
36Kr Exclusive | Focusing on software supply chain security, "Hanging Mirror Security" completes a Series B financing of several hundred million yuan

36Kr has learned that the DevSecOps agile security vendor "Hanging Mirror Security" (Xmirror Security) today officially announced the completion of a Series B financing of several hundred million yuan. The round was led by Source Code Capital, with GGV Capital following and existing investor Sequoia China continuing to participate. Yuanqi Capital acted as the exclusive financial advisor for this round.

Hanging Mirror Security is a hard-technology-driven agile security company that 36Kr has covered continuously. It focuses on continuous, integrated threat detection and defense for the DevSecOps software supply chain, and on its original Hanging Mirror DevSecOps intelligent adaptive threat management system.

This system covers development-to-operations agile security products spanning threat modeling, open source governance, risk discovery, threat simulation, and detection and response, together with software supply chain security services built around real offensive and defensive exercises. Its aim is to help enterprises gradually build an endogenous active defense system that adapts to the elastic growth of their own business, supports agile business delivery and leads the evolution of future architectures. Internationally, Snyk, a peer of Hanging Mirror, raised two consecutive rounds, Series E and Series F, in 2021, for a total of 1.4 billion US dollars.

Founder and CEO Ziya told 36Kr that Hanging Mirror's business progress over the past year is reflected mainly in three areas: core product R&D, open sourcing of original technology, and commercialization.

First, in terms of product architecture, Hanging Mirror has built a relatively complete system consisting of a full-process platform and four CI/CD toolchain products. The platform is the Fuzi DevSecOps full-process security empowerment platform; the toolchain comprises Source Identification OSS/OpenSCA for open source threat governance, Lingmai IAST gray-box security testing, Lingmai BAS intelligent threat simulation and Cloud Shark RASP adaptive threat immunity.

On differentiation, 36Kr has observed that since at least 2020 an increasing number of companies in the industry have focused on DevSecOps, and many of them also offer IAST products. Here, Hanging Mirror's current IAST product has clear advantages in programming-language coverage and detection accuracy, and in the 2021 "China DevOps Status Survey Report" by the China Academy of Information and Communications Technology (CAICT), its IAST product ranked first with a market share of 5.84%. The company attributes this to its key technical route: the product uses original, genuinely adaptive "code vaccine" technology, which places a lightweight instrumentation probe inside the application and, combined with a self-learning analysis engine, can quickly identify the application's own defects and security risks on the basis of an accurate understanding of the runtime context.

The company also released its RASP product last year. Through a "single probe" strategy, users deploy only one probe in an application to obtain both IAST and RASP capabilities, reducing deployment cost while rapidly improving the self-defense capability of business applications. At the SCA level, as open source software spreads worldwide, the security of open source software has grown in importance. Hanging Mirror formally launched the OpenSCA open source community in 2021, using open source to govern open source, and offers both open source and enterprise editions of its SCA products. Ziya explained that the purpose of building an open source community around SCA is to let more developers and users worldwide apply innovative SCA technology to open source governance at the coding stage and shift security further left.

On commercialization, Ziya said that customers currently choose among Hanging Mirror's diversified products according to their own needs. The company's enterprise customers include China Minsheng Bank, China UnionPay, Bank of China, Industrial and Commercial Bank of China, Shanghai Pudong Development Bank, Bank of Chongqing, Guangzhou Rural Commercial Bank, Suzhou Rural Commercial Bank, China Zheshang Bank, SHEIN, Ping An of China, CITIC Construction Investment Securities, Shanghai Stock Exchange, Sinopec, PetroChina, China Telecom Research Institute, China Mobile Research Institute, China Unicom Research Institute, China Sports Lottery, People's Network, State Grid, Peking University, ZTE, China Academy of Engineering Physics, Xiaopeng Automobile, Dongfeng Nissan, Changan Automobile, China Automotive Research Institute, China Southern Airlines and many other industry benchmark users. In total, Hanging Mirror's enterprise customers now number in the hundreds.

Do agile security governance from the source of development

On industry drivers, the company said that governing security risk from the source of development has become a genuine need for more and more enterprises seeking to secure their software supply chains.

