 2

Description

The present invention relates to a security operation support system and a method thereof.

In recent years, cyber attacks on social infrastructure such as electric power, railways, water, and gas, and control systems used in automobiles have been on the rise. In addition, with the incorporation of general-purpose technology into control systems and the increase in connections with information systems, there is an increasing need for vulnerability countermeasures that have not been implemented in the past.

Vulnerability is a security defect caused by a program defect or design error in an OS (Operating System) or application, and vulnerability information and countermeasures are widely distributed by external security organizations. .. Businesses that use OSs and applications can avoid security risks due to vulnerabilities in advance by applying security patches to the system as a measure against vulnerabilities based on this information and the like.

In information systems, it is basic to implement such vulnerability countermeasures on a regular basis. However, control systems require stricter availability than information systems, so it is often the case that changes are not made to systems that are operating stably. Therefore, even if a vulnerability is found in a part of the system, there are many cases where the security patch for the vulnerability remains unapplied. However, even in a control system that does not connect to an external network, there is a connection to the external network or external system by connecting a USB (Universal Serial Bus) memory or a maintenance PC (Personal Computer) during maintenance work, and malware via them Cases of infection have been reported. For this reason, it has become difficult to ensure the security of the control system in the conventional operation that does not deal with vulnerabilities. In addition, not only in the system operation phase but also in the development phase, it is necessary to use an OS or the like to which an appropriate security patch is applied as a prerequisite environment, and it is necessary to consider which security patch should be applied.

In order to apply a security patch to a control system, it is necessary to confirm (pre-verify) that the middleware and applications operate without problems even with the security patch applied, and then apply it to the on-site system. is there. In other words, in each development department of various middleware and applications, it is necessary to build a system similar to the site and test that it works without problems. In addition, since security patches are issued frequently, it is necessary for each department to carry out preliminary verification each time. If such pre-verification processing is performed in each of a plurality of departments, the overall verification cost will increase. In addition, in the event of an attack that spreads rapidly, it is necessary to apply security patches promptly, so it is necessary to complete the preliminary verification in a short time.

In this way, reducing the cost and time required for pre-verification of security patches is a major issue in implementing vulnerability countermeasures in control systems. As a general test man-hour reduction measure, there is a method of reducing test patterns by devising a method of combining parameters. For example, Patent Document 1 describes a method of generating test data excluding unnecessary combinations by considering screen transitions.

Japanese Unexamined Patent Publication No. 2011-76498

In Patent Document 1, the test pattern can be limited and the test man-hours can be reduced by considering a rational combination method in extracting test items in a single program.

However, in the use case targeted this time, the problem is that pre-verification is required for various programs each time a security patch is issued, and improving the efficiency of pre-verification for a single program is sufficient. Is difficult.

Therefore, it is necessary to reduce the overall verification cost when performing pre-verification for applying the security patch in a plurality of applications. This is not limited to security patches, and similar problems may occur when other patches are applied.

One aspect of the present invention is to provide a security operation support system and a method thereof that can reduce the test load for verifying an application to which a patch is applied.

The security operation support system according to one aspect of the present invention is affected by the patch program obtained from the provider by using the influence range information that stores the relationship between the patch program and the function of the application affected by the patch program. A test status showing the results of a pre-verification test of a second application for a patch collector that identifies a first application that has a function to receive and a function that is dependent on the affected function of the identified application. An application that calculates the similarity between the test status management unit that outputs management information and the function of the first application and the function of the second application, and the calculated similarity satisfies a predetermined condition. Confirmation information for determining the necessity of the preliminary verification test is presented, and the determination result including the necessity of the preliminary verification test for the first application determined based on the presentation is the test status information. It is configured as a security operation support system characterized by having an analysis unit registered in.

According to one aspect of the present invention, the test load for verifying the application to which the patch is applied can be reduced.

