
Hanging Mirror Security's random: The number one hacker decodes supply chain security intelligence

Author: Science and Technology Insight Network

In February 2023, Hanging Mirror Security officially unveiled its Supply Chain Security Intelligence Center, the first digital supply chain security intelligence research center in China. Five years ago Ziya, founder and CEO of Hanging Mirror Security and a dream builder from Weiming Lake (Peking University's "unnamed lake"), gave an exclusive interview to An Zai; at that time the company was still exploring commercial applications for products built on ten years of code vaccine technology. Two years ago Ning Ge, CTO of Hanging Mirror Security, was also interviewed by An Zai; by then the company had closed a Series B round of several hundred million yuan and had rapidly grown into a leading vendor in DevSecOps digital supply chain security.

Innovation and inclusiveness in hard technology are core driving forces of human society. As the digital era accelerates, the digital applications of the Internet of Everything are changing profoundly in four respects: programming and development methods, collaborative application release models, application design architectures, and infrastructure runtime environments. At the DSS2023 Digital Supply Chain Security Conference in August 2023, Ziya introduced an innovative theoretical system and practical framework for digital supply chain security, which has had a far-reaching impact on the industry; with growing national attention, digital supply chain security has also been elevated to the level of infrastructure security.

Hanging Mirror Security has repeatedly issued accurate early warnings, such as of a malicious Python package counterfeiting the TensorFlow AI framework to plant a backdoor, of malicious NPM packages attacking developers with a Windows reverse shell backdoor, and of the poisoning attack carried by the malicious Python component tohoku-tus-iot-automation. These warnings marked the first time the Hanging Mirror Supply Chain Security Intelligence Center publicly demonstrated to the industry the highly accurate early-warning capability of the Yunmai XSBOM digital supply chain security brain. The supply chain security capability research center, which previously worked only behind the scenes and is dedicated to in-depth mining and traceability analysis of supply chain security risks such as vulnerabilities, poisoning incidents and component risks, has now been formally unveiled. The move is both a direct response to monitoring the global digital supply chain security situation and an important step, as a pioneer of digital supply chain security, toward promoting its global governance.

The head of the Hanging Mirror Supply Chain Security Intelligence Center is random, Cai Zhiqiang, who is also a partner at Hanging Mirror Security Technology and the driving force behind the center.

"The most low-key number one hacker" is one of Ziya's descriptions of random. He was the first winner of the BMW Group's Digital and IT R&D Technology Award, has spoken at BlackHat USA, a top international security conference, and has competed many times in the DEFCON CTF international attack-and-defense competition; that is only the tip of the iceberg of random's technical experience over the past ten years. Together with Ziya and Ning Ge he was a representative of the campus white hat geek scene, and with several brothers he not only helped found the "Xmirror" team but also became part of the offensive and defensive backbone of the "Guoxin 504 Red Team", which has repeatedly provided strong security guarantees for major national events involving critical information infrastructure.

"random" is the ID Cai Zhiqiang has used in the community since his student days. Asked why he chose "random" as his ID, he smiled and said: "The confrontation between online attack and defense is always uncertain; the magic grows a foot, the Way grows a foot, and intelligent attack is advanced defense!"

Figure 1: random's technical talk at BlackHat USA 2019

By his own assessment random is not good with words; his teammates praise his focus, persistence and freedom from distraction. Making research breakthroughs alongside technical heavyweights and doing what interests them may be one of the traits white hat hackers share.

Young days: a first meeting beside Weiming Lake

Looking back on the attack-and-defense competitions he played as a graduate student, random recalls that his first national competition was the Information Security and Countermeasures Competition (ISCC) in 2013, during his first year of graduate school. "ISCC is one of the earliest offensive and defensive competitions held in China and one of the well-known domestic events. Early on, ISCC leaned toward testing individual ability: the preliminary round was an individual competition, and the top 25 in the final moved on to the offline team competition; personally I preferred the atmosphere of the team competition." During his graduate studies at Peking University, whenever he had spare time he took part in domestic competitions such as XCTF, BCTF, XDCTF, HCTF and RCTF to keep his hands in practice and sharpen his thinking, and naturally achieved good results.

As Ziya's junior, random met him during their graduate studies at Peking University, and Ziya, who headed the laboratory at the time, was very impressed by him. Asked about his first impression of Ziya, random uses the adjectives "creative, pure, simple, with strong sensitivity and appeal". Although he and Ziya differ in style, they both believe it is more important to build intelligent attack-and-defense penetration simulation tools that solidify individual cybersecurity capabilities into an automation platform, producing more white hat hackers with balanced, stable skills and raising the overall level of China's cybersecurity.

In 2015, while still a graduate student, random took on the responsibility of leading Hanging Mirror's red-blue confrontation team, directing its technical experts in fully supporting the technical output of the "Guoxin 504 Red Team" and providing key services such as attack and defense drills, penetration-test attack simulation, and binary vulnerability mining for important government portals and critical information infrastructure during major national events.

A temporary farewell, for a better reunion

To further deepen his technical expertise, after graduation random joined a top domestic security laboratory as a security researcher, responsible for vulnerability mining and security research on intelligent connected vehicles.

During this period random was mainly responsible for vulnerability mining and security research on intelligent connected vehicles. "We studied a number of internationally well-known models one after another, built up some breakthrough ideas and methodologies, and obtained many results in reverse analysis and vulnerability mining of in-vehicle system firmware." random treated these cars as black boxes, with no source code and no debugging interfaces, so the attack entry points exposed by the vehicle could only be found from the perspective of an attacker. Through binary reverse engineering of the in-vehicle system firmware, he carried out security analysis and vulnerability mining of the vehicle's network, Bluetooth, Wi-Fi and phone-interconnection communication services, and finally used the vulnerabilities found to achieve remote control of the vehicle.

While the global smart car field kept making new progress, random also kept solving security problems for well-known car makers. After in-depth vulnerability mining and security analysis for a global high-end luxury car group, random led the team in publishing a number of security research results for the manufacturer and was awarded the group's first "Digital and IT R&D Technology Award".

Figure 2: random

Recalling his time as a white hat hacker, random said: "I like technical research work. In that job, apart from a few occasional key technology sharing talks and one in-depth technical exchange with the car group whose vehicles we had cracked, most of the time I was still doing research and verification work in the laboratory."

random always kept an eye on the development of Hanging Mirror and of Ziya. In a sense, random never left Hanging Mirror. "I usually keep in close contact with Ziya, and the other partners are my brothers, so we all know each other well. I also often saw Hanging Mirror's news in my friends' social feeds, including iterations of new product technology, notable achievements, and the various industry conferences it held; I followed every stage of Hanging Mirror's development."

On returning to Hanging Mirror after many years, random said it was the natural result of following his heart. "I have been a white hat hacker for more than a decade, and both during my school days and in my last research job I tended toward vulnerability mining and deep exploitation. Looking at the general trend of the cybersecurity industry, the security of critical information infrastructure is the cornerstone of national cybersecurity, which gives us a stronger sense of mission to protect it. I also think about the real value that can be realized by manually exploiting a single vulnerability; in digital supply chain security, I can empower the upstream and downstream ecosystem of the entire supply chain through the automated intelligent tools we have researched together, and make some practical contributions to digital supply chain security that genuinely help users in the industry."

"Another important reason is that I felt his persistence in Ziya's repeated invitations," random laughed. At each reunion, Ziya would explain in detail what Hanging Mirror had been doing over the years and what it would continue to challenge and break through in the future. As for why the focus should be on supply chain security intelligence, random also described how the discussion went. "At the beginning, Ziya and I discussed becoming the first team in China able to provide high-precision, high-real-time, and high-availability digital supply chain vulnerability intelligence and early warning. But with digital supply chain poisoning incidents becoming more frequent and the risk of critical information infrastructure outages growing, the urgency of providing a good intelligence and early-warning service for the entire digital supply chain became more and more prominent." "Supply chain security vulnerabilities tend to be broader and more disruptive, and the users affected by supply chain security tend to be numerous and to suffer a greater impact if compromised. Through 24/7 real-time output of digital supply chain security intelligence and the OpenSCA open source digital supply chain security community, we can not only help developers and users solve actual digital supply chain security problems, but also, to a certain extent, promote the industry's attention to and development of digital supply chain security and the security of domestic information innovation applications."

Supply chain security intelligence from an attack perspective

In his view, the essence of cybersecurity is the same whether it concerns the Internet of Vehicles, the Internet of Things or digital supply chain security: a dynamic balance between cybersecurity risk and trust, where the key is the ability to perceive threats agilely and accurately. As the saying goes, in all the world's martial arts only speed is unbeatable!

So random is very confident about the accuracy and timeliness of the intelligence output. He said that years of looking at security vulnerabilities from the attacker's perspective have made him more sensitive to them, and that when high-risk vulnerabilities are discovered, the supply chain risk intelligence capture platform whose development he led can predict the direction of exploitation more comprehensively and give users more usable solutions.

In addition, accurate and real-time output of digital supply chain security intelligence is one of the keys to deeply closing the loop of the digital supply chain security management and control system. Previously, the widely used SCA open-source threat management platform shipped with a built-in, offline-deployed vulnerability database, and maintaining, operating and incrementally updating that database in real time was often constrained by customers' actual business environments. Now, once the Supply Chain Security Intelligence Center has captured and verified a risk, it can push and synchronize it to subscribers in real time, achieving hour-level vulnerability warnings so that users enjoy a more convenient and practical digital supply chain security service.

Hanging Mirror Supply Chain Security Intelligence Center

Relying on the Hanging Mirror security team's full-lifecycle SBOM traceability management and monitoring capabilities for the digital supply chain, its AI application security big-data cloud analysis capabilities, and the active contributions of the OpenSCA open source digital supply chain security community to code component security, the center is the first intelligence research center in China focused on the intelligent defense of digital supply chain security risks. It carries out real-time dynamic monitoring and in-depth traceability analysis of the risk of component service suspension and supply interruption.

As the foundation of digital supply chain security intelligence, digital supply chain security focuses mainly on three parts: first, digital application security, including secure application development, open source governance and digital immunity; second, infrastructure service security, including cloud-native security (CNAPP) and supply chain environment security; and third, supply chain data security, including API security and application data security. random also noted that the risk management, cybersecurity and response capabilities of security vendors themselves should be included in the scope of digital supply chain security.

"Digitalization is a huge concept, and the needs of each segment deserve attention." random said that in the past supply chain security focused mostly on the software development process, but now, with the gradual improvement of digital infrastructure and the spread of new technologies, the scope of the supply chain keeps growing, the risks keep multiplying, and users' security needs keep broadening. Hanging Mirror identified these needs and conveys them to the outside world in the form of intelligence through the Hanging Mirror Supply Chain Security Intelligence Center.

At present, the Hanging Mirror Supply Chain Security Intelligence Center has accumulated more than 500,000 vulnerability intelligence entries and more than 100,000 open-source component poisoning intelligence entries.

random said the intelligence center delivers intelligence in two main forms. The first is built into Hanging Mirror's third-generation DevSecOps digital supply chain security system: for example, users of the Hanging Mirror Source SCA platform can readily use the intelligence to optimize security policies and discover application security risks in advance. The second is a SaaS subscription interface provided by Hanging Mirror's OpenSCA open source digital supply chain security community, through which users receive the latest supply chain poisoning, vulnerability and service suspension intelligence in real time and can subscribe on demand according to their own needs.

Figure 3: random receiving the award as an invited representative

According to random, Hanging Mirror Security regards SCA as the security management entrance of the digital supply chain, controlling the security risks of digital assets across the whole process of introduction, production, distribution, and delivery. For emergency response, Hanging Mirror combines SCA with supply chain security intelligence to achieve continuous risk assessment of digital supply chain component assets and rapid response to emergency vulnerability events.
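As an added illustration of the SCA-plus-intelligence loop described above (this is not Xmirror's code; the SBOM, the feed format, the package names and versions are all constructed), the following Python matches SBOM components against vulnerability, poisoning and service-suspension intelligence, and an optional `since` timestamp limits a pass to entries published after the last sync, which is what an hour-level incremental push has to do:

```python
"""Match an SBOM against a supply chain intelligence feed (constructed example).

Added illustration, not Xmirror's code: the SBOM, feed entries, field names
and package names/versions below are assumptions; none reflect real advisories.
"""
import re
from datetime import datetime, timezone


def parse_version(version):
    """'4.17.20' -> (4, 17, 20); non-numeric suffixes such as '1.2.0rc1' are ignored."""
    parts = []
    for piece in version.split("."):
        m = re.match(r"\d+", piece)
        parts.append(int(m.group()) if m else 0)
    return tuple(parts)


def split_purl(purl):
    """'pkg:pypi/tensorflow@2.13.0' -> ('pkg:pypi/tensorflow', '2.13.0')."""
    base, _, version = purl.rpartition("@")
    return (base, version) if base else (purl, "")


def entry_matches(entry, version):
    """Vulnerabilities match a version range; poisoning and suspension hit every version."""
    if entry["kind"] != "vulnerability":
        return True
    v = parse_version(version)
    fixed = entry.get("fixed")
    return parse_version(entry["introduced"]) <= v and (fixed is None or v < parse_version(fixed))


def assess(sbom, feed, since=None):
    """Return findings for SBOM components hit by feed entries published at or after `since`."""
    findings = []
    for component in sbom:
        base, version = split_purl(component["purl"])
        for entry in feed:
            if since is not None and entry["published"] < since:
                continue  # already delivered in an earlier sync
            if entry["package"] == base and entry_matches(entry, version):
                findings.append({"purl": component["purl"], "intel": entry["id"],
                                 "kind": entry["kind"], "severity": entry["severity"],
                                 "action": entry["action"]})
    return findings


# Constructed SBOM (CycloneDX-style package URLs).
SBOM = [
    {"purl": "pkg:npm/example-web-utils@4.1.2"},
    {"purl": "pkg:pypi/tohoku-tus-iot-automation@0.0.1"},  # name from the article, version constructed
    {"purl": "pkg:maven/org.example/legacy-lib@1.2.0"},
    {"purl": "pkg:npm/example-web-utils@4.2.0"},           # already on the fixed version
]

# Constructed feed: one entry per intelligence type the article lists.
FEED = [
    {"id": "INTEL-VULN-0001", "kind": "vulnerability", "package": "pkg:npm/example-web-utils",
     "introduced": "4.0.0", "fixed": "4.2.0", "severity": "high", "action": "upgrade to 4.2.0",
     "published": datetime(2024, 3, 1, 9, 0, tzinfo=timezone.utc)},
    {"id": "INTEL-POISON-0002", "kind": "poisoning", "package": "pkg:pypi/tohoku-tus-iot-automation",
     "severity": "critical", "action": "remove the package and audit the build host",
     "published": datetime(2024, 3, 1, 10, 30, tzinfo=timezone.utc)},
    {"id": "INTEL-EOL-0003", "kind": "suspension", "package": "pkg:maven/org.example/legacy-lib",
     "severity": "medium", "action": "plan a migration; upstream maintenance has stopped",
     "published": datetime(2024, 2, 1, 0, 0, tzinfo=timezone.utc)},
]

# Time of the previous sync; an hourly pass only re-evaluates entries published after it.
LAST_SYNC = datetime(2024, 3, 1, 10, 0, tzinfo=timezone.utc)

if __name__ == "__main__":
    for f in assess(SBOM, FEED):
        print(f"{f['severity']:8} {f['kind']:13} {f['purl']} -> {f['intel']}: {f['action']}")
    print("new since last sync:", [f["intel"] for f in assess(SBOM, FEED, since=LAST_SYNC)])
```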

On the application of large AI model technology, random said that Hanging Mirror has accumulated many results in this area and has carried out very effective practical exploration of large-model technology in the field of digital supply chain security. The intelligence center has trained a highly effective security model for the digital supply chain niche, which has greatly improved the quality, efficiency and user experience of producing and operating supply chain security intelligence, including enhancement and optimization of early-warning data, intelligent repair recommendations for vulnerable code, intelligent consultation on open source licenses, and intelligent recommendations of security upgrades for vulnerable components. Part of the access service of the "Hanging Mirror Cloud Pulse" intelligent supply chain security brain is expected to launch officially in May 2024.

A judgment on the future

New digital technologies and trends will inevitably bring new security problems, and the supply chain security intelligence center is certain to keep upgrading and iterating. Taking domestic information innovation as an example, random said that the information innovation wave will inevitably introduce large amounts of self-developed and open-source code, which is likely to become a new source of risk. The spread of large AI models will also bring new security risks, including poisoning of training data and the security vulnerabilities and malicious code introduced by open source large models and AI agents during development, training and release. These new risks will also fall within the scope of digital supply chain security, and the intelligence center will continue to innovate and expand accordingly.

Besides expanding the breadth of the intelligence center, finer granularity is the focus of the next phase. random said the center now essentially covers security vulnerabilities in open source applications and malicious code poisoning intelligence, but supply chain security problems hidden in binary digital assets are often more concealed and more damaging, and intelligence in that area requires deeper, more scenario-specific detection and analysis capabilities, for which Hanging Mirror Security is already prepared.

Intelligent adaptation of intelligence is another goal Hanging Mirror Security intends to solve. random noted that current intelligence is mostly developer-oriented, and that further integration with the OpenSCA open source digital supply chain community lets the center push specific intelligence in a more targeted way, largely solving the poor fit, uselessness and spam problems of traditional threat intelligence.

As for his personal goals for the next stage, random said the primary one is to raise the existing digital supply chain security intelligence service to a higher level and to deeply close the loop with Hanging Mirror's third-generation DevSecOps digital supply chain security system, so that users enjoy more accurate, more timely and more usable intelligence early-warning services.

Epilogue: The road is long

Unlike Ziya and Ning Ge, interviewed a few years ago, random is at once a witness to the start-up, a witness to its growth, and an old hand who has returned to Hanging Mirror Security. He is full of surprise and excitement that, after only a few years, Hanging Mirror Security has grown into a leader in China's digital supply chain security field.

"In 2015, when I was in charge of offensive and defensive confrontation at Hanging Mirror Security, I felt the passion of a group of young people, and even now, years later, after returning to Hanging Mirror Security, I can still feel the passion and love of that group of young people. We often say that we stick to long-termism and embrace change; that is not a slogan, it is what Ziya and Hanging Mirror Security have always practiced." random still uses "pure" to describe Hanging Mirror Security as it approaches its 10th anniversary: "Obsessed with dreams and focused on interests."

Given all of this, I asked random what greater value the capabilities of the Hanging Mirror Supply Chain Security Intelligence Center hold as the current megatrend develops.

random replied without hesitation: "Technically, the digital supply chain security intelligence center performs in-depth traceability and real-time warning of intelligence on supply chain poisoning attacks, vulnerabilities, and the risk of service and supply interruption of open source components. In terms of value, our ultimate goal is to help industry users efficiently manage the various application security risks they encounter during digital transformation, through accurate and reliable intelligence and early warning together with the supporting code vaccine technology. We often say 'shift security left', but shifting left is not the goal; security should truly become part of the core of the business wherever it is needed."

If "guarding the security of China's digital supply chain" is the mission of Hanging Mirror Security, then "seeing clearly, keeping up, and preventing" is the core task of the Hanging Mirror Supply Chain Security Intelligence Center.

Amid uncertain challenges and with firm beliefs, random and Hanging Mirror Security are writing the story of China's digital supply chain security together, to be continued.
