In recent years, from the Prism event to XcodeGhost, from the HP-driven keylogging backdoor event, to the Xshell backdoor, python pip source deceptive pollution, and VSCODE plug-in phishing. Software supply chain security incidents not only occur frequently, but also have the characteristics of many types of threat objects, extreme concealment, wide latitude, low attack cost and high return, and difficulty in detection.
In response to this, Alibaba Security announced the official launch of the "Gongshoudao" Alibaba Software Supply Chain Security Competition . The official website of this event ( https://softsec.security.alibaba.com/index.html ) is also launched simultaneously, and the registration entry will be opened in the near future.
According to Hunter, who is in charge of the event and a senior security expert from Alibaba, the purpose of this competition is to "meet friends through martial arts and learn from both offense and defense" to promote the development of software supply chain security technology. Through "checking for deficiencies and filling leaks, eliminating gaps and preventing micro-organisms", the security of the software supply chain is guaranteed; "scratching the cocoons, tracing the sea of code", discovering the security problems of the software supply chain.
As we all know, in the current rapid development process of the security industry, there are some "weird status quo" that need to be solved urgently. For example, the industry generally pays attention to "offense" and ignores "defense", resulting in an extreme shortage of defensive talents, which in turn makes the offense and defense unbalanced. For another example, the industry generally attaches great importance to "human flesh", while despising "automation", so that a lot of security work is low-level and repetitive, and the efficiency is very low. In addition, in the security industry, there is still a focus on "offensive and defensive" and despise "data"; emphasis on "single point, destruction", despise "system and construction"; emphasis on "technology", despise "business"; emphasis on "reverse capability", despise A series of questions such as "positive ability".
Hunter said that the Alibaba Software Supply Chain Security Competition is based on "truly trying to solve the above-mentioned industry pain points and improve the security industry's protection capabilities", and can achieve the precipitation of security capabilities. The competition also has great innovations in the competition system. All kinds of characters wrestle on the same stage, triggering fierce ability confrontation.
It is reported that the registration period for the Alibaba Software Supply Chain Security Competition is from February to March 2018 ; the software supply chain security test competition will be held from March to April 2018, the sub-station competition will be held from April to September, and the total competition will be held in October. final .
In order to attract more outstanding contestants, this competition provides up to 1.5 million yuan in prize money. Whether it is from a company, a university, or a research group, everyone can participate, and whether it is a team or "single-handed", everyone can participate.
"This is a feast of offense and defense confrontation of automated software supply chain security risk point detection," Hunter concluded.