It is a figure which illustrates the structure of the test status management system for the control system to which this embodiment is applied. It is a figure which illustrates the internal structure of the test status management server shown in FIG. It is a figure which illustrates the internal structure of the management terminal of the application shown in FIG. It is a figure which illustrates the hardware configuration of the test status management server and the management terminal of an application shown in FIG. It is a figure which illustrates the whole processing flow of the test status management system to which this embodiment is applied. It is a figure which illustrates the processing flow which specifies the influence range of a patch in the whole processing flow of the test situation management system shown in FIG. It is a figure which illustrates the processing flow which extracts the similar application in the whole processing flow of the test situation management system shown in FIG. It is a figure which illustrates the table structure of the patch influence range table held by the test status management server in the test status management system to which this embodiment is applied. It is a figure which illustrates the table structure of the test status management table held by the test status management server in the test status management system to which this embodiment is applied. It is a figure which illustrates the test information confirmation screen of the similar application output from the management terminal of the application in the test situation management system to which this embodiment is applied. It is a figure which illustrates the table structure of the application characteristic table held by the test status management server in the test status management system to which this embodiment is applied.

Hereinafter, embodiments of the present invention will be described with reference to the drawings. The following description and drawings are examples for explaining the present invention, and are appropriately omitted and simplified for the sake of clarification of the description. The present invention can also be implemented in various other forms. Unless otherwise specified, each component may be singular or plural.

The position, size, shape, range, etc. of each component shown in the drawings may not represent the actual position, size, shape, range, etc., in order to facilitate understanding of the invention. Therefore, the present invention is not necessarily limited to the position, size, shape, range and the like disclosed in the drawings.

In the following description, various information may be described by expressions such as "table" and "list", but various information may be expressed by a data structure other than these. The "XX table", "XX list", etc. may be referred to as "XX information" to indicate that they do not depend on the data structure. When expressions such as "identification information", "identifier", "name", "ID", and "number" are used in explaining the identification information, these can be replaced with each other.

When there are a plurality of components having the same or similar functions, they may be described by adding different subscripts to the same reference numerals. However, when it is not necessary to distinguish between these plurality of components, the subscripts may be omitted for explanation.

Further, in the following description, a process performed by executing a program may be described, but the program is determined by being executed by a processor (for example, a CPU (Central Processing Unit) or a GPU (Graphics Processing Unit)). Since the processed processing is appropriately performed using a storage resource (for example, memory) and / or an interface device (for example, a communication port), the main body of the processing may be a processor. Similarly, the subject of processing for executing a program may be a controller, a device, a system, a computer, or a node having a processor. The main body of the processing performed by executing the program may be an arithmetic unit, and may include a dedicated circuit (for example, FPGA (Field-Programmable Gate Array) or ASIC (Application Specific Integrated Circuit)) that performs specific processing. ..

The program may be installed from the program source into a device such as a calculator. The program source may be, for example, a program distribution server or a computer-readable storage medium. When the program source is a program distribution server, the program distribution server includes a processor and a storage resource for storing the program to be distributed, and the processor of the program distribution server may distribute the program to be distributed to other computers. Further, in the following description, two or more programs may be realized as one program, or one program may be realized as two or more programs.

FIG. 1 is a configuration diagram of a test status management system 1000 for a control system according to the present embodiment. In the following, the application may be abbreviated as an application. In addition, when the term "application" or "application" is simply used, it may include an OS, middleware running on the OS, and various applications.

As illustrated in FIG. 1, the test status management system 1000 for the control system of the present embodiment analyzes the test status management of a plurality of applications and the possibility of omitting the test with the external server 11 that provides vulnerability information and security patches. It has a test status management server 12 to be performed, application management terminals 13a to 13n (collectively referred to as "application management terminal 13") provided for each application and managing the test status of each application, and a network 14 and a network 15. It is composed of. Here, the networks 14 and 15 may be the same network.

Next, each device constituting the test status management system 1000 of FIG. 1 will be described. First, the test status management server 12 will be described with reference to FIG.

The test status management server 12 receives instructions from the processing unit 20a, the storage unit 20b, the communication unit 20c for communicating with other devices via the networks 14 and 15, and the user of the test status management server 12. It has an input / output unit 20d for displaying the result to the user.

The processing unit 20a manages / updates the information of the patch collecting unit 21 that accesses the external server 11 and collects security patches, and the test status holding unit 27 based on the information received from the management terminal 13 of each application. It has a unit 22, an analysis unit 23 that analyzes the similarity of each application and determines whether or not the test can be omitted, and a control unit 24 that collectively controls each unit of the test status management server 12.

