Recent years have seen an increase in Man-at-the-End (MATE) attacks against software applications, both in number and in severity. However, MATE software protections are dominated by fuzzy concepts and techniques, and security-through-obscurity is omnipresent in this field. In this paper, we present a rationale for adopting and standardizing the protection of software as a risk management process according to the NIST SP800-39 approach. We examine the relevant aspects of formalizing and automating the risk management activities, in order to instigate the actions necessary for adoption. We highlight the open issues that the research community has to address. We discuss the benefits that such an approach can bring to all stakeholders, from software developers to protection designers, and to the security of all citizens. In addition, we present a Proof of Concept (PoC) of a decision support system that automates the risk analysis methodology for the protection of software applications. Despite being at an embryonic stage, the PoC showed during validation with industry experts that several aspects of the risk management process can already be formalized and that it is an excellent starting point for building an industrial-grade decision support system.