Share interests, spread happiness, broaden knowledge, and leave good memories behind.
Dear reader, this is LearningYard Academy!
Today the editor brings you the basics of the software supply chain.
Welcome!
1 Content summary
Today the editor interprets and shares the basics of the software supply chain in three sections: mind map, intensive reading, and knowledge supplement.
2 Mind map
3 Intensive reading
For this issue the editor read a range of articles on the software supply chain to understand how it is composed and how it operates, and to gather ideas for the modelling work in later articles. The first is an original article published on the Freebuf platform. The author opens with the way software is commonly developed today: to cut cost and speed up delivery, most developers build on third-party open-source components and libraries. That reduces how much of the software an enterprise actually controls, and so increases its risk.
The author then introduces the basic concept. A software supply chain resembles the supply chain of a manufactured product: it involves many developers and teams and consists of many steps and processes. The author defines the software supply chain as the components involved in developing the software, the development process, and the path by which the result is put into production and the final product is distributed.
Software is assembled from many components, and some of what it depends on is not produced by the in-house team: hardware and infrastructure, the operating system, drivers, compilers, and so on. Open-source scripts, packaged software, and code repositories are numerous and varied and lack a unified standard, which makes their security risk comparatively high. The supply chain also includes people outside the company, which adds further to the risk.
With so many components and teams involved, how can the supply chain be managed so that it stays secure? The author's first suggestion is to write a software bill of materials (SBOM) listing the third-party components in the code. This makes the software's contents visible and helps establish trust with customers.
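The following is an added example of what such a bill of materials looks like in practice; it is not code from the Freebuf article or from LearningYard. It reads a pinned requirements file, emits a minimal CycloneDX-style JSON SBOM with a package URL (purl) per component, and then does the thing an SBOM is for: matching the listed components against an advisory feed. The requirements text, the package name `legacy-importer`, and the advisory entries are all constructed for illustration and are not real vulnerability data.

```python
"""Minimal software bill of materials (SBOM) for a pinned Python dependency set.

Added example, not code from the Freebuf article or from LearningYard. The
requirements text, the package names and the advisory entries are constructed
for illustration; the SBOM layout follows CycloneDX JSON (bomFormat,
specVersion, components[].purl)."""
import json
import re
from typing import Dict, List, Set

# Constructed sample: a pinned requirements file as a build job would read it.
SAMPLE_REQUIREMENTS = """\
# application dependencies (constructed sample)
requests==2.31.0
legacy-importer==0.9.3   # hypothetical package name
jinja2==3.1.2
"""

# Constructed advisory feed: package -> affected versions (hypothetical data,
# not real CVE records).
SAMPLE_ADVISORIES: Dict[str, Set[str]] = {
    "legacy-importer": {"0.9.3"},
}

# Accept only exact pins; anything else is an unknown component and is refused.
REQ_LINE = re.compile(r"^([A-Za-z0-9][A-Za-z0-9_.\-]*)==([A-Za-z0-9_.+!\-]+)$")


def parse_requirements(text: str) -> List[Dict[str, str]]:
    """Return [{'name', 'version'}] for each 'name==version' line.

    Comments and blank lines are skipped; an unpinned line (e.g. 'foo>=1.0')
    raises, because an SBOM that cannot name an exact version is not useful."""
    components = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        m = REQ_LINE.match(line)
        if not m:
            raise ValueError(f"unpinned or unparsable requirement: {raw!r}")
        components.append({"name": m.group(1).lower(), "version": m.group(2)})
    return components


def build_sbom(components: List[Dict[str, str]]) -> Dict:
    """Emit a CycloneDX 1.5-style JSON document with a purl per component."""
    return {
        "bomFormat": "CycloneDX",
        "specVersion": "1.5",
        "version": 1,
        "components": [
            {
                "type": "library",
                "name": c["name"],
                "version": c["version"],
                "purl": f"pkg:pypi/{c['name']}@{c['version']}",
            }
            for c in components
        ],
    }


def find_affected(sbom: Dict, advisories: Dict[str, Set[str]]) -> List[str]:
    """Return the purls of SBOM components listed as affected in the advisories."""
    return [
        c["purl"]
        for c in sbom["components"]
        if c["version"] in advisories.get(c["name"], set())
    ]


if __name__ == "__main__":
    sbom = build_sbom(parse_requirements(SAMPLE_REQUIREMENTS))
    print(json.dumps(sbom, indent=2))
    print("affected components:", find_affected(sbom, SAMPLE_ADVISORIES))
```

The parser deliberately refuses version ranges: a bill of materials that says "some version of X" cannot be matched against an advisory, so the pin is a precondition for the visibility the author is after. In a real pipeline the SBOM would be generated from the lockfile or the built artifact rather than from a hand-written requirements file, and the advisory lookup would query a vulnerability database by purl.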
The second suggestion is information access management and data governance, to prevent data leaks and the loss of sensitive information. Companies today are trying to remove the barriers between teams in the development process and integrate workflows across teams, which makes managing information and data more important still.
The author notes that, compared with earlier supply chain attacks, today's attacks increasingly target open-source tools. Many open-source projects push updates and patches to users frequently, for security fixes or new functionality. Attackers inject malicious code into these widely used open-source projects, the code is distributed along with the updates and patches, and it ends up affecting downstream end users.
Many companies release new security patches on a regular monthly schedule. By compromising the update process and planting malicious code in these patches, an attacker can obtain broad access to the systems that install them and steal developers' sensitive information. The use of open-source components and tools raises the risk the software supply chain faces, and how to manage that risk better is a question that needs attention.
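The standard control against an update being swapped for a tampered one is to pin each dependency to the hash of a copy that was actually reviewed, and to refuse anything that does not match. The block below is an added example, not code from the Freebuf article or from LearningYard: it records a pin at review time and verifies a downloaded artifact against it at install time. The artifact bytes, the package name `examplelib`, and the lockfile are constructed inline; the `--hash=sha256:` line format mirrors the convention pip uses with `--require-hashes`.

```python
"""Reject a dependency update whose content does not match a pinned hash.

Added example, not code from the Freebuf article or from LearningYard. The
artifact bytes, the package name and the lockfile are constructed inline; the
'--hash=sha256:' line format mirrors pip's --require-hashes convention."""
import hashlib
import hmac
from typing import Dict


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def record_pin(requirement: str, reviewed_bytes: bytes) -> str:
    """Review-time step: produce the lockfile line from a copy that was inspected."""
    return f"{requirement} --hash=sha256:{sha256_hex(reviewed_bytes)}"


def parse_lockfile(text: str) -> Dict[str, str]:
    """Map 'name==version' -> expected sha256 hex digest."""
    pins: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split()
        digests = [p[len("--hash=sha256:"):] for p in parts[1:]
                   if p.startswith("--hash=sha256:")]
        if len(digests) != 1:
            raise ValueError(f"{parts[0]}: expected exactly one sha256 pin")
        pins[parts[0]] = digests[0].lower()
    return pins


def verify_artifact(requirement: str, data: bytes, pins: Dict[str, str]) -> bool:
    """Install-time step: True only if the requirement is pinned and the digest matches.

    An unpinned requirement is refused rather than trusted, and the comparison is
    constant-time so the check itself does not leak which bytes differ."""
    expected = pins.get(requirement)
    if expected is None:
        return False
    return hmac.compare_digest(sha256_hex(data), expected)


# Constructed artifacts: the bytes reviewed at pin time, and the same artifact
# with content appended after the pin was recorded (simulating a tampered update).
REVIEWED_ARTIFACT = b"def helper():\n    return 42\n"
TAMPERED_ARTIFACT = REVIEWED_ARTIFACT + b"# content appended after review\n"

# Constructed lockfile, generated from the reviewed copy.
LOCKFILE = "# constructed lockfile\n" + record_pin("examplelib==1.4.0", REVIEWED_ARTIFACT) + "\n"


if __name__ == "__main__":
    pins = parse_lockfile(LOCKFILE)
    for label, blob in (("reviewed", REVIEWED_ARTIFACT), ("tampered", TAMPERED_ARTIFACT)):
        ok = verify_artifact("examplelib==1.4.0", blob, pins)
        print(f"{label}: {'install' if ok else 'REJECT'}")
    unpinned = verify_artifact("otherlib==1.0.0", REVIEWED_ARTIFACT, pins)
    print("unpinned:", "install" if unpinned else "REJECT")
```

The caveat a practitioner should keep in mind: a hash pin only detects changes made after the pin was recorded. In the scenario the paragraph describes, where the malicious code is in the upstream project's own release, the published artifact and its hash agree, so the pin would be taken from a poisoned copy. Hash pinning therefore has to be paired with review of each new version before its pin is updated, and the pin change itself should go through the same code review as any other change.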
4 Knowledge supplement
What is a CI/CD pipeline?
CI stands for continuous integration: code is merged into the main branch frequently, and every merge is verified by an automated build so that integration errors surface as early as possible. The aim is fast iteration without giving up quality.
CD stands for continuous delivery: new versions of the software are handed to the quality team or to users frequently for review, and once a version passes review it moves to production. Continuous delivery can be seen as the step after continuous integration; it emphasizes that, whatever has changed, the software is always in a deliverable state. (CD is also used for continuous deployment, where promotion to production is automatic rather than gated on a review.)
With a CI/CD pipeline, software moves forward through check-in, testing, build and deployment to production inside the pipeline. Once the pipeline is in place, part or all of it can be automated, which speeds up development and reduces errors. Because the pipeline builds and ships the artifact, it is itself a link in the supply chain described above, and its credentials and build steps deserve the same access controls as the code.
That's all for today.
If you have your own thoughts on today's article,
please leave us a message.
Let's meet again tomorrow,
and have a happy day!
References:
Translation: ChatGPT 4
Text:
https://www.freebuf.com/articles/web/336444.html
https://cloud.tencent.com/developer/article/1888577
https://blog.csdn.net/wz_coming/article/details/115478903
This article was compiled and published by LearningYard Academy; if it infringes any rights, please leave a message in the backend.
Copy | 姜瘋雨火
Layout | 姜瘋雨火
Review | zy