The storage unit 20b includes a security patch holding unit 25 that holds the security patch acquired from the external server 11, and a patch influence range holding unit 26 that holds a table showing which function of the OS the acquired security patch affects. It has a test status holding unit 27 that holds a table showing the dependency relationship between the OS and the functions of each application and the test status of the dependency portion, and 28 that holds the characteristics of each application.

Next, the application management terminal 13 will be described with reference to FIG. The application management terminal 13 receives support from the processing unit 30a, the storage unit 30b, the communication unit 30c for communicating with other devices via the network 15, and the user of the application management terminal 13, or to the user. It has an input / output unit 30d for displaying the result and the like.

The processing unit 30a includes a DB (Data Base) management unit 31 that manages / updates the test status of the application, and a control unit 32 that collectively controls each unit of the application management terminal 13.

The storage unit 30b is a patch influence range holding unit 33 that holds a security patch holding unit 33 that holds the security patch acquired from the test status management server 12 and a table that shows which function of the OS the acquired security patch affects. It has 34 and a test status holding unit 35 that holds a table showing the dependency relationship between the OS and the function of the application and the test status of the dependent portion.

FIG. 4 is a diagram illustrating the hardware configuration of the test status management server 12 and the application management terminal 13. The test status management server 12 and the application management terminal 13 are configured by connecting the communication device 41, the input / output device 42, the storage device 43, the CPU 44, and the memory 45 by an internal communication line 46 such as a bus. ing.

The processing flow in the test status management system 1000 for the control system of this embodiment will be described. The processing flow described below constitutes a test status management system for a control system by loading a program stored in a storage device of the test status management server 11 or the application management terminal 13 into a memory and executing the program by the CPU. It is executed by each processing unit embodied on the device. In addition, each program may be stored in a storage device in advance, or may be introduced when necessary via another storage medium or communication medium (network or carrier wave propagating in the network).

FIG. 5 is a diagram showing an overall processing flow in the test status management system 1000 to which the present embodiment is applied.

First, the patch collection unit 21 of the test status management server 12 accesses the external server 11 (step S501 (expressed as S501; the same applies hereinafter)) and acquires the security patch if a new security patch exists. (S502).

The patch collecting unit 21 stores the security patch in the security patch holding unit 25, and specifies the range of influence of the security patch on the OS and the range of influence on the application. Then, the strike status management unit 22 sends the security patch and information on the range of influence to be implemented as pre-verification of the security patch to the specified plurality of applications (S503, S504, S505).

The management terminal 13 of each application that has received the security patch and its influence range information displays on the input / output unit 30d that it is necessary to perform pre-verification based on the information, presents it to the person in charge of the application, and is in charge of the application. Performs a test in a pre-verification environment (S506). Specifically, the management terminal 13 of each application is affected by each function of the application in the state before applying the security patch to the application and the state after applying the security patch according to the operation from the person in charge of the application. And confirm that the execution results of both are the same. When the person in charge of each application completes the preliminary verification, the management terminal 13 of each application transmits the preliminary verification result, which is the result of the confirmation, to the test status management server 12 through the management terminal 13 of the application (S507).

In this process, in S507, the person in charge of the application determines whether or not the pre-verification has been completed. However, the management terminal 13 of each application determines whether or not the predetermined condition is satisfied. Whether or not the pre-verification is completed may be automatically determined according to the result of the determination.

In the test status management server 12 that has received the pre-verification result from the application management terminal 13, the test status management unit 22 extracts an application having a high degree of similarity to the application for which the test has been completed (S508), and the degree of similarity is high. Information on the pre-verification of the application for which the pre-verification has been completed is sent to the application management terminal 13 (S509). The same shall be included in the similarities.

The person in charge of the management terminal 13 of the application that has received the pre-verification information of another similar application determines whether to perform the pre-verification in the own application or omits it based on the information (S510), and determines whether to perform the pre-verification or omit the application (S510). The management terminal 13 sends the determination result to the test status management server 12 (S511).

In this process, in S510, the person in charge of the application determines whether or not to carry out the preliminary verification, but the management terminal 13 of each application determines whether or not the predetermined condition is satisfied. It may be automatically determined whether or not to carry out the preliminary verification according to the result of the determination.

