On September 17, the 2021 White Hat Conference, a global security industry conference for the global white hat and technical elite, was held in Beijing. As the first white hat industry event after the official implementation of the "Regulations on the Management of Security Vulnerabilities in Network Products" (hereinafter referred to as the "Regulations"), guests from regulatory agencies, security teams, research institutions and nearly 1,000 people from top white hats gathered together.
Xiao Junfang, Deputy Director of the Cyber Security Administration of the Ministry of Industry and Information Technology, Qin Qingling, Deputy Director of the Security Research Institute of the China Academy of Information and Communications Technology, Bu Zhe, Director of the Cyber Security Response Center of the Security Research Institute of the China Academy of Information and Communications Technology, MJ, Founder and CEO of Beijing Cyber Kunlun Technology Co., Ltd., Wan Tao, Chief Security Ecology Officer of HUAWEI CLOUD, Lin Wei, Head of ByteDance Security Center, Yang Qing, Head of Tencent Security Tianma Lab and Vice President of Tencent Security Academy, Qu He, Head of Ant Security Countermeasure Technology Department, senior network security expert Ye Meng, head of the blue army of the actual combat attack and defense team, Qi Xiangdong, chairman of Qianxin Group, and Zhang Zhuo, vice president of Qianxin Group and head of the vulnerability response platform, were invited to attend. More than ten enterprise SRCs and nearly 100 excellent security laboratories and security teams at home and abroad also participated in the conference.
Vulnerability management regulations officially implemented: white hat groups have a "yardstick" for behavior
The network security industry has entered the fast lane, and white hat talents have become an important supporting force for the industry. Xiao Junfang, deputy director of the Cyber Security Bureau of the Ministry of Industry and Information Technology, said in his speech that since its launch on September 1, the network security threat and vulnerability information sharing platform of the Ministry of Industry and Information Technology has received nearly 90,000 security vulnerabilities from fields such as telecommunications networks, the Internet, and the Internet of Vehicles, and that third-party vulnerability platforms, represented by the sky-filling platform, have played an important role in actively guiding the white hat group.

Qi Xiangdong, chairman of Qianxin Group, said in his speech that the "Regulations on the Management of Security Vulnerabilities in Network Products" will act as an incentive for three groups: network product providers, white hat groups, and vulnerability platforms. For white hats, the vulnerability management regulations justify and legitimize their behavior, providing them with a sense of security.
Qi Xiangdong pointed out that, on the one hand, the "Regulations" clearly encourage private forces to carry out vulnerability discovery work, draw the red line for the discovery, collection, release and other handling of vulnerabilities, and guide white hats to deliver their value under legal and compliant conditions. On the other hand, the "Regulations" also encourage manufacturers to set up vulnerability reward mechanisms for white hats, so that white hats can obtain corresponding returns through their own skills, forming a virtuous circle and promoting the continuous growth of the security industry. In 2021, an enterprise SRC paid a single vulnerability bonus of up to 130,000 yuan to a white hat through the patching platform.
For vulnerability platforms, the implementation of the vulnerability management regulations also provides a healthy direction of growth for vulnerability response platforms. In the next step, Tiantian will continue to optimize and improve the platform's capabilities, provide positive guidance to private white hats, help manufacturers build and operate product vulnerability collection platforms that meet the requirements, and guard the important security defense line of vulnerabilities.
"2021 White Hat Talent Report" released: network security has entered the post-00 era
Driven by the favorable domestic policy and industrial environment, the overall capacity building of white hat talents in China has continued to improve. At the white hat conference, Zhang Zhuo, vice president of Qianxin Group, released the "Investigation Report on the Ability and Development of China's White Hat Talents", which describes white hats from several angles: they are diligent vulnerability "excavators", they insist on "generating electricity for love", and the post-00s have become the main force.
The report shows that about 38.8% of white hat talents submit more than 10 effective security vulnerabilities per capita each year; and about 4.7% of white hat talents submit more than 300 valid vulnerabilities per capita per year, which can be called the "super excavator" in the vulnerability industry.
