Vulnerabilities emerge in an endless stream, and open source software must tighten the "safety valve"

Voices from the Two Sessions

By our reporter Liu Yuanyuan

How