When the analysis unit 23 of the test status management server 12 receives the pre-verification implementation necessity determination result, the analysis unit 23 manages the status of each application by registering the result in the DB (S512). For example, the analysis unit 23 of the test status management server 12 registers the determination result input from the user who confirmed the presented confirmation information in the test status information in S512.

The specific processing of S503 and S508 will be described later, but in the test status management server 12, the patch collection unit 21 has a relationship between the patch program and the function of the application (for example, OS or application) affected by the patch program. By using the patch influence range table 800 which is the influence range information stored in the above, the first application having a function affected by the patch program obtained from the provider (for example, the external server 11) is identified, and the test status management is performed. Unit 22 outputs the test status management table 900, which is the test status management information indicating the result of the pre-verification test of the second application for the functions that are dependent on the affected functions of the specified application. The analysis unit 23 calculates the similarity between the two based on the function of the first application and the function of the second application (for example, the similarity is calculated by comparing the functions of both), and the calculation is performed. The test information confirmation screen 100 of a similar application, which is confirmation information for determining the necessity of the above-mentioned pre-verification test for an application whose similarity satisfies a predetermined condition (for example, a match rate of 80% or more as the similarity), is displayed on the application. The test results (for example, the correspondence status of the patch list 101 to be applied to the application) including the necessity of the pre-verification test for the first application judged based on the presentation to the management terminal 13 are tested. Register in the status information.

Therefore, the user who manages the application can omit the pre-verification utilizing the pre-verification result in the similar application, and can reduce the test load for the verification. Further, since the user who manages each application registers each judgment result in one of the above test status information, it is aggregated as one information reflecting each judgment result, so that when applying the patch program. You can centrally manage the test status of the application.

FIG. 6 is a diagram showing a specific processing flow of the patch influence range specifying processing (S503) in the overall processing flow of FIG.

The administrator of the test status management server 12 separately investigates which function of the OS the patch affects the downloaded security patch. The test status management server 12 registers the investigation result in the patch influence range table 800 (FIG. 8) held in the patch influence range holding unit 26 according to the operation from the administrator (S602). Specifically, the patch collection unit 21 of the test status management server 12 adds the identification name (“p3” or the like) of the downloaded security patch to the security patch column 801 of the patch influence range table 800. Then, "○" is registered at the intersection with each function of the OS affected by the security patch. In the example of FIG. 8, "○" is registered at the point 803 where the OS function "F_x3" affected by the security patch "p3" intersects, and the security patch "p3" affects the OS function "F_x3". It is shown that.

Next, the patch collection unit 21 of the test status management server 12 identifies the range of influence of the security patch on the application (S603). Specifically, the test status management server 12 is affected by the security patch and the affected application within the application based on the test status management table 900 (FIG. 9) held in the test status holding unit 27. Identify the function. The test status management table 900 is created in advance based on the information from the person in charge of each application. For example, the patch collection unit 21 receives information on the test status input from the management terminal 13 of each application, and aggregates and creates the test status management table 900.

The test status management unit 22 of the test status management server 12 uses the function name of the affected OS specified in the previous step as a key to display the application and the function of the application with a mark such as "○" in the function of the OS. Extract. For example, the test status management server 12 uses the OS function name of "F_x3" as a key to extract the "F_a3" function of the "AP_a" application and the "F_b3" function of the "AP_b" application. In FIG. 9, the mark of the intersection is "○" with a dependency (untested), "●" with a dependency (tested: no problem), and "▲" with a dependency (tested: with a problem). It shows that there is. In this way, in the test status management table 900, the test execution status and the execution result of the item are registered in addition to the dependency.

Next, the test status management unit 22 of the test status management server 12 generates patch and influence range information to be sent to the management terminals 13 of all the applications affected by the patch acquired in the previous step (S604). ). In the patch and the range of influence information, the security patch itself (for example, p3) and the function name of each application affected by the patch (for example, F_a3, F_b3) are described.

FIG. 7 is a diagram showing a specific processing flow of the extraction processing (S508) of the similar application in the overall processing flow of FIG. The test status management server 12 uses the following for each of the comparison target applications in order to calculate the similarity between the source application (comparison source application) of the pre-verification result received in S507 and each other application (comparison target application). Perform the processing of.