It is worth noting that these vulnerability "excavators" are young. The post-00s have become the main force of domestic white hat talents, accounting for up to 38.4%, while the proportion of post-95s is 34.6%, and even a small number of post-10 young people have joined the ranks of white hats. Network security has begun to enter the post-00 era, and the future can be expected. In this year's white hat awards, the "Most Energetic White Hat Award" was also given to this group of young people, honoring the white hat teenagers who were far ahead in project application rate, project approval rate, and project efficiency.
Among the white hats surveyed, the average time spent self-learning hacking techniques exceeded 15.0 hours per week. Of these, 14.1% of the white hats taught themselves 20-50 hours per week and can be called "white hat learning masters"; a further 8.0%, the "white hat learning gods", taught themselves hacking techniques for more than 50 hours per week, with an average daily self-study time of more than 7 hours.
Most admirable of all, for a white hat group that works so hard and finds and submits so many vulnerabilities, "personal hobby" is the main driving force, with more than 64% of respondents citing it as the primary reason. A strong sense of self-identity may also be one of the reasons why white hats "generate electricity for love", with nearly 80% of white hats thinking that white hat work is very cool or a little cool.
The first Celestial Stars Awards were presented
As a bridge and link between enterprises and white hats, the vulnerability response platform has up to 8 years of rich experience in the operation of vulnerability platforms, with 87,000 registered white hats, a total of more than 670,000 reported vulnerabilities, and more than 6,000 settled enterprises.
This year's Sky Patch White Hat Conference launched the "Sky Patch Star Award" annual selection for the first time, open to white hat talent and security emergency response centers. It aims to select the "most popular white hat team" and "most popular security emergency response center" in the travel industry, jointly cheer for network security personnel, promote the healthy development of the industry, and create a good security ecology.
After material review, public review, professional review, specially invited white hat review and other stages, 8 enterprise SRCs won the "Most Popular Emergency Response Center" award: Tencent Security Emergency Response Center, Baidu Security Emergency Response Center, Jingdong Security Emergency Response Center, Ant Security Response Center, Momo Security Emergency Response Center, Tuya Security Response Center, ByteDance Security Center, and OPPO Security Emergency Response Center. Zero Group Attack and Defense Laboratory, ChaMd5 Security Team, r3kapig, The Loner, Timeline Sec, Nu1L Team, White Hat 100 Security Attack and Defense Labs, and WhITECat Security Team won the "Most Popular Security Team" award.
At the same time, the Most Valuable White Hat Award, the Most Contributed White Hat Award, the Most Public Welfare Energy Award, and the Most Potential White Hat Award were also announced at the conference, and more than a dozen white hat talents with outstanding performance on the Sky Patch platform were honored, which fully reflected the vigorous vitality of private security practitioners.
Two-way in-depth exchange of technology and policy
The formal implementation of the "Regulations on the Management of Security Vulnerabilities in Network Products" clarifies the responsibilities and obligations of the various types of entities involved, which has a huge impact on network practitioners. To help all parties better understand the regulations and to promote the orderly development of vulnerability management, the conference held a dedicated closed-door forum on network product security vulnerability management and practice.
Bu Zhe, director of the Cyber Security Response Center of the Institute of Security of the China Academy of Information and Communications Technology, gave a detailed introduction to the network security threat and vulnerability information sharing platform, and discussed the regulations on the management of network product vulnerabilities with the participating enterprises.
To help more enterprises establish their own security emergency response centers and carry out vulnerability management in accordance with the regulations, Qianxin launched the "Sky Patch full-stack SRC service" for the first time, providing enterprises with secure, controllable, full-stack management of four major services through continuous monitoring and vulnerability discovery, end-to-end services, personalized portals, vulnerability information reports, and joint online and offline operation and promotion.
At the same time, the technical talks given by the security experts were the most substantive part of the event. Security experts and security researchers from top security laboratories and teams such as Kunlun Lab, Tencent Security Tianma Lab, R3kapig Team, Tencent Blue Army, DeadEye Security Experimental Laboratory, Aspartame Attack and Defense Laboratory, Tiangong Laboratory of Qianxin Technology Research Institute, Anderson Code Security Laboratory, etc., spoke on cutting-edge technology trends such as satellite communication networks and virtual currencies, and on practical skills across cloud native container clusters, supply chains, intelligent cars, anti-fraud and other areas.
(Source: China Net Finance)