On June 17, 2022, the first 3SCON "Software Supply Chain Security Forum" of 2022, hosted by the China Academy of Information and Communications Technology (hereinafter "CAICT"), was held. At the forum, CAICT released a number of major deliverables, initiated the establishment of the Software Supply Chain Security Lab (3S-LAB), and invited industry experts and enterprise representatives to deliver keynote speeches on the practice, governance trends and technology exploration of software supply chain security.
Li Wei, deputy director of the Institute of Cloud Computing and Big Data, CAICT, said in his speech that the secure development of China's software supply chain faces problems such as an institutional system that still needs improvement, existing problems that are difficult to resolve, and security governance efficiency that needs to be raised. Establishing systems, institutional processes and evaluation indicators to promote software supply chain security and improve work efficiency will be the focus of future work. CAICT has achieved a series of results in the field of software supply chain security over the years, and will continue to conscientiously implement the relevant national cybersecurity laws and policies and firmly uphold the overall national security concept.
Software Supply Chain Security Series Evaluation Results Released
In order to promote the implementation of standards and regulate the development of the industry, CAICT has actively carried out evaluation work in the field of software supply chain security, and released its latest 2022 evaluation results at the forum:
Latest trusted security assessment results released
The specific evaluation results are as follows:
The first companies to pass the Software Supply Chain Security Management Capability Assessment (3SM):
- Ping An Bank Co., Ltd.
- China Mobile Communications Group Zhejiang Co., Ltd.
Companies that passed the Trusted R&D Operational Security Capability Maturity Assessment (TSM):
- Yonyou Network Technology Co., Ltd.
Companies that passed the R&D Operational Security Tool Assessment (SAST):
- Tencent Cloud Computing (Beijing) Co., Ltd.
CAICT's "2022 Security Guardian Program - Software Supply Chain Security Topic" excellent cases released
In order to further promote the innovation and development of the software supply chain industry and raise the level of enterprise software supply chain security governance, CAICT launched the "2022 Security Guardian Program - Software Supply Chain Security Topic" excellent case collection and selection activity, and selected a number of excellent cases with mature technology, complete solutions and wide applicability.
2022 Security Guardian Program - Selection Results of Excellent Cases in Security Operation
Software Supply Chain Security Lab (3S-LAB) was officially established
The Software Supply Chain Security Lab (3S-LAB) was initiated and established by CAICT to build a bridge of cooperation and promote the healthy and orderly development of the software supply chain security industry. At this forum, 3S-LAB officially announced its establishment and awarded certificates to the representatives of its first member units.
The first member units of Software Supply Chain Security Lab (3S-LAB)
Software Bill of Materials (SBOM) Security Applications White Paper released
In order to let domestic enterprises quickly understand Software Bill of Materials (SBOM) technology and promote the establishment of an SBOM system, CCB Jinke and CAICT jointly compiled the first domestic "Software Bill of Materials (SBOM) Security Application White Paper", which was jointly released at the forum by Li Xiaodun, President of the CCB Jinke Basic Technology Center, and He Baohong, Director of the Institute of Cloud Computing and Big Data, CAICT.
Subsequently, Wang Hui, an information security expert at the CCB Jinke Basic Technology Center, gave an in-depth interpretation of the white paper. She pointed out that the white paper reviews the international progress and related standards of the Software Bill of Materials (SBOM) and gives an outlook on SBOM development trends; at the same time, through the application practice of SBOM on CCB Jinke's DevOps and security operation platforms, it provides a practical reference for the industry.
Interpretation of "Software Bill of Materials (SBOM) Security Application White Paper"
Software Supply Chain Security Insights
Guo Xue, Deputy Director (in charge of the work) of the Open Source and Software Security Department of the Institute of Cloud Computing and Big Data, CAICT, delivered a speech entitled "Panoramic Observation of the Software Supply Chain". She said that software supply chain security faces five major challenges and has become a global security consensus. CAICT continues to build the standard system and carry out evaluations to secure the entire software supply chain. In the future, CAICT will continue to promote research on software supply chain security technologies and frameworks, and improve the software supply chain security standard system and its series of assessments. It will also strengthen ecosystem building, further promote upstream and downstream enterprises in the supply chain to improve their own security management systems, and establish a secure and trustworthy software supply chain ecosystem.
Interpretation of Software Supply Chain Security Insights
Guest speeches on "Software Supply Chain Security"
Li Xiaoming, engineer in the Open Source and Software Security Department of the Institute of Cloud Computing and Big Data, CAICT, gave a talk entitled "Software Supply Chain Security Management Capability Maturity Model" at the forum. He interpreted the software supply chain security indicators from multiple dimensions, with the aims of improving the software supply chain demander's security management capability, standardizing the demander's supply chain management process, and providing new ideas for third-party evaluation.
Ping An Bank senior security expert Chen Yingbin delivered a speech entitled "Ping An Bank Software Supply Chain Security Practice", introducing the bank's software supply chain practice. Security governance focuses on purchased application services, open source components and similar supply chain products. By formulating process specifications and building a process control platform, the bank manages supply chain products across the full process: security assessment at introduction, version control, continuous operation online, continuous automatic scanning, regular manual security inspection and offline monitoring. Software supply chain security quality has improved significantly as a result.
Jun Zhe, engineer in the Open Source and Software Security Department of the Institute of Cloud Computing and Big Data, CAICT, gave an in-depth interpretation of the "Overall Framework for Software Bill of Materials Construction". He pointed out that formulating this standard will help guide vendors to introduce the software bill of materials into their software supply chain security construction, providing a means of rapidly locating and responding to attacks on the supply chain and reducing the risk of major cybersecurity incidents, while also reducing users' procurement and usage costs.
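The "rapid locating" use of an SBOM described in the white paper interpretation and in this framework talk is, in practice, a search over the bills of materials of every deployed product when an advisory for a component is published. The following Python script is an added example of that search and is not code from the white paper, the "Overall Framework" standard, CCB Jinke or CAICT. The product names, component package URLs and the advisory are constructed and refer to no real software or real vulnerability; the CycloneDX JSON layout and the half-open [introduced, fixed) version range are assumptions about how such data would be stored.

```python
"""Locate deployed products affected by a component advisory via their SBOMs.

Added example, not code from the CAICT forum, the SBOM white paper, or any
vendor named on the page. Product names, purls and the advisory are
constructed for illustration and refer to no real software or vulnerability.
"""
import json
import re
from dataclasses import dataclass

# Constructed CycloneDX 1.4-style SBOMs, one per deployed product, stored as
# JSON text as an SBOM registry would hold them.
SBOMS_JSON = [
    json.dumps({
        "bomFormat": "CycloneDX", "specVersion": "1.4",
        "metadata": {"component": {"name": "payments-gateway", "version": "3.2.0"}},
        "components": [
            {"type": "library", "purl": "pkg:maven/org.example/json-parser@2.4.1"},
            {"type": "library", "purl": "pkg:maven/org.example/tls-lib@1.9.0"},
        ],
    }),
    json.dumps({
        "bomFormat": "CycloneDX", "specVersion": "1.4",
        "metadata": {"component": {"name": "mobile-api", "version": "7.0.3"}},
        "components": [
            {"type": "library", "purl": "pkg:maven/org.example/json-parser@2.6.0"},
            {"type": "library", "purl": "pkg:npm/%40example/ui-kit@4.1.2"},
        ],
    }),
    json.dumps({
        "bomFormat": "CycloneDX", "specVersion": "1.4",
        "metadata": {"component": {"name": "batch-settlement", "version": "1.4.0"}},
        "components": [
            {"type": "library", "purl": "pkg:maven/org.example/json-parser@2.3.9"},
        ],
    }),
]


@dataclass(frozen=True)
class Advisory:
    """Constructed advisory: package coordinates plus [introduced, fixed) range."""
    purl_prefix: str   # pkg:type/namespace/name, without version or qualifiers
    introduced: str
    fixed: str


def parse_purl(purl: str):
    """Split a package URL into (coordinates, version); qualifiers/subpath dropped."""
    m = re.match(r"^(pkg:[^@?#]+)(?:@([^?#]+))?", purl)
    if not m:
        raise ValueError(f"not a purl: {purl}")
    return m.group(1), m.group(2)


def version_key(v: str):
    """Dotted version to a comparable tuple; numeric parts compare as ints,
    non-numeric parts (e.g. 'rc1') sort below any number."""
    return tuple((1, int(p)) if p.isdigit() else (0, p) for p in v.split("."))


def is_affected(version: str, adv: Advisory) -> bool:
    """True when introduced <= version < fixed (the fixed version itself is clean)."""
    k = version_key(version)
    return version_key(adv.introduced) <= k < version_key(adv.fixed)


def locate(sbom_docs, adv: Advisory):
    """Return [(product@version, purl)] for every affected component across all SBOMs."""
    hits = []
    for doc in sbom_docs:
        bom = json.loads(doc)
        if bom.get("bomFormat") != "CycloneDX":
            raise ValueError("unsupported SBOM format")
        meta = bom["metadata"]["component"]
        product = f"{meta['name']}@{meta['version']}"
        for comp in bom.get("components", []):
            coords, ver = parse_purl(comp["purl"])
            if coords == adv.purl_prefix and ver and is_affected(ver, adv):
                hits.append((product, comp["purl"]))
    return hits


if __name__ == "__main__":
    # Constructed advisory: json-parser 2.4.0 up to (not including) 2.5.2 is affected.
    adv = Advisory("pkg:maven/org.example/json-parser", "2.4.0", "2.5.2")
    for product, purl in locate(SBOMS_JSON, adv):
        print(f"{product} ships affected component {purl}")
```

Matching on the version-less purl coordinates rather than on a bare component name avoids false hits between same-named packages in different ecosystems, and the half-open range means a product already on the fixed version is not flagged; both are the details that make the answer actionable when an incident response team asks "where do we run this?".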
Zhang Wenkai, senior security researcher at Tencent Security, analyzed in detail the "Technical Practice of Artifact Scanning under Supply Chain Security", focusing on the importance of artifact (build product) detection when applying DevSecOps to supply chain security and on the challenges and implementation of the related analysis technologies. He discussed the necessity of artifact scanning for supply chain security, the position of artifact scanning in the R&D process and the technical requirements arising from its usage scenarios, the significance of binary software composition analysis in artifact scanning and the implementation of its technical details, and the challenges and significance of building an open source component knowledge base.
From the perspective of software supply chain security research results, Ling Yun, senior solution architect at Hangjing Security, shared "Trends and Best Practices in Software Supply Chain Security Governance". He said that Hangjing Security, combining years of agile security implementation experience with its software supply chain security research results, has explored a third-generation DevSecOps intelligent adaptive threat management system based on its patented "agile process platform + key technology toolchain + componentized software supply chain security services", helping enterprises build an endogenous active defense system that adapts to the elastic development of their own business, is oriented to agile business delivery, and leads future architecture evolution.
With the release of several software supply chain security deliverables and sharing of great practical value, the forum concluded successfully. In the future, CAICT will continue to cooperate closely with all parties in the industry, formulating relevant standards and holding forums to promote the safe, orderly and healthy development of the software supply chain, supporting the digital transformation of all industries and the construction of Digital China.