First, the analysis unit 24 of the test status management server 12 acquires information on the comparison source application and the comparison target application (S702). Specifically, the analysis unit 24 acquires the OS function group utilized by each function group of the comparison source application and the comparison target application from the test status management table 900. For example, the analysis unit 24 reads "F_x1" and "F_x3" as the OS function group utilized by each function group of the "AP_a" application.

In addition, the analysis unit 24 acquires the characteristics of each application registered in advance in the application characteristic holding unit 28. As a characteristic of the application, for example, there may be an industry targeted by the application and a system scale assuming that the application is used. It can be said that the characteristics of an application are information that represents the characteristics of the object to which the application is applied.

Next, the analysis unit 24 determines whether or not there is an OS function related to the security patch targeted by the pre-verification result received from the comparison source application in the OS function group utilized by each function group of the comparison target application. (S703). When the analysis unit 24 determines that the comparison target application does not have the OS function and is not utilizing it (No in S703), the analysis unit 24 moves to the processing of the next comparison target application in S708.

On the other hand, when the analysis unit 24 determines that the comparison target application has the OS function and is utilizing it (Yes in S703), the OS function group used by the comparison source application and the OS function group used by the comparison target application. Are compared and the two match rates are calculated (S704). If both use the same OS function, the match rate will be high, and if they use different OS functions, the match rate will be low. In the example of FIG. 9, the "AP_a" application and the "AP_b" application both use "F_x3" among the three OS functions. Therefore, the test status management server 12 calculates the match rate between the two as 1/3.

The analysis unit 24 determines whether or not the match rate is equal to or higher than a predetermined threshold value (S705), and if it determines that the match rate is lower than the predetermined threshold value (No in S705), the comparison target. It is determined that the application is not a similar application, and the process of the next comparison target application is started in S708. On the other hand, when the analysis unit 24 determines that the match rate is equal to or higher than a predetermined threshold value (Yes in S705), the analysis unit 24 determines that the comparison target application is a similar application.

Further, when other application characteristics are set in the application characteristic holding unit 28, the analysis unit 24 compares the application characteristics of the comparison source application and the comparison target application, and extracts the matching characteristics (S706). .. For example, the analysis unit 24 determines that the other application characteristics of the two are matched when the target industries of the application are the same and the system scales assuming that the application is used are the same. Extract the items that show the characteristics of.

The analysis unit 24 collects the above processing results and generates information for the comparison target application. Specifically, the analysis unit 24 generates information including the match rate of the OS function used and the match item of the application characteristics, the target security patch information, and the verification result in the comparison source application as the information to the comparison target application. To do.

With the above, the process related to the comparison target application is completed, and the analysis unit 24 repeatedly executes the steps S703 to S707 until the next comparison target application disappears (S708). When the processing for all the comparison target applications is completed, the analysis unit 24 sends the generated information to the comparison target application to the management terminal 13 of the corresponding application (S509).

As described above, in S704 and S705, the analysis unit 23 of the test status management server 12 has a match rate between the function of the first application as the comparison source and the function of the second application to be compared is equal to or higher than a certain threshold value. (For example, 80% or more) is determined, and an application whose match rate is equal to or higher than a certain threshold value is determined to be an application whose similarity satisfies a predetermined condition, and is confirmation information in S509. The test information confirmation screen 100 of a similar application is presented to the management terminal 13 of the application. As a result, the user can determine the necessity of pre-verification of the application managed by the user by referring to the confirmation information of the application having a high degree of similarity.

Further, in S706, when the analysis unit 23 of the test status management server 12 determines that the match rate is equal to or higher than a certain threshold value, the application characteristic table is application characteristic information in which the application and the characteristics of the application are associated with each other. Using 1100, the characteristics of the matching first application and the second application are presented including them in the confirmation information. This makes it possible to determine the necessity of pre-verification in consideration of the characteristics of the application.

FIG. 10 shows an image of a screen (test information confirmation screen of a similar application) 100 displayed on the management terminal 13 of the application when the information to the comparison target application is received (S509). The management terminal 13 displays a screen including a patch list 101 to be applied to the application and a patch information detail 102.

The patch list 101 to be applied to the application shows a list of security patches that have not been applied to the application, and displays the security patch name, the effective date of the patch, and the support status of the pre-verification of the patch.

