IT Security (Bezopasnost' informatsionnykh tekhnologiy), Sep 2019
A systematics of information security measures for software supply chains
Abstract
This paper presents the results of systematizing the measures that protect information resources from attacks on the supply chain of software and computer systems. It describes the phenomenon of supply chain attacks, the relevance of protecting IT product supply chains, and the topics most discussed in that area. Statistics on borrowed (third-party) components in software products and software systems are given, together with examples of computer attacks on the resources and processes of the software supply chain. The existing terminology in the field of software supply chain security is analysed, and the distinguishing features of the terms "supply chain" and "supply chain attack" are formulated. Existing models of information security threats arising from computer attacks on the software supply chain are analysed, and the limitations of these threat models are identified. Measures for protecting information from such threats are reviewed and systematized, and the known regulatory and methodological documents on IT product supply chains are considered. The paper concludes that the Russian legislative and regulatory framework for information security needs to be developed with respect to software supply chains. A version of a systematics of information security measures across the life cycle of software delivery for information systems is proposed, with classification criteria such as the controls applied, the information security methods used, and the phase of the software development process. Finally, possible directions for improving the protection of information from computer attacks on the software supply chain, in both the national and the international information security context, are formulated.
Keywords