WEKO3
アイテム
Proposal of Vulnerability Assessment Tool for Software Supply Chain Security
https://ipsj.ixsq.nii.ac.jp/records/231553
https://ipsj.ixsq.nii.ac.jp/records/23155366aeb034-2be1-44e6-b410-55a05037327c
| 名前 / ファイル | ライセンス | アクション |
|---|---|---|
IPSJ-JNL6412011.pdf (1.9 MB)
2025年12月15日からダウンロード可能です。
|
Copyright (c) 2023 by the Information Processing Society of Japan
|
|
| 非会員:¥0, IPSJ:学会員:¥0, 論文誌:会員:¥0, DLIB:会員:¥0 | ||
| Item type | Journal(1) | |||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| 公開日 | 2023-12-15 | |||||||||||||||
| タイトル | ||||||||||||||||
| タイトル | Proposal of Vulnerability Assessment Tool for Software Supply Chain Security | |||||||||||||||
| タイトル | ||||||||||||||||
| 言語 | en | |||||||||||||||
| タイトル | Proposal of Vulnerability Assessment Tool for Software Supply Chain Security | |||||||||||||||
| 言語 | ||||||||||||||||
| 言語 | eng | |||||||||||||||
| キーワード | ||||||||||||||||
| 主題Scheme | Other | |||||||||||||||
| 主題 | [特集:次世代デジタルプラットフォームにおける情報流通を支えるセキュリティとトラスト] vulnerability assessment, SBOM, software supply chain security, related products, knowledge graph | |||||||||||||||
| 資源タイプ | ||||||||||||||||
| 資源タイプ識別子 | http://purl.org/coar/resource_type/c_6501 | |||||||||||||||
| 資源タイプ | journal article | |||||||||||||||
| 著者所属 | ||||||||||||||||
| Hitachi Ltd. | ||||||||||||||||
| 著者所属 | ||||||||||||||||
| Hitachi Ltd. | ||||||||||||||||
| 著者所属 | ||||||||||||||||
| Hitachi Ltd. | ||||||||||||||||
| 著者所属 | ||||||||||||||||
| Hitachi Ltd. | ||||||||||||||||
| 著者所属 | ||||||||||||||||
| Hitachi Ltd. | ||||||||||||||||
| 著者所属(英) | ||||||||||||||||
| en | ||||||||||||||||
| Hitachi Ltd. | ||||||||||||||||
| 著者所属(英) | ||||||||||||||||
| en | ||||||||||||||||
| Hitachi Ltd. | ||||||||||||||||
| 著者所属(英) | ||||||||||||||||
| en | ||||||||||||||||
| Hitachi Ltd. | ||||||||||||||||
| 著者所属(英) | ||||||||||||||||
| en | ||||||||||||||||
| Hitachi Ltd. | ||||||||||||||||
| 著者所属(英) | ||||||||||||||||
| en | ||||||||||||||||
| Hitachi Ltd. | ||||||||||||||||
| 著者名 |
Rajulapati, Shourya
× Rajulapati, Shourya
× Yoko, Kumagai
× Ashokkumar, C
× Hiroki, Yamazaki
× Hirofumi, Nakakoji
|
|||||||||||||||
| 著者名(英) |
Rajulapati, Shourya
× Rajulapati, Shourya
× Yoko, Kumagai
× Ashokkumar, C
× Hiroki, Yamazaki
× Hirofumi, Nakakoji
|
|||||||||||||||
| 論文抄録 | ||||||||||||||||
| 内容記述タイプ | Other | |||||||||||||||
| 内容記述 | Software supply chain attacks have become more prevalent due to attacker's higher skills and sophisticated attack methods. These attacks can go unnoticed for a long time and cause widespread damage. Therefore, monitoring all software products in the supply chain to detect these attacks is crucial. However, the software supply chain is complex, and tracking suspicious changes to third-party products, services, and libraries used to build software products can be challenging. This makes it difficult for developers to identify and confirm vulnerabilities in the software. Even one vulnerable file in the supply chain can have severe consequences if exploited, so regular vulnerability checks are necessary to keep software products safe. To address this issue, we propose a Vulnerability Assessment Tool that identifies newly found vulnerabilities from public databases and efficiently checks them in existing internal products. Our method uses a two-step process. The first step is estimating related products and directly affected products for a given CVE ID. The second step is a detailed check of the vulnerabilities in the system based on the results estimated in Step 1. This assessment method reduces the time the PSIRT Analyst requires to assess the vulnerabilities. ------------------------------ This is a preprint of an article intended for publication Journal of Information Processing(JIP). This preprint should not be cited. This article should be cited as: Journal of Information Processing Vol.31(2023) (online) DOI http://dx.doi.org/10.2197/ipsjjip.31.842 ------------------------------ |
|||||||||||||||
| 論文抄録(英) | ||||||||||||||||
| 内容記述タイプ | Other | |||||||||||||||
| 内容記述 | Software supply chain attacks have become more prevalent due to attacker's higher skills and sophisticated attack methods. These attacks can go unnoticed for a long time and cause widespread damage. Therefore, monitoring all software products in the supply chain to detect these attacks is crucial. However, the software supply chain is complex, and tracking suspicious changes to third-party products, services, and libraries used to build software products can be challenging. This makes it difficult for developers to identify and confirm vulnerabilities in the software. Even one vulnerable file in the supply chain can have severe consequences if exploited, so regular vulnerability checks are necessary to keep software products safe. To address this issue, we propose a Vulnerability Assessment Tool that identifies newly found vulnerabilities from public databases and efficiently checks them in existing internal products. Our method uses a two-step process. The first step is estimating related products and directly affected products for a given CVE ID. The second step is a detailed check of the vulnerabilities in the system based on the results estimated in Step 1. This assessment method reduces the time the PSIRT Analyst requires to assess the vulnerabilities. ------------------------------ This is a preprint of an article intended for publication Journal of Information Processing(JIP). This preprint should not be cited. This article should be cited as: Journal of Information Processing Vol.31(2023) (online) DOI http://dx.doi.org/10.2197/ipsjjip.31.842 ------------------------------ |
|||||||||||||||
| 書誌レコードID | ||||||||||||||||
| 収録物識別子タイプ | NCID | |||||||||||||||
| 収録物識別子 | AN00116647 | |||||||||||||||
| 書誌情報 |
情報処理学会論文誌 巻 64, 号 12, 発行日 2023-12-15 |
|||||||||||||||
| ISSN | ||||||||||||||||
| 収録物識別子タイプ | ISSN | |||||||||||||||
| 収録物識別子 | 1882-7764 | |||||||||||||||
| 公開者 | ||||||||||||||||
| 言語 | ja | |||||||||||||||
| 出版者 | 情報処理学会 | |||||||||||||||
