
NSFOCUS named among the first batch of member units of the ICT Supply Chain Security Community and receives an excellent governance practice award

Author: NSFOCUS

Recently, the first member conference of the ICT Supply Chain Security Community (hereinafter referred to as the "Community") was successfully held. Guided by the Cyber Security Administration of the Ministry of Industry and Information Technology and hosted by the China Academy of Information and Communications Technology, the conference was themed "Strengthening the Security Governance of the Software Supply Chain and Helping the Healthy Development of the Information and Communication Industry". It aimed to implement the concept and goals of community construction and to strengthen cooperation among community members. More than 100 authoritative experts, scholars and enterprise representatives from the domestic network security field attended the meeting and witnessed the first community member conference. Yuan Chunyang, deputy director of the Cyber Security Division of the Cyber Security Administration Bureau of the Ministry of Industry and Information Technology, attended the meeting and delivered a speech. Wei Liang, vice president of the Chinese Academy of Information and Communications Technology, and Shen Changxiang, academician of the Chinese Academy of Engineering, also delivered speeches at the conference.

The conference was presided over by Xie Wei, deputy director of the Institute of Security of the Chinese Academy of Information and Communications Technology (INTS). Its agenda included a report on the basic situation of the community, an introduction to the work vision and work plan, a keynote speech, and the sharing of excellent achievements. At the meeting, NSFOCUS Technology received a certificate as one of the first batch of member units in the community, and the NSFOCUS Software Supply Chain Security Governance Service Program was selected as an excellent achievement in governance practice.


Informatization characterized by digitalization, networking and intelligence is developing vigorously, and new-generation information technologies such as 5G, the industrial Internet, artificial intelligence, and big data are integrating with the manufacturing industry at an accelerating pace. Against this background, software supply chain security is facing great challenges.

NSFOCUS focuses on process control across the software supply chain production cycle, and helps secure the software supply chain from the source of the software life cycle by promoting security controls throughout the whole life cycle. Establishing a systematic method for securing the software supply chain during software development lays an important foundation for avoiding and eliminating software security defects and for keeping the software supply chain as secure as possible during development.

NSFOCUS summarizes its perspective on software supply chain security prevention in four aspects:

  • External defense input: apply strict intake controls. Taking the time of introduction as the starting point, exclude software versions with vulnerabilities and strictly control the risk of external introduction. After identification, introduced components can be considered safe and used internally until a vulnerability is exposed, at which point the component is marked with a risk state and enters the next cycle;
  • Stock governance: because the number of stock systems is large, the dependency relationships between application systems are considered as a whole in accordance with the principle of limited risk, and differentiated governance strategies are formulated, such as priority governance of basic platforms and key governance of Internet applications. Governance is carried out in batches and in an orderly manner;
  • Internal control diffusion: establish a gray list, white list and black list mechanism to prevent components with vulnerabilities from being introduced into new systems; flag components or systems that have been exposed to vulnerabilities but have not completed governance, and control them on demand;
  • Continuous monitoring: vulnerabilities will exist for a long time, so continuous monitoring, emergency response processes, and orderly governance of open source component security risks are required.

The NSFOCUS Software Supply Chain Security Governance Service Solution integrates NSFOCUS's technical strength in BOM analysis, language support, detection engines and vulnerability databases. Combined with NSFOCUS's security product system, it can provide users with a comprehensive, three-dimensional, linked security defense mechanism and security assurance for the whole life cycle of the user's software supply chain. As a deep practitioner in the security industry, NSFOCUS is willing to work with community members in the future to contribute to the security governance of the software supply chain.