Recent years have seen an increase in Man-at-the-End (MATE) attacks against software applications, both in number and severity. However, software protection, which aims at mitigating MATE attacks, is dominated by fuzzy concepts and security-through-obscurity. This paper presents a rationale for adopting and standardizing the protection of software as a risk management process according to the NIST SP800-39 approach. We examine the relevant constructs, models, and methods needed for formalizing and automating the activities in this process in the context of MATE software protection. We highlight the open issues that the research community still has to address. We discuss the benefits that such an approach can bring to all stakeholders. In addition, we present a Proof of Concept (PoC) decision support system that instantiates many of the discussed constructs, models, and methods and automates many activities in the risk analysis methodology for the protection of software. Despite being a prototype, the PoC's validation with industry experts indicated that several aspects of the proposed risk management process can already be formalized and automated with our existing toolbox and that it can actually assist decision-making in industrially relevant settings.