Software Supply Chain Management and SBOM Trends

  • W.O. Ryoo (Open Source Center) ;
  • S.M. Park (Open Source Center) ;
  • S.Y. Lee (Open Source Center)
  • Published: 2023.08.01

Abstract

The increased adoption of open source security management in supply chains is gaining worldwide attention. In particular, as security threats such as SolarWinds, the Kaseya ransomware, and the Log4j vulnerability become more common in supply chains using software (SW)-defined networks, SW bills of materials (SBOMs) for SW products should be prepared to protect major countries like the United States. An SBOM provides SW component information and is expected to become a requirement for SW supply chain management. We focus on SW supply chain management policies and SBOM trends in major countries and private organizations worldwide for safe SW use, and determine the current status of open source SW supply chain management trends in Korea and at ETRI.

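Project Information

This research was conducted as part of an internal research project of the Electronics and Telecommunications Research Institute (ETRI) [23YF1100, Establishment of an ETRI open source R&D response framework to strengthen the open ICT R&D ecosystem].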
