Selection Treasure Interview: What kind of information security system is not genetically defective?

EDITORIAL

The security concepts of all current security vendors are wrong!

99% of enterprise security systems carry a defective gene!

These are the two points that Han Bao, Synopsys department head in China and Coverity product line expert, led with in his first exchange with the Selection Treasure editor.

PART1

Q
As a global leader in EDA and IP, why do you want to enter the security market, which is already very crowded? What is your advantage?

Han Bao
In fact, what we have been doing for the past 30 years is ensuring the reliability and safety of hardware chips. The complexity of that is far beyond the current capabilities and needs of the enterprise security market.

Let me give a small example. A 7-nanometer chip, small enough to hold in your hand, may have twenty billion transistors on it, and twenty billion is a very large magnitude.

Q
Ensuring the reliability of twenty billion transistors means what?

Han Bao
It means you need at least twenty billion judgments, or more, before we know it is reliable. The difficulty of this is actually very great. However, we have accumulated a lot of experience on top of this, so in this whole area we are invincible.

Q
What do the ability to ensure chip reliability and the needs of information security have in common?

Han Bao
The corresponding software system is probably twenty billion lines of code, and we want to ensure the safety and reliability of such a complex system. Extracting critical information from large-scale data is one thing we are good at, and this ability is interlinked with the ability that information security requires.

Q
As a CIO or CTO ensuring enterprise information security and service reliability, does one generally not need such complicated supporting capabilities?

Han Bao
Traditionally, the enterprise software projects we understand have been relatively small: 50,000 lines of code, 100,000 lines, a million lines. From our point of view that magnitude is not particularly large; they are all relatively small projects. But we also see two emerging trends in the software industry, and these two trends led us to decide to enter the field of information security.

The first trend is in emerging software technologies, such as artificial intelligence, IoT devices, connected electronics, and new applications in the automotive industry.

This makes entire software systems more and more complex and more and more huge. For example, many of us are holding an Android phone, and the amount of code in an Android phone system may be 80 to 90 million lines. The cars on the road run a variety of entertainment systems and automotive devices, and the code they run may also reach 100 million lines. For such a large-scale and especially complex system, ensuring its safety and reliability is very difficult, but Synopsys is able to take on the task.

The second trend we see is that, in the current state of information explosion, traditional security vendors are becoming increasingly powerless at screening the real threats to information security out of vast amounts of data.

Let me cite a simple example. In 2014 there was a very well-known security incident, one we can say was very significant for the entire information security community: Heartbleed. It affected nearly two-thirds of the world's websites. But can you imagine it? It was Synopsys that found it, not a traditional security vendor.

Q
So, as you said before, the core competency needed to do security is actually to find the dangerous intelligence in the mass of information, to find the vulnerabilities, and the ability you gained on chips carries smoothly over into the security market?

Han Bao
Yes.

In fact, this is like searching for a needle at the bottom of the sea: information is like the sea, surging over you, but how are you going to get the critical information out of it?

In fact, we do this better than traditional security vendors, so for us this is not a smooth transition but a "dimensionality reduction strike."

PART2

Q
When you enter information security, what is your core concept?

Han Bao
This is a good question, because I am often asked it. Traditionally, we understand information security as building a security system with information as the core, but Synopsys believes that this point of view, or this practice, is totally wrong.

Q
I'm sorry, I have to interrupt: if information is not the core of an information security system, what is the core?

Han Bao
Software security is the core.

Q
Software as the core?

Han Bao
Right, software security as the core. In fact, we see that more than 99 percent of teams do not pay attention to software security, yet we believe that software security is the gene of the entire information security system. If software security is ignored,

the information security system you build is defective congenitally, defective from the gene.

Q
Why do you think software security is the gene of the whole of information security?

Han Bao
In fact, I can give you a bucket example. The information security industry is one with a very obvious bucket effect. We compare information to water, and software is the carrier of information, the wall of the bucket. If we want to ensure the water is secure, what would you do? Strengthen the bucket wall, right?

By the same token, information is the water and software is the bucket. Information itself exists and runs inside the software; if there are vulnerabilities in the software, you have no way to ensure that the information is secure.

Q
If software is the core, what does such a security architecture look like?

Han Bao
In fact, Synopsys has done a lot of investigation and research in this area, and after investigation we completely redefined software security into two parts. The first part is security and quality assurance across the whole software development life cycle. The second part is, after the product goes live, maintaining the reliability and security of the product and collecting threat intelligence from the mass of internal and external data. The second part may be more in line with our conventional understanding of information security: daily threat perception, warning, early handling of threats and so on are our everyday understanding of the concept of information security.

Q
What is the difference between this conceptual framework and the traditional concept of information security?

Han Bao
Traditional security vendors only manage safety when the train is running on the rails; we not only cover this, we also take on safety management of the train manufacturing process.

The traditional security concept is to manage daily security. The front-end of that concept refers only to perceiving threats in advance, a bit of internal and external dynamic intelligence while the train is running on the tracks.

Synopsys believes this is not enough: the biggest risk is the quality of the train itself, so what do you do about that? Synopsys' front-end concept is to manage from the first line of code, to ensure that the gene of the entire system is safe.

It is necessary both to ensure the quality of the train itself, going beyond the usual boundary, and to ensure that the process of the train running on the tracks is secure. We believe only then can it be considered a complete information security system without a genetic defect.

