Currently, enterprises rely heavily on digital software to expand their business. With the rise of open source technology and cloud native architecture, the structure of software supply chains is becoming increasingly complex, making supply chain security issues more prominent. According to the "Software Supply Chain Security Status Survey Report" released by the well-known foreign security vendor ReversingLabs, attacks on the software supply chain grew exponentially from 2020 to 2022, with frequent occurrences of attack methods such as "malicious tampering," "backdoor implantation," and "supply chain hijacking," further exacerbating the security risks of the software supply chain.
With the rapid development of technology, software supply chain security has become a common concern for countries around the world. Software supply chain risk not only concerns the interests of enterprises and individuals, but also directly threatens the security and stability of the country. Unfortunately, however, many people do not have a comprehensive understanding of the software supply chain and have insufficient awareness of its complexity and potential security threats.
In this issue of "Ning Dian Interview", Jian Zhigang, Deputy General Manager of Shenzhen Kaiyuan Internet Security Technology Co., Ltd., introduces software supply chain security in plain terms.
Shenzhen Kaiyuan Internet Security Technology Co., Ltd. was founded in 2013. It is a leader in China's software security industry and one of the top 100 network security enterprises. The group comprises 2 national high-tech enterprises, 1 national specialized and innovative "little giant" enterprise, and 1 Shenzhen specialized and innovative enterprise. To date, the company has applied for more than 330 patents and participated in the compilation of over 30 national and industry standards.
Jian Zhigang, a network security industry expert at the National Cybersecurity Base, has worked for 20 years in software development, network security system integration, software security, and related fields. He participated in the compilation of "Information Security Technology - Government Website System Security Guidelines" (GB/T 31506-2022), "Information Security Technology - Network Security Level Protection Application Software Development Security Management Specification" (T/ISEAA 008-2024), and "Software Supply Chain Security Requirements" (T/ISC 0044-2024). He has been appointed as an external expert for the Postal Industry Security Center of the State Post Bureau and as Deputy Director of the Network Security Engineering Technology Research Center in Longhua District, Shenzhen. He is currently mainly responsible for the implementation of the company's software supply chain security business in digital cities.
Usually, when we mention supply chain, we mostly focus on some physical products. So, what are the differences between software supply chain and traditional physical product supply chain, and how do we understand software supply chain security?
Jian Zhigang: Firstly, let's explore traditional supply chains, especially the food supply chain, as it shares structural similarities with software supply chains. The food supply chain includes planting, production and processing, logistics and transportation, as well as terminal sales and consumer use. These four links form a complete chain, and the safety of the food supply chain is to eliminate the safety risks in every link of this chain.
However, in practice, we have found that even with national standards and inspection and testing methods, safety incidents related to the food supply chain still occur frequently. For example, recently a certain brand's product was found to have discrepancies between the detected substances and the ingredient list after being sent for inspection by consumers. Also, the "Fat Donglai" supermarket has implemented stricter food safety testing measures for vegetables on its shelves. It built its own testing laboratory and tested certain foods such as garlic sprouts for up to three years; if they failed the tests, they were not put on the shelves, providing customers with a crucial gateway to food safety. All of this reflects that in the supply chain, even if there are no problems in the production process, there may still be food safety hazards in the transportation and sales processes that do not meet edible standards.
In addition to the food supply chain, we can also see that industries like automobiles are facing more severe supply chain security risks, especially intelligent connected vehicles. The country has introduced two mandatory national standards this year, which provide comprehensive requirements for the information security of the entire vehicle. However, compared to the traditional food industry, the supply chain security standards in the software field are still relatively lacking.
Now, let's take a look at the software supply chain. The software supply chain has a more complex network structure, which can be viewed from both internal and external perspectives. Firstly, standing within the software product, it is necessary to ensure the health of the software itself at all stages of its lifecycle, that is, high quality and security; secondly, looking at the entire chain of software products from an external, higher-dimensional perspective, it is necessary to ensure the stability of the entire chain, namely availability and resilience.
The national standard "Network Security Technology - Software Supply Chain Security Requirements" (GB/T 43698-2024), which we participated in writing, takes an external perspective to examine the risks of each link in the entire software chain and propose response strategies. Simply put, software supply chain security involves three roles: supplier, purchaser, and third-party testing, and also involves three stages: development, delivery, and use. Different roles need to adopt corresponding measures and methods to address the security risks faced in different stages.
What are the main security risks in the software supply chain? Are there any typical cases of software supply chain security threats in reality?
Jian Zhigang: From the perspective of software products, the security risks in the software supply chain involve multiple links. Firstly, let's take a look at the production process, which is the software development phase. A typical case in this stage is the unofficial version of Apple's integrated development tool Xcode that was contaminated by malicious code in 2015. This virus-injected version of Xcode was widely used, contaminating multiple well-known apps and affecting a large number of applications in the App Store. This incident reveals that development tools themselves may become a source of security risks. In fact, due to the lack of self-developed software development tools, the domestic software development environment faces greater risks.
