[Industry News] Green League Technology released the "Software Supply Chain Security Technology White Paper"

Author: Information Security Research    Time: 2022.07.20

On July 18, the "2022 China Cyberspace Emerging Technology Security Innovation Forum (Cloud Security Sub-Forum)", hosted by Green League Technology, a partner of this magazine, was held in Shenzhen. At the meeting, Green League Technology released the "Software Supply Chain Security Technology White Paper", a significant step toward building the domestic software supply chain ecosystem.

The information and communication technology (ICT) industry chain carries the important task of China's transformation and upgrading from industrialization to digitalization. The software supply chain is an important part of the ICT supply chain and the basis for the smooth operation of all kinds of critical information infrastructure. Keeping the core links of the life cycle (design, development, deployment, monitoring and continuous operation) secure and controllable has become a key consideration in network security.

At the conference, Chen Jing, a senior researcher at the Tianyuan Laboratory of Green League Technology Group, delivered a speech. She said that, judging from software supply chain attack incidents in recent years, intrusions into the open source ecosystem, such as open source communities and public open source repositories, are comparatively serious. Therefore, security certification management of supply chain products needs to be strengthened at the regulatory level, providing enterprises with SBOM custody and trusted certification services. Enterprises also need to improve supply chain asset management and security inspection, so that they can respond calmly when monitoring raises an early warning.

Chen Jing, senior researcher at Tianyuan Laboratory of Green League Technology Group

At the same time, to cope with software supply chain threats, upstream companies need to build a software component list (SBOM) for their own products to sort out software supply chain information and provide downstream companies and users with clear and transparent software supply chain management. An SBOM can be classified as opaque, slightly transparent, translucent or transparent according to the granularity of the components it lists. A highly transparent SBOM can significantly improve the accuracy of end users' software supply chain security assessments.

In addition, Chen Jing further explained the upstream and downstream relationships in the enterprise supply chain. She said that during the software development life cycle, vulnerabilities are introduced in the development stage not only while writing code but also through the open source components and the development and build tools that the development stage depends on. Following the software development and build process, enterprises need to build the capability to assess the security of the development process. In the software delivery stage, the supplier, in addition to ensuring the security of the software itself, should also deliver the SBOM to downstream companies, so that the entire upstream and downstream of the software supply chain have the basic conditions to analyze and evaluate software supply chain security against third-party information such as security notifications and threat intelligence monitoring. After supply chain software products are delivered and put into operation, the supplier shall provide security services throughout the product's life cycle and fix product vulnerabilities in a timely manner. End users shall also bring the listed components into the scope of corporate asset management according to the SBOM provided by the supplier, carry out security assessments, and combine them with vulnerability warnings to harden and repair affected products.
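The two points above, that an SBOM is only as useful as its granularity and that the end user's job is to cross-reference the delivered SBOM against vulnerability warnings, can be shown in a few lines of code. The example below is added here and is not code from the article or from the white paper. It assumes a CycloneDX-like JSON layout (bomFormat, components, purl) for the two constructed SBOMs, an invented advisory feed with hypothetical IDs (ADV-0001 and so on, not real CVEs), and a simplified numeric version-range syntax; all names and data are made up for illustration.

```python
"""Cross-referencing a delivered SBOM against a vulnerability advisory feed.

Added example, not part of the article or the white paper. The SBOM documents,
the component names and the advisory feed are all constructed; the field names
loosely follow CycloneDX but the data is invented, and the version-range
handling is a simplification (dotted numeric versions only).
"""
import json
import re
from typing import Dict, List, Tuple

# Constructed: a "transparent" SBOM that enumerates the product's components.
TRANSPARENT_SBOM = json.dumps({
    "bomFormat": "CycloneDX",
    "specVersion": "1.4",
    "metadata": {"component": {"name": "acme-gateway", "version": "3.2.0"}},
    "components": [
        {"name": "libfoo", "version": "1.4.2", "purl": "pkg:generic/libfoo@1.4.2"},
        {"name": "jsonparse", "version": "2.0.7", "purl": "pkg:generic/jsonparse@2.0.7"},
        {"name": "tlswrap", "version": "0.9.1", "purl": "pkg:generic/tlswrap@0.9.1"},
    ],
})

# Constructed: an "opaque" SBOM for the same product that names only the product itself.
OPAQUE_SBOM = json.dumps({
    "bomFormat": "CycloneDX",
    "specVersion": "1.4",
    "metadata": {"component": {"name": "acme-gateway", "version": "3.2.0"}},
    "components": [],
})

# Constructed advisory feed with hypothetical IDs (not real CVEs).
ADVISORIES = [
    {"id": "ADV-0001", "name": "jsonparse", "affected": "<2.1.0", "fixed": "2.1.0"},
    {"id": "ADV-0002", "name": "tlswrap", "affected": ">=0.9.0,<0.9.3", "fixed": "0.9.3"},
    {"id": "ADV-0003", "name": "libfoo", "affected": "<1.4.0", "fixed": "1.4.0"},
]


def parse_version(v: str) -> Tuple[int, ...]:
    """Turn a dotted numeric version into a comparable tuple; non-numeric parts are dropped."""
    return tuple(int(p) for p in re.findall(r"\d+", v))


_OPS = {
    "<": lambda a, b: a < b,
    "<=": lambda a, b: a <= b,
    ">": lambda a, b: a > b,
    ">=": lambda a, b: a >= b,
    "==": lambda a, b: a == b,
}


def version_in_range(version: str, spec: str) -> bool:
    """True when version satisfies every comma-separated constraint in spec, e.g. '>=0.9.0,<0.9.3'."""
    v = parse_version(version)
    for constraint in spec.split(","):
        m = re.fullmatch(r"\s*(<=|>=|==|<|>)\s*([0-9.]+)\s*", constraint)
        if not m:
            raise ValueError(f"unsupported constraint: {constraint!r}")
        op, bound = m.groups()
        if not _OPS[op](v, parse_version(bound)):
            return False
    return True


def load_components(sbom_json: str) -> List[Dict[str, str]]:
    """Return the component entries of an SBOM document as name/version dicts."""
    doc = json.loads(sbom_json)
    return [{"name": c["name"], "version": c["version"]} for c in doc.get("components", [])]


def match_advisories(sbom_json: str, advisories: List[Dict[str, str]]) -> List[Dict[str, str]]:
    """List every (advisory, component) pair where the delivered version falls in the affected range."""
    findings = []
    for comp in load_components(sbom_json):
        for adv in advisories:
            if adv["name"] == comp["name"] and version_in_range(comp["version"], adv["affected"]):
                findings.append({"advisory": adv["id"], "component": comp["name"],
                                 "installed": comp["version"], "fixed": adv["fixed"]})
    return findings


if __name__ == "__main__":
    # The transparent SBOM yields two actionable findings; the opaque one yields none,
    # even though the product ships exactly the same components.
    for label, sbom in (("transparent", TRANSPARENT_SBOM), ("opaque", OPAQUE_SBOM)):
        hits = match_advisories(sbom, ADVISORIES)
        print(f"{label} SBOM: {len(hits)} affected component(s)")
        for h in hits:
            print(f"  {h['advisory']}: {h['component']} {h['installed']} -> upgrade to {h['fixed']}")
```

Run as a script, the transparent SBOM surfaces the jsonparse and tlswrap advisories while the opaque SBOM surfaces nothing, which is the accuracy gap the speaker refers to. In practice the advisory feed would be a real vulnerability database keyed by package URL rather than bare names, and the version comparison would need to follow each ecosystem's own ordering rules; both are deliberately simplified here.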

Through continuous technological iteration and rapid industry development, the software supply chain has gradually formed a huge industrial ecosystem that includes technical systems, diverse product components, and developers, suppliers and consumers. Software supply chain security directly affects the security of critical infrastructure and the digital economy. As an active participant in building China's trusted security ecosystem, Green League Technology has launched the "Software Supply Chain Security Technology White Paper", which aims to sort out the security problems in the software supply chain from the perspective of software supply chain security threats and the domestic and foreign situation, distill the core concepts, technical framework and key technologies of software supply chain security governance, and give solutions and best practices from the perspective of supply chain security supervision and control, hoping to bring readers new technical thinking and help the development of China's software industry.

- END -