Vulnerabilities emerge one after another, and open source software must tighten the “safety valve”


Science and Technology Daily reporter Liu Yuanyuan

How many pieces of software have you opened today?

We are woken up by software, use software to hail a taxi, order takeout and shop, get our work done with the help of various software, and fall asleep at night listening to music in software. All kinds of software are convenient, fast and efficient, even interesting and fun, which makes us love them. But are they safe?

At the two sessions of the National People’s Congress this year, a number of representatives and members from the Internet field sounded the alarm: today, when software is always at your fingertips, the defenses against the security risks behind it need to be strengthened.

On average, there are about 158 vulnerabilities per codebase

“More than 90% of cloud server operating systems and more than 80% of mobile operating systems worldwide are based on open source software.” Zhou Hongyi, member of the CPPCC National Committee and founder of 360 Group, paid special attention to the security risks of open source software this year.

In Zhou Hongyi’s view, as long as software is written by people it will contain vulnerabilities, and open source software is no exception. He noted that each codebase contains about 158 vulnerabilities on average. These vulnerabilities are inherited by the software built on top of that code, which affects the security of that software itself.

“The modern software industry is highly dependent on the existence of open source systems. Open source code and its code hosting services have become an important part of the software security engineering system.” Xiao Xinguang, member of the National Committee of the Chinese People’s Political Consultative Conference and founder of Antiy Group, also paid close attention to this.

Xiao Xinguang said that in recent years there have been many security incidents, such as open source software vulnerabilities, open source project pollution and maintainers deleting their code; the use of open source platforms by certain countries as a means of sanctions against other countries deserves even greater vigilance.

“Open source software developers come from different countries and backgrounds, and access to view, modify and add source code is relatively open, which makes it easy for a ‘back door’ to be implanted. At the same time, much of the open source code in the industry is used directly or with only minor modifications, so unknown security risks are easily buried in it.” Zhou Hongyi said.

What worries Zhou Hongyi is that the systems running in banking, energy, national defense, medical treatment, electric power and other important industries use a great deal of open source software. Because of the openness of the open source ecosystem, these systems carry a large number of security vulnerability risks which, if maliciously exploited, could shake the security of China’s key information infrastructure.

Conduct a “mapping” of key information infrastructure

In fact, it is not only open source software: security risks across the whole software field cannot be ignored.

“The modern software development and delivery process is extremely complex, involving the compilation environment and various class libraries, open source code, public development packages, middleware and so on, and the software delivery process involves complex supporting relationships.” Xiao Xinguang noted that the lack of transparency of software components and dependencies, together with the lack of supporting security verification mechanisms, makes it difficult to trace the scope of impact of software defects and hidden threats.

On the other hand, Xiao Xinguang pointed out that the current security standards and specifications for software development lag behind and do not cover the whole life cycle. There is still great room for improvement in software planning, requirements definition, design and development, and the corresponding testing and verification. The safeguard mechanisms and standards for software security have not yet formed a unified system.

In the face of these situations and problems, representatives and members put forward many countermeasures.

Zhou Hongyi suggested conducting a general survey of key information infrastructure and important information systems to take stock of the open-source software in use (find out its “family background”), accurately grasp its type, license, source and other basic information, uncover system vulnerabilities and put security risk management in place.

“It is suggested to establish a security responsibility system for software enterprises and make it clear that software enterprises should undertake whole-life-cycle security management of open source software.” Zhou Hongyi also proposed encouraging Chinese software developers to actively participate in the international open source community and to promote vulnerability discovery in international open source software.

“It is suggested that the competent department should take the lead in establishing a mechanism to promote the transparency of the software supply chain in key industries. At the same time, the corresponding detection and verification capabilities should be regarded as a mandatory requirement for key software, equipment and systems.” Xiao Xinguang said.

Xiao Xinguang added that while accelerating the construction of the open source ecosystem in the software industry, we should promote a series of special projects, strengthen open source ecosystem security and software ecosystem security, and establish a corresponding security monitoring mechanism. In addition, a series of engineering recommendations and mandatory requirements with software security as the primary goal should also be formulated.