In addition to development tools, software production also relies on external production materials, such as open source software. In recent years, the risks of open source software have gradually been exposed, becoming a focus of software supply chain security. For example, in 2021 two serious security vulnerabilities were exposed in the well-known open-source project Apache Log4j, allowing attackers to remotely execute arbitrary code and control the target machine. This vulnerability affected numerous users worldwide, including multiple large commercial applications. In addition, the licensing of open source software is also a risk point. Different open source software has different licensing methods, and if not handled properly, it may face commercial risks or legal disputes.
In the software development process, the quality and skills of personnel are also important factors that affect software quality. If developers lack the ability or are careless, they may write software with low quality or vulnerabilities. Therefore, the security of the software supply chain also needs to consider personnel training and management.
The next step is the transmission process. In this process, the software may pass through multiple nodes from the manufacturer to the user, and each node may have security risks. For example, the famous 'SolarWinds' incident refers to the SolarWinds supply chain attack, in which hackers exploited vulnerabilities in SolarWinds' network management software and compromised multiple federal agencies and Fortune 500 companies in the United States. This was a highly complex attack with wide impact, long latency, and strong concealment. This incident indicates that strict verification and testing of software is necessary during transmission to ensure that it has not been tampered with or implanted with malicious code.
Finally, there is the usage phase. Even if the software is safe during production and transmission, it may still face risks during use. For example, a cybersecurity expert in the education industry in Guangxi told me of a case where, during attack and defense drills, the attacking team would obtain the system source code on GitHub for code auditing to identify security vulnerabilities, and then exploit these vulnerabilities for attacks. At the same time, open source components may be exposed to serious vulnerabilities during use, and timely measures need to be taken to fix them. Therefore, software users need to establish effective vulnerability response mechanisms to ensure rapid response and repair after discovering vulnerabilities.
From a broader perspective, the security of the software supply chain also involves national security and industrial security. If the software supply chain is controlled or disrupted by external forces, it may lead to the interruption or paralysis of the entire industry chain. For example, in the Russia-Ukraine war, the United States restricted Russia's ability to access some open source information and software. In addition, if there is malicious code or backdoors in the software, it may pose a serious threat to national security. Therefore, strengthening the security protection and supervision of the software supply chain is crucial.
We can take a series of measures to strengthen the security of the software supply chain in response to the above risks. Firstly, it is necessary to establish an effective security assessment and testing system to conduct comprehensive security testing and evaluation of the software. Secondly, it is necessary to strengthen personnel training and management, and improve the security awareness and skill level of developers. In addition, it is necessary to promote the integration of industry and education, as well as school enterprise cooperation, to cultivate more software security professionals. Finally, it is necessary to strengthen international cooperation and exchanges to jointly address the challenges faced by software supply chain security.
Taking Kaiyuan Internet Security as an example, we have developed our own methodology and theoretical system, and supported the construction of multiple domestic software security related standards. We have participated in the release of multiple national and local standards, and are promoting the integration of industry and education and school-enterprise cooperation. In addition, we have developed a series of platform tools to enhance the security protection and detection capabilities of the software supply chain. These achievements have been applied and promoted in multiple cities and industries.
Finally, let's talk about the future of this industry, the software supply chain security industry, especially in China. What kind of development will the software supply chain security industry have in the future? Is full autonomy a necessary path?
Jian Zhigang: Indeed, as we mentioned earlier at the macro level, there are issues in the software supply chain that we need to address. These issues mainly include three aspects: the first is autonomy, that is, domestic autonomy and controllability; the second is the maturity of the software industry chain or industry; the third is security development capability.
From these three perspectives:
Firstly, regarding autonomy, in China CPUs, operating systems, databases, and other areas have already achieved independent and controllable capabilities, and the domestic ecosystem of basic software is gradually forming. However, at the application software level, especially in common applications, a large amount of open source software is used, and 90% or even more than 95% of this open source software comes from foreign platforms. In addition, the degree of autonomy of industrial software is lower. In order to enhance autonomy, the country, mainly the Ministry of Industry and Information Technology, is introducing a series of guiding policies to encourage domestic universities and enterprises to jointly develop industrial software, while also encouraging the development of the domestic open source industry.
Secondly, regarding maturity, to be honest, the maturity of software engineering is relatively low compared to industries such as construction, food, and even traditional automobile manufacturing. In order to enhance maturity, we need to establish more standards and continuously standardize related work. This can not only improve the autonomy rate, but also enhance the resilience of the software industry supply chain. At the national level, efforts are also being made to improve the comprehensive network security system, which includes the software suppliers, demanders, and third-party testing institutions mentioned earlier.
Finally, regarding security development capabilities, this is a support for digital capabilities. Now, cities and localities, large central and state-owned enterprise groups, including listed companies, are all enhancing their digital capabilities. Software supply chain security, as a support for digital capabilities, is gradually receiving attention. These institutions or enterprises not only need to possess traditional network security capabilities, but also need to have the ability to build and guarantee software supply chains. Traditional software developers will face increasingly strict requirements for software security and quality, and thus actively or passively improve their security development capabilities. The above areas are where Kaiyuan Internet Security can provide services.
Overall, from macro to micro, China's software supply chain security system will gradually improve, laying the foundation for the high-quality development of our software industry.
Copyright: Qingqiao International Security Group. ICP filing number: 鄂ICP备2021010908号