Murphy Security attended the Information and Communication Software Supply Chain Security Community member meeting and won the Independent Research and Development Innovation Achievement Award

On February 16, 2023, the first ICT Software Supply Chain Security Governance Forum and the second member meeting of the Information and Communication Software Supply Chain Security Community were held in Beijing. Murphy Security attended and shared with the audience its outlook on the sustainable development of the software supply chain security governance industry.

During the conference, the Software Supply Chain Security Management Platform independently developed by Murphy Security received the Independent Research and Development Innovation Achievement Award. In the afternoon, Murphy Security assisted China Mobile in holding the sub-forum "Promoting Standard System Construction and Evaluation to Ensure the Safety and Credibility of the Software Supply Chain", which was well received by the attending representatives.

Conference awards

An award ceremony was held at the conference, at which Murphy Security's Software Supply Chain Security Management Platform won the Independent Research and Development Innovation Achievement Award.

On the afternoon of the same day, Murphy Security assisted China Mobile in organizing the sub-forum "Promoting the Construction and Evaluation of a Standard System to Ensure the Safety and Credibility of the Software Supply Chain", where it presented the talk "Application of Supply Chain Vulnerability and Poisoning Intelligence in Compliance Scenarios". Taking the national standard "Information Security Technology - Software Supply Chain Security Requirements" (whose draft for comments was released in 2022) as its basis, the talk analyzed the risks of vulnerability exploitation and software backdoor implantation, and showed how intelligence can improve risk response capability and help enterprises meet compliance and regulatory requirements.

"Information Security Technology - Software Supply Chain Security Requirements" may become the baseline for future software supply chain security compliance. It lists 10 categories of risk, of which vulnerability exploitation and software backdoor implantation deserve particular attention. From the software supply chain perspective, open source components a product depends on, open source applications it deploys, and commercial software it uses are the three typical ways the vulnerability exploitation risk is introduced. The standard subdivides the backdoor implantation risk into backdoors reserved by the supplier and backdoors maliciously implanted by an attacker. Historically, supplier-reserved backdoors in software products have involved a large number of communications-industry devices such as routers and firewalls; on the malicious implantation side, 2022 still saw incidents in which malicious logic was added to popular npm components such as faker.js and node-ipc.

The standard's requirements for these risks are:

Fix or mitigate vulnerabilities in open source software and third-party components

  • The purchaser shall require the supplier to commit that the open source software and third-party components used contain no unfixed disclosed vulnerabilities, or, where unfixed disclosed vulnerabilities remain but remedial measures exist after evaluation, to provide a corresponding security analysis report;

Do not install backdoors in software products

  • The purchaser shall require the supplier not to set up backdoors in software products or use the software product's privileged position to illegally obtain user data or control and manipulate user systems and equipment; the supplier shall not exploit the user's dependence on the software product to seek illegitimate benefits, and shall not upgrade or update software products under specific conditions;

Carry out testing and evaluation

  • The purchaser should specify requirements for testing and evaluating the functions, performance, and security risks of software products or services, define the scope of testing and evaluation (including but not limited to software asset identification, vulnerabilities, backdoors, and penetration testing), and specify the qualifications required of third-party testing organizations;

Continuous monitoring to detect risks in time

  • The supplier and purchaser should, as agreed, establish a regular risk monitoring mechanism to promptly discover and handle supply continuity risks such as software discontinuation, licensing, and product upgrades; technical security risks such as vulnerabilities and backdoors; and data security risks such as information leakage and data tampering;

Against these risks, intelligence data, represented by vulnerability intelligence and poisoning intelligence, lets enterprises build three typical control capabilities: access control and blocking before a component is introduced, detection and repair while it is being introduced, and risk monitoring and disposal after it has been introduced.

Building vulnerability and poisoning intelligence still faces many challenges: public vulnerability databases are incomplete and of uneven quality, and there is no public data source for poisoning intelligence at all.

Murphy Security continues to build its vulnerability and poisoning intelligence capabilities. Through a self-built vulnerability database and poisoning intelligence mining, it provides effective intelligence that helps companies screen risks and monitor continuously, improves the operational efficiency of security engineers, and supports software supply chain security compliance governance.

In the afternoon, at the telecom sub-forum "Building a Supply Chain Evaluation System to Address Security Threats and Challenges", Che Zhiyuan, co-founder and product manager of Murphy Security, presented "Software Supply Chain Security Technology for High-Precision Detection and Automatic Repair Covering All File Objects".

The talk covered the key technical capabilities an enterprise relies on when managing software supply chain security risk on the basis of an SBOM: coverage of all file-type objects, high-precision detection, and automatic repair:

  • Coverage of all file-type objects addresses the variety of software in a complex supply chain: the difficulties and techniques of source-code SBOM analysis, and the difficulties, techniques and application scenarios of binary SBOM analysis.
  • High-precision detection addresses false negatives and false positives in risk detection: the accuracy of the vulnerability knowledge base, its difficulties and techniques, and real-risk assessment of code vulnerabilities in business scenarios.
  • Automatic repair addresses the high cost of fixing risks: compatibility problems of version upgrades, code patch generation, and vulnerability repair in binary files.

It described in detail the application scenarios and pain-point solutions of the SBOM key technologies that software supply chain security governance relies on, and offered enterprises construction ideas for implementing risk governance.
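As an added example (not Murphy Security's platform code, and not taken from the standard), the following Python script ties together the three control points from the intelligence section above (block before introduction, fix during introduction, monitor after introduction) and the SBOM-based screening described in this talk: it reads a CycloneDX-style SBOM, matches each component's package URL against an intelligence feed that carries both vulnerability and poisoning entries, and emits a gate decision. The SBOM, the feed, the package names, the finding IDs and the versions are all constructed placeholders; the purl and version parsing are simplified assumptions, not a real implementation of either specification.

```python
"""SBOM gate: match components against vulnerability/poisoning intelligence.

Added example, not Murphy Security's code. The SBOM and intelligence feed
below are constructed sample data; the package names and finding IDs are
placeholders, not real packages or advisories.
"""
import json
import re
from urllib.parse import unquote

# Constructed CycloneDX-style SBOM (sample data).
SBOM_JSON = """{
  "bomFormat": "CycloneDX",
  "specVersion": "1.4",
  "components": [
    {"type": "library", "name": "demo-pad",    "version": "1.2.0", "purl": "pkg:npm/demo-pad@1.2.0"},
    {"type": "library", "name": "demo-logger", "version": "2.0.1", "purl": "pkg:npm/demo-logger@2.0.1"},
    {"type": "library", "name": "demo-yaml",   "version": "3.4.0", "purl": "pkg:npm/demo-yaml@3.4.0"},
    {"type": "library", "name": "demo-http",   "version": "0.9.5", "purl": "pkg:npm/demo-http@0.9.5"}
  ]
}"""

# Constructed intelligence feed (sample data). "affected" is an AND-list of
# version constraints; "fixed" is the first safe version, or None if no fix exists.
INTEL = [
    {"id": "DEMO-VULN-0001", "kind": "vulnerability", "ecosystem": "npm",
     "name": "demo-logger", "affected": ["<2.1.0"], "fixed": "2.1.0"},
    {"id": "DEMO-VULN-0002", "kind": "vulnerability", "ecosystem": "npm",
     "name": "demo-http", "affected": [">=0.9.0", "<1.0.0"], "fixed": None},
    {"id": "DEMO-POISON-0001", "kind": "poisoning", "ecosystem": "npm",
     "name": "demo-yaml", "affected": ["==3.4.0"], "fixed": None},
]

_OPS = {"<": lambda a, b: a < b, "<=": lambda a, b: a <= b, ">": lambda a, b: a > b,
        ">=": lambda a, b: a >= b, "==": lambda a, b: a == b}
_CONSTRAINT = re.compile(r"(<=|>=|==|<|>)\s*([0-9][0-9A-Za-z.\-]*)")


def parse_version(text):
    """Dotted numeric version -> comparable tuple, padded to three parts.
    Assumption: a pre-release suffix after '-' is ignored ('2.1.0-rc1' == '2.1.0')."""
    parts = [int(p) for p in text.split("-", 1)[0].split(".")]
    while len(parts) < 3:
        parts.append(0)
    return tuple(parts)


def version_matches(version, constraints):
    """True if version satisfies every constraint, e.g. ['>=0.9.0', '<1.0.0']."""
    ver = parse_version(version)
    for c in constraints:
        m = _CONSTRAINT.fullmatch(c.strip())
        if not m:
            raise ValueError(f"unsupported constraint: {c!r}")
        op, bound = m.groups()
        if not _OPS[op](ver, parse_version(bound)):
            return False
    return True


def parse_purl(purl):
    """Minimal package-URL parse: pkg:type/[namespace/]name@version.
    Qualifiers (?...) and subpath (#...) are dropped; the namespace stays in the name."""
    if not purl.startswith("pkg:"):
        raise ValueError(f"not a purl: {purl!r}")
    body = purl[4:].split("?", 1)[0].split("#", 1)[0]
    ptype, _, rest = body.partition("/")
    name, sep, version = rest.rpartition("@")
    if not sep:                       # no version pinned in the purl
        name, version = rest, None
    return ptype, unquote(name), version


def assess_component(component, intel):
    """Gate decision for one SBOM component:
    block   - poisoning hit; a poisoned release is refused outright, never auto-upgraded
    fix     - vulnerability with a fixed version available: upgrade before introduction
    monitor - vulnerability without a fix: admit only with an evaluated mitigation, keep watching
    allow   - nothing known"""
    ptype, name, version = parse_purl(component["purl"])
    hits = [e for e in intel
            if e["ecosystem"] == ptype and e["name"] == name
            and version is not None and version_matches(version, e["affected"])]
    fixes = [e["fixed"] for e in hits if e["kind"] == "vulnerability" and e["fixed"]]
    if any(e["kind"] == "poisoning" for e in hits):
        decision = "block"
    elif fixes:
        decision = "fix"
    elif hits:
        decision = "monitor"
    else:
        decision = "allow"
    return {"purl": component["purl"], "decision": decision,
            "findings": [e["id"] for e in hits],
            "upgrade_to": max(fixes, key=parse_version) if decision == "fix" else None}


def gate_sbom(sbom_json, intel):
    """Assess every component; the gate fails if anything must be blocked or fixed.
    Components on the watchlist pass the gate but feed the continuous-monitoring step."""
    sbom = json.loads(sbom_json)
    results = [assess_component(c, intel) for c in sbom.get("components", [])]
    failing = [r for r in results if r["decision"] in ("block", "fix")]
    return {"pass": not failing, "results": results,
            "watchlist": [r["purl"] for r in results if r["decision"] == "monitor"]}


if __name__ == "__main__":
    report = gate_sbom(SBOM_JSON, INTEL)
    for r in report["results"]:
        print(f"{r['decision']:8} {r['purl']}  {r['findings']}  upgrade_to={r['upgrade_to']}")
    print("gate pass:", report["pass"], " watchlist:", report["watchlist"])
```

Run the script to see one component blocked (poisoned version), one requiring an upgrade, one placed on the watchlist, and one allowed; the gate as a whole fails because of the first two. In a real pipeline the feed would be the intelligence source the article describes rather than an inline list, and the watchlist would be re-evaluated whenever the feed changes, which is the "monitoring after introduction" control.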

Throughout the meeting, the Murphy Security exhibition area provided all participants with relevant materials and complete electronic information packages for various industries, and staff introduced the products and answered attendees' questions.

In the future, the community will continue to flourish with the care and support of its guiding unit and the joint efforts of its members. As one of those members, Murphy Security will strive to contribute to the security governance of the software supply chain!

Murphy Security is a technology company providing professional software supply chain security management. Its core team comes from Baidu, Huawei, Wuyun and other companies. The company provides customers with a complete software supply chain security management platform offering full-lifecycle security management built around the SBOM; its capabilities include software composition analysis, source code security management, container image scanning, vulnerability intelligence early warning, and commercial software supply chain access assessment.

Murphy Security provides customers with complete control capabilities spanning supply chain asset identification and management, risk detection, security control, and one-click repair. The product integrates with the tools already in the development process at very low cost, including seamless integration with dozens of tools such as IDEs, GitLab, Bitbucket, Jenkins, Harbor, and Nexus. Murphy Security has served hundreds of enterprise customers, including Ant, Ping An, and Kuaishou.

Official website address: https://www.murphysec.com/

Open source project: https://github.com/murphysecurity/murphysec

Source: my.oschina.net/u/5851526/blog/8147594