Specifically, according to third-party authoritative surveys, nearly 92% of known security vulnerabilities occur in software applications, and there is at least one business logic flaw for every 1,000 lines of application code. In addition, 78%-90% of modern applications incorporate open source components, with an average of 147 open source components per application, and 67% of applications use open source components with known vulnerabilities. Looking at the current situation, the company said that, apart from internal self-testing, the vast majority of enterprise users learn of vulnerabilities in their business applications from external third-party security researchers or security vendors. Across the software development lifecycle, the cost of fixing a security vulnerability differs greatly by stage: the cost of a fix during R&D and testing versus in production can differ by a factor of hundreds. It is therefore urgent and necessary to eliminate vulnerability risks and open source threats in the bud, prevent applications from going live with known defects, and secure the software supply chain.

In response, the Lingmai IAST gray-box security testing platform, one of Hanging Mirror Security's flagship products and the application risk discovery platform for the pre-release testing stage of the Hanging Mirror DevSecOps intelligent adaptive threat management system, uses a new generation of full-scenario real-time data-flow analysis techniques: runtime application instrumentation (including dynamic taint tracking and interactive defect localization), endpoint traffic proxying, bypass traffic mirroring, host traffic sniffing, heuristic crawling, real-time web log analysis and original AI-inspired penetration testing technology. These let traditional IT staff quickly establish an in-house security crowd-testing model within the customer's organization, so that staff without a security background (R&D, testing, QA and so on) can transparently perform in-depth business security testing while completing functional testing, dynamically monitor open source risks at runtime, accurately cover more than 95% of medium- and high-risk vulnerabilities, and effectively prevent applications from going live with known defects.

Measuring security effectiveness with intelligent attack and defense

Offensive and defensive confrontation is a perennial theme of cybersecurity construction and the most direct way to test whether an existing security system can defend against unknown threats. It includes continuous security crowd testing and irregular offensive and defensive drills, supplemented by supporting detection and response methods.

To meet this need, another flagship product of Hanging Mirror Security, the Lingmai BAS intelligent threat simulation platform, serves as the automated threat simulation and security verification platform for the operations stage of the Hanging Mirror DevSecOps intelligent adaptive threat management system. It pioneers in China an intelligent attack-and-defense drill robot system realizing "AI + threat simulation", converting the practical experience that security experts have accumulated in large numbers of penetration tests into structured knowledge that machines can store, recognize and process. During automated testing, it uses AI algorithms to continuously "reason" and make logical decisions, and, in a manner close to a penetration test by a real expert, carries out the complete intrusion simulation and security measurement process against a given target, from information gathering, scanning and probing, vulnerability discovery, vulnerability exploitation and post-exploitation through to continuous verification. In this way it continuously verifies the effectiveness of the customer's existing security defenses and dynamically assesses the target organization's security posture from the perspective of a "real attacker". It also greatly compensates for uneven skill levels and low efficiency among security personnel.

Empowering business applications with out-of-the-box immunity through code vaccines

Moreover, with the rapid development of cloud-native technology, the rapid spread of open source applications and the large-scale adoption of DevSecOps practices, network security is evolving from perimeter security to endpoint security to application security, and the focus of the next generation of application security technology will be runtime context awareness.

The Cloud Shark RASP adaptive threat immunity platform, a key product in Hanging Mirror Security's "active defense" system, serves as the detection and response platform for the operations stage of the Hanging Mirror DevSecOps intelligent adaptive threat management system. Through key technologies such as a patent-level application vulnerability attack immunization algorithm, a runtime security slice scheduling algorithm, a deep AI webshell detection engine and a deep traffic learning algorithm, it deeply integrates RASP and IAST and "injects" active defense capability into digital business applications. With its application-context analysis capability it can capture and defend against attack methods that bypass traffic-based detection (such as chunked transfer, code obfuscation and mutation, and in-memory webshells), providing endogenous active security immunity that is both business-aware and functionally decoupled, and opening up innovative development of default security immunity for business applications.

