In the digital age, software has become an indispensable part of people's work and daily life. With the rapid development of the software industry, security problems introduced through the software supply chain are widespread, including programming defects, insecure open-source components and calls to third-party software; as a result, attacks on the software supply chain have increased year by year and grown more serious. Through nearly ten years of dedicated research, QI-ANXIN has developed Software Built-in Security, the QI-ANXIN Software Supply Chain Security Solution, which addresses three scenarios: software supply chain security development, enterprise security management and industry security management. It is an overall solution for analyzing, detecting and responding to the potential hazards of the software supply chain.
The QI-ANXIN software supply chain security solution consists of two major systems: products and services.
1. Product system, which covers three software development scenarios, third-party software calls, open-source software calls and independent software development, so that a "security gene" is built into the entire software development process:
○ The "Tianwen" software space surveying and mapping system conducts in-depth security analysis of software elements for software in binary form, covering desktop software, system programs, IoT firmware, Android apps and other platforms;
○ "QI-ANXIN OSS Security" carries out open-source component identification, analysis and warnings for software in source code form; it can identify more than 45 million open-source software versions and is compatible with multiple vulnerability databases such as NVD, CNNVD and CNVD.
○ "QI-ANXIN Codesafe" carries out code defect analysis, auditing and repair tracking for software in source code form, supports more than 20 programming languages such as C, C++, Swift and Java, and can detect more than 1,600 source code security defects. The tools and platforms above can be operated by users themselves and do not retain the users' source code.
2. Service system, which provides systematic services for software supply chain security assessment, verification and optimization:
○ Software supply chain security assessment services help companies establish an asset account of supply chain components, including a supply chain product list and a supplier list, perform security analysis on the related components, agreements and so on, sort out a list of supply chain security risks and put forward evaluation suggestions.
○ Software supply chain security verification services run in the enterprise's test environment or another simulated environment: professionals authorized by the enterprise use relevant vulnerabilities to conduct real attack tests that verify hidden security risks in the software supply chain. Crowdsourced software supply chain security testing is also offered, drawing on the power of "white hats" to help enterprises uncover software supply chain security risks.
○ Software supply chain security optimization services help companies keep track of public vulnerabilities in the related third-party software and open-source components, so that they stay abreast of the latest vulnerability information, and help complete the repair of the related vulnerabilities.
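The component identification and vulnerability matching that the OSS Security product and the optimization service above describe reduce, at their core, to one operation: look each inventoried open-source component up against an advisory feed and decide whether its version falls in an affected range. The block below is an added example of that operation written for this page; it is not QI-ANXIN code and says nothing about how their tools work internally. Every component, package name and advisory identifier in it is a constructed placeholder, and the range model (first affected version inclusive, first fixed version exclusive, as the OSV schema uses) is an assumption.

```python
"""Minimal software-composition-analysis (SCA) check: match an inventory of
open-source components against a vulnerability feed.

Constructed example. Package names and advisory ids are placeholders, not
real packages or advisories; the range model follows OSV-style events
(introduced = first affected version, fixed = first clean version).
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Component:
    ecosystem: str   # "PyPI", "npm", "Maven", ...
    name: str
    version: str


@dataclass(frozen=True)
class Advisory:
    advisory_id: str
    ecosystem: str
    package: str
    introduced: str          # first affected version (inclusive)
    fixed: Optional[str]     # first fixed version (exclusive); None = no fix yet


@dataclass(frozen=True)
class Finding:
    component: Component
    advisory_id: str
    fixed: Optional[str]


def normalize_name(ecosystem: str, name: str) -> str:
    """Canonical package name, so 'Example_Lib' and 'example.lib' match.

    PyPI names are case-insensitive and treat runs of '-', '_' and '.' as
    equivalent (PEP 503); other ecosystems here are only lower-cased.
    """
    n = name.strip().lower()
    if ecosystem == "PyPI":
        n = re.sub(r"[-_.]+", "-", n)
    return n


def parse_version(v: str) -> Tuple[int, ...]:
    """'1.2.10' -> (1, 2, 10). Numeric, so 1.2.10 sorts after 1.2.9;
    a string compare would put '1.2.10' before '1.2.9' and produce a
    false positive. Non-numeric suffixes ('3rc1') are truncated to digits."""
    parts = []
    for piece in v.split("."):
        m = re.match(r"\d+", piece)
        parts.append(int(m.group()) if m else 0)
    return tuple(parts)


def version_lt(a: str, b: str) -> bool:
    """a < b after padding to equal length, so '3.0' == '3.0.0'."""
    pa, pb = parse_version(a), parse_version(b)
    width = max(len(pa), len(pb))
    return pa + (0,) * (width - len(pa)) < pb + (0,) * (width - len(pb))


def is_affected(version: str, adv: Advisory) -> bool:
    if version_lt(version, adv.introduced):
        return False
    if adv.fixed is None:          # no fix published: everything from 'introduced' on is affected
        return True
    return version_lt(version, adv.fixed)


def scan(components: List[Component], advisories: List[Advisory]) -> List[Finding]:
    """Index advisories by (ecosystem, canonical name) and test each component."""
    index: Dict[Tuple[str, str], List[Advisory]] = {}
    for adv in advisories:
        key = (adv.ecosystem, normalize_name(adv.ecosystem, adv.package))
        index.setdefault(key, []).append(adv)
    findings = []
    for c in components:
        for adv in index.get((c.ecosystem, normalize_name(c.ecosystem, c.name)), []):
            if is_affected(c.version, adv):
                findings.append(Finding(c, adv.advisory_id, adv.fixed))
    return findings


# Constructed inventory and feed (placeholders, not real data).
SAMPLE_COMPONENTS = [
    Component("PyPI", "Example_Lib", "1.2.10"),   # clean: 1.2.10 >= fix 1.2.9
    Component("PyPI", "example-lib", "1.2.8"),    # affected
    Component("npm", "example-lib", "1.2.8"),     # same name, other ecosystem: no advisory
    Component("PyPI", "other-lib", "3.0"),        # affected, no fix yet
]
SAMPLE_ADVISORIES = [
    Advisory("EXAMPLE-2024-0001", "PyPI", "example.lib", "1.0.0", "1.2.9"),
    Advisory("EXAMPLE-2024-0002", "PyPI", "other-lib", "3.0.0", None),
]

if __name__ == "__main__":
    for f in scan(SAMPLE_COMPONENTS, SAMPLE_ADVISORIES):
        fix = f.fixed or "no fix yet"
        print(f"{f.component.ecosystem}:{f.component.name}@{f.component.version}"
              f" -> {f.advisory_id} (fixed in {fix})")
```

The two cases worth noticing are the ones a naive implementation gets wrong: the first component is reported clean only because versions are compared numerically (a plain string compare ranks "1.2.10" below "1.2.9" and would raise a false alarm), and the npm component is not matched even though its name is identical, because the lookup key includes the ecosystem. In a real pipeline the inventory would come from a lockfile or an SBOM and the feed from NVD, CNVD or OSV, and version handling would need the ecosystem's own rules (PEP 440, semver, Maven) rather than this dotted-integer approximation.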
This solution is suitable for major application scenarios such as software supply chain security development, enterprise security management and industry security management.
○ It helps software developers eliminate, in a timely manner during development, the security risks arising from third-party software calls, open-source software calls and independent development, curbing security incidents at the source;
○ It helps enterprise security managers continuously evaluate software supply chain security risks and propose targeted repair suggestions;
○ It helps industry management departments monitor the software supply chain security situation, assess the impact of unexpected software supply chain security defects and attack events promptly and accurately, and achieve early warning and rapid disposal.
This solution has been applied at more than 300 institutions in government, finance, energy, transportation and other industries, such as the General Administration of Customs, Bank of Communications, the General Administration of Civil Aviation and PetroChina. It has tested more than 300,000 projects for customers, involving more than 10 billion lines of code, and discovered more than 20 million security defects. Based on this solution, QI-ANXIN carried out China's largest public-welfare program of open-source software and source code security testing, in which more than 2,200 open-source software packages were tested cumulatively. QI-ANXIN also supported the formulation of 1 national standard and 3 industry standards, which play an important role in standardizing secure software programming, source code security auditing and so on. The solution has discovered major security vulnerabilities in widely used software such as operating systems and browsers.
Copyright © World Internet Conference. All rights Reserved
Presented by China Daily. 京ICP备13028878号-23