Software Protection as a Risk Analysis Process
arXiv - CS - Software Engineering. Pub Date: 2020-11-14, DOI: arxiv-2011.07269
Daniele Canavese, Leonardo Regano, Cataldo Basile, Bart Coppens, Bjorn De Sutter

Recent years have seen an increase in Man-at-the-End (MATE) attacks against software applications, both in number and in severity. However, MATE software protections are dominated by fuzzy concepts and techniques, and security-through-obscurity is omnipresent in this field. In this paper, we present a rationale for adopting and standardizing the protection of software as a risk management process according to the NIST SP800-39 approach. We examine the relevant aspects of formalizing and automating the risk management activities, to instigate the actions necessary for adoption. We highlight the open issues that the research community has to address. We discuss the benefits that such an approach can bring to all stakeholders, from software developers to protection designers, and to the security of all citizens. In addition, we present a Proof of Concept (PoC) of a decision support system that automates the risk analysis methodology for the protection of software applications. Despite being in an embryonic stage, the PoC proved during validation with industry experts that several aspects of the risk management process can already be formalized and that it is an excellent starting point for building an industrial-grade decision support system.

Updated: 2020-11-17