In the patch information detail 102, when the management terminal 13 receives a click of any patch name in the patch list 101 to be applied to the application, the management terminal 13 displays detailed information about the patch. Specifically, the management terminal 13 displays the name of the patch and the verification result in a similar application for the patch. The verification results for similar apps include whether the names of similar apps, the degree of similarity with the apps, and the characteristics of the apps (target industry and system scale) match, and the results of prior verification for the patch in the similar apps. Based on the above, the recommended countermeasure policy for the app is displayed.

In the screen image of FIG. 10, an image showing a recommended correspondence policy is described, but the present invention is not limited to this. For example, if the degree of similarity or the degree of matching of application characteristics is higher than a certain level, a method of automatically determining and displaying a countermeasure policy may be used.

For example, the analysis unit 23 of the test status management server 12 uses the above confirmation information as a condition (for example, a match rate) in which the pre-verification result of an application whose similarity satisfies a predetermined condition (for example, a match rate of 80% or more) is constant. Is 80% or more, the application characteristics are the same, and the verification result satisfies "no problem"), the response policy for the pre-verification test for the first application based on the pre-verification result (for example, pre-verification). A policy that recommends omitting the verification test) is output and presented to the management terminal 13 of the application. As a result, the user can grasp at a glance the recommended policy based on the pre-verification result of the application having a high degree of similarity, and can easily obtain the material for determining the necessity of the pre-verification.

As the confirmation information, the analysis unit 23 performs a pre-verification test for the first application predetermined by the user when the pre-verification result of the application whose similarity satisfies the predetermined condition satisfies the certain condition. (For example, a policy to contact the administrator) may be output. This allows the user to easily understand how to deal with the necessity of pre-verification even if there is no recommended policy based on the pre-verification results of highly similar apps. ..

FIG. 11 is a diagram showing an example of an application characteristic table 1100 showing the characteristics of each application registered in the application characteristic holding unit 28. As shown in FIG. 11, the application characteristic table 1100 is a table in which the application name 1101 and the application characteristic 1102 are associated with each other. In FIG. 11, for example, the application “AP_a” and the application “AP_b” are both intended for medium-sized industrial systems as application characteristics. Therefore, it is determined that the application "AP_b" has a higher match rate with the application "AP_a" than the application "AP_c".

As described above, by realizing these configurations, procedures, and data structures, it is possible to efficiently perform operation verification before applying a security patch when dealing with vulnerabilities in a control system. .. Specifically, when performing pre-verification of security patches in a large number of applications, it is possible to omit the pre-verification utilizing the pre-verification results of other similar applications, and it is possible to reduce the overall pre-verification cost.

In addition, it is possible to manage the pre-verification status of many applications in an integrated manner and notify the test result of a certain application to an application administrator having a high degree of similarity. Specifically, in the test status management server 12, a table that organizes the dependency relationship between the function of each application and the function of the OS and the test status of the dependent function is prepared in advance, and each application has the test execution status. As a result, pre-verification information such as unexecuted, implemented (no problem), implemented (problem), etc. is transmitted to the test status management server 12 and the table is updated. If there is an app that has a high degree of similarity to the app that updated the test status, the test status management server 12 may notify the administrator of the similar app that it proposes to omit the test based on the test result of the app. it can.

The present invention is not limited to the above embodiment, and various modifications can be made within the scope of the gist thereof. In addition, although the security patch is described assuming that it is related to the OS, it is not limited to the OS and may be a security patch for middleware. Even in the case of the embodiment, there is no essential change in the processing performed in the entire system.

11: External server, 12: Test status management server, 13a to 13n: Application management terminal, 14 to 15 networks, 20a, 30a: Processing unit, 20b, 30b: Storage unit, 20c, 30c: Communication unit, 20d, 30d : Input / output unit, 21: Patch collection unit, 22: Test status management unit, 23: Analysis unit, 24, 32: Control unit, 25, 33: Security patch holding unit, 26, 34: Patch influence range holding unit, 27 , 35: Test status holding unit, 28: Application characteristic holding unit, 31: DB management unit, 33:41: Communication device, 42: Input / output device, 43: Storage device, 44: CPU, 45: Memory, 46: Internal Signal line, 800: Patch influence range table, 801: Security patch column, 802: OS function column, 900: Test status management table, 901: OS function column, 902: App function column, 100: Test information confirmation screen for similar applications , 101: Patch list screen to be applied to the application, 102: Patch information detail screen.

Claims (12)

Patch collection that identifies the first application that has the function affected by the patch program obtained from the provider, using the range of influence information that stores the relationship between the patch program and the function of the application affected by the patch program. Department and
A test status management unit that outputs test status management information indicating the results of the pre-verification test of the second application for the functions that are dependent on the affected functions of the specified application.
The similarity between the first application and the second application is calculated based on the function of the first application, and the necessity of the pre-verification test is determined for the application for which the calculated similarity satisfies a predetermined condition. An analysis unit that presents confirmation information for the purpose and registers the judgment result including the necessity of the preliminary verification test for the first application judged based on the presentation in the test status information.
A security operation support system characterized by being equipped with. The security operation support system according to claim 1.
The analysis unit determines whether or not the match rate between the function of the first application and the function of the second application is equal to or higher than a certain threshold value, and determines an application in which the match rate is equal to or higher than a certain threshold value. It is determined that the application satisfies the predetermined degree of similarity, and the confirmation information is presented.
A security operation support system characterized by this. The security operation support system according to claim 2.
When the analysis unit determines that the match rate is equal to or higher than the threshold value, the analysis unit uses the application characteristic information in which the application and the characteristics of the application are associated with each other to match the first application and the second application. The characteristics of the above are included in the confirmation information and presented.
A security operation support system characterized by this. The security operation support system according to claim 2.
As the confirmation information, the analysis unit performs the pre-verification test for the first application based on the pre-verification result when the pre-verification result of the application whose similarity satisfies a predetermined condition satisfies a certain condition. Output the response policy,
A security operation support system characterized by this. The security operation support system according to claim 2.
As the confirmation information, the analysis unit has a policy for responding to the predetermined pre-verification test for the first application when the pre-verification result of the application whose similarity satisfies a predetermined condition satisfies a certain condition. To output,
A security operation support system characterized by this. The security operation support system according to claim 1.
The analysis unit registers the determination result input from the user who confirmed the presented confirmation information in the test status information.
A security operation support system characterized by this. A first application having a function in which the patch collection unit has a function to be affected by a patch program obtained from a provider by using the influence range information that stores the relationship between the patch program and the function of the application affected by the patch program. Identify and
The test status management unit outputs test status management information indicating the result of the pre-verification test of the second application for the function that is dependent on the affected function of the specified application.
The analysis unit calculates the similarity between the functions of the first application and the functions of the second application.
The analysis unit presents confirmation information for determining the necessity of the pre-verification test for an application whose calculated similarity satisfies a predetermined condition.
The analysis unit registers the determination result including the necessity of the pre-verification test for the first application determined based on the presentation in the test status information.
A security operation support method characterized by this. The security operation support method according to claim 7.
The analysis unit determines whether or not the match rate between the function of the first application and the function of the second application is equal to or higher than a certain threshold value, and determines an application in which the match rate is equal to or higher than a certain threshold value. It is determined that the application satisfies the predetermined degree of similarity, and the confirmation information is presented.
A security operation support method characterized by this. The security operation support method according to claim 8.
When the analysis unit determines that the match rate is equal to or higher than the threshold value, the analysis unit uses the application characteristic information in which the application and the characteristics of the application are associated with each other to match the first application and the second application. The characteristics of the above are included in the confirmation information and presented.
A security operation support method characterized by this. The security operation support method according to claim 8.
As the confirmation information, the analysis unit performs the pre-verification test for the first application based on the pre-verification result when the pre-verification result of the application whose similarity satisfies a predetermined condition satisfies a certain condition. Output the response policy,
A security operation support method characterized by this. The security operation support method according to claim 8.
As the confirmation information, the analysis unit has a policy for responding to the predetermined pre-verification test for the first application when the pre-verification result of the application whose similarity satisfies a predetermined condition satisfies a certain condition. To output,
A security operation support method characterized by this. The security operation support method according to claim 7.
The analysis unit registers the determination result input from the user who confirmed the presented confirmation information in the test status information.
A security operation support method characterized by this.

Images