Latest practical results of DevSecOps research

In summary, combining years of hands-on agile security deployment experience with software supply chain security research, Ziya said Hanging Mirror Security has developed a third-generation DevSecOps intelligent adaptive threat management system based on its original patent-level "agile process platform + key technology toolchain + componentized software supply chain security services".


Figure 1: Hanging Mirror third-generation DevSecOps intelligent adaptive threat management system

According to the company, this system, as a DevSecOps full-process agile security empowerment platform, has emphasized flexible, low-intrusion technology deployment since the start of its construction. Starting from several key practice points that drive the continuous operation of DevSecOps CI/CD pipelines, it empowers an enterprise's existing staff through key technical innovations in threat modeling, open source governance, risk discovery, threat simulation and detection and response, aiming to help users gradually build an endogenous active defense system that adapts to elastic business growth, supports agile business delivery and leads the evolution of future architectures.

On the company's philosophy as a whole, Ziya said that the essence of security is a dynamic balance between risk and trust, and Hanging Mirror has been helping customers better embrace change, adapt more quickly to the spread of cloud-native technology, and practice endogenous agile security. Ziya also noted that, compared with traditional native software applications, a clear technology trend is that the vast majority of digital applications released in the future will be secure and trustworthy, because they will be able to use code vaccine technology to discover their own defects and risks and to gain out-of-the-box immunity against external unknown threats.


Figure 2: DevSecOps agile security tool pyramid v2.0

Hanging Mirror will continue to refine the DevSecOps agile security tool pyramid based on its annual research and practice, aiming to anticipate the future evolution of key DevSecOps technologies and point the direction for subsequent systematic security construction by industry organizations.

Finally, on the latest business plans, Ziya said that after this round Hanging Mirror will further deepen innovation in key software supply chain security technologies in China and the layout of its upstream and downstream industry ecosystem, hoping to rely on its next-generation agile security framework to build a closed-loop third-generation Hanging Mirror DevSecOps intelligent adaptive threat management system for emerging scenarios such as DevSecOps agile security, software supply chain security and cloud-native security. The company also plans to continue upgrading its large-scale product and service delivery and operations capabilities in North China, East China, South China, Central China, Southwest China, Hong Kong and Macao and other regions, with deep coverage of enterprise security markets such as finance and e-commerce, energy and power, intelligent manufacturing, telecom operators and the broader internet sector.

About the investors:

Huang Yungang, partner at Source Code Capital, the lead investor in this round, said: "DevSecOps is an inevitable trend of security agility in the cloud-native context. With threat management at its center and multiple toolchains integrated, DevSecOps can help enterprises ensure that security runs through the entire software lifecycle from development to operations, and will become an important part of enterprise digital infrastructure. We are optimistic about Hanging Mirror Security's technical foresight in the DevSecOps field, and Hanging Mirror's products have been recognized by important customers in many industries. We expect Hanging Mirror to create great value for customers in the future as IT infrastructure moves to the cloud and security environments grow increasingly complex."

Li Hongwei, managing partner at GGV Capital, which followed in this round, said: "With the deepening of digitalization and intelligence, software and applications keep accelerating their iteration cycles and release speeds, and agile development and open source are widely used. Over the lifetime of software, the cost of fixing vulnerabilities grows exponentially with the phase in which they are discovered, and there is currently a lack of effective products for efficient detection during code development and before going live. Hanging Mirror's products were created for this purpose and have earned a good reputation among many leading customers. GGV is optimistic about this young team and will support the company's development over the long term."

Zhai Jia, Managing Director at Sequoia China, the exclusive lead investor in the Pre-A round, said: "Embedding security into the DevOps process to form DevSecOps fits the current trend toward agile development, allowing security to 'shift left' and 'shift right'. DevSecOps penetrates the entire software lifecycle from R&D to operations and is closely tied to software supply chain security; it can effectively help enterprises automate the detection and repair of vulnerabilities in digital applications during the development stage, greatly reducing business security costs and risks, and is an important emerging direction in cybersecurity. Hanging Mirror's continued deepening in this field has given it a certain leading edge and built deep industry barriers; its business has progressed rapidly, expanding and accumulating many high-quality benchmark customers in the industry, and we are optimistic about its long-term development prospects."