PART3
What does the Synopsys program include?

Q
If software security is the core, then across the whole process from software R&D, testing and going live to daily operations, what in general are the risks, and in what ways do we ensure that the software is safe?

Han Bao
We divide the software life cycle into five links, and software security runs through the whole process of the software life cycle.

1. Pre-design and requirements stage

This is mainly a security consulting process: the company needs to design security rules and a framework. What follows is the process of implementation, verification and refactoring, as well as real-time monitoring.

2. Software implementation stage

According to the source of the software, it can be divided into in-house development, outsourced development, and development based on open source code.

To ensure software security across these various channels, the approaches that need to be adopted are:

Static code analysis: by directly inspecting the code, locate the security vulnerabilities in the code.

Software composition analysis: does a component violate copyright law? Does it contain known security vulnerabilities?

3. Software testing stage

Mainly black-box testing, penetration testing and fuzz testing.

Black-box testing corresponds to traditional functional testing, or "spot checking" during the process.

Penetration testing is biased toward the security team simulating hacker attacks; network protocol fuzzing simulates all possible inputs to a network protocol to see whether your software or hardware is secure enough.

4. Software running in production

In fact, this is where the monitoring process begins, and this part should be combined with traditional information security; it is a process of observing state and collecting awareness.

Q
For the software life cycle tools you just mentioned, which Synopsys products correspond to them?

Han Bao
Information security is a systematic project and an industry with a very obvious bucket effect. Around the entire software life cycle, Synopsys has built the framework of a security system.

1. Pre-design and requirements stage

Synopsys' Cigital security services team has a group of the world's leading security consultants, including Dr. Gary McGraw and Joel, author of the "Hacking Exposed" series. The Cigital team created the BSIMM concept (Build Security In Maturity Model), which has been used by more than 200 well-known enterprises.

2. Implementation stage

Depending on the source of the software, there is a different product.

(1) Coverity: static code analysis tool

Originating in a Stanford University laboratory, Coverity initially worked with the US Department of Homeland Security to provide code quality and security testing services for open source projects, and is the only static code analysis tool capable of analyzing hundreds of millions of lines of code in a single pass.

(2) ProteCode: audit product for open source and third-party components, detecting license and security vulnerability issues

For the source code of open source libraries and third-party components, ProteCode developed a new-generation analysis engine.

3. Software testing stage

(1) Defensics: protocol robustness and security fuzzing test product
- discoverer of Heartbleed

(2) Cigital's penetration testing services

Penetration testing is based primarily on security flaws that have already been found, simulating hacker attack methods to conduct non-destructive penetration tests of systems and networks.

4. Daily operations stage

AbuseSA is a threat intelligence platform that helps Security Operations Centers and Computer Emergency Response Teams respond quickly based on an intelligence-driven strategy.

PART4
Beyond the completeness of the concept,
how do the performance parameters of each class of Synopsys product compare?

Q
Now we understand the completeness of your concept and approach, which is indeed unique. Specifically for these products, how do their performance parameters grade?

Han Bao
Because we have chip-level reliability capabilities, on a lot of business data we show performance completely different from existing tools, for example:

1. Accuracy (false positive rate): the false positive rate across the entire Synopsys product line is very low. Coverity's false positive rate is about 15%, while other tools of the same type have false positive rates above 70%.

2. Large-scale concurrent analysis capability: the large-scale computing and analysis capabilities Synopsys has accumulated in the IC industry are top notch; a source code library of hundreds of millions of lines can be analyzed in one pass.

3. Combination and process integration capability: integration across the whole software development life cycle.

For example: Defensics found Heartbleed, and Google also found this vulnerability, but in the process of finding it Defensics explains the underlying principle very clearly and also gives appropriate repair recommendations.

Q
You just mentioned that the false positive rate of your static code analysis tool Coverity is about 15%, while other tools of the same type have false positive rates above 70%. What does this parameter difference mean?

Han Bao
It means that we let the static code analysis tool enter a practical state, while the vast majority of peer static code analysis tools are not practical.

In fact, the reason traditional static code analysis tools cannot be practical, and the point that troubles all of us CIOs, R&D teams and security teams most, is that the false positive rate is too high. You may have 100 million lines of code, and it sweeps out 1 million issues.

Q
Are these 1 million problems real, or what?

Han Bao
No, not entirely.

Q
Something may not itself be a problem, but it is reported as a problem.

Han Bao
Yes, our professional term for this is a false positive.

If the false positive rate is high, everyone will reject it. We all look at the report: OK, so many problems found, the problems are listed here, but who is going to change them, who is going to fix them? No one takes charge.

Q
If 15 of my hundred issues are wrong, but you tell me all hundred are wrong, my heart collapses and I lose confidence in this tool. Is that what you mean?

Han Bao
Yes. If we give true and accurate data, then the static tool can enter a practical state. Let me give an example: on the Linux kernel, our product's false positive rate is now 9.7%; in other words, more than 90% of the problems found are real problems.

Q
So this is a change in parameters that results in the difference between usable and unusable.

Han Bao
Yes.

Q
Well, thank you very much, Mr. Han, for accepting our interview today, and thank you again for your attention. Today's interview is over!

Origin: blog.51cto.com/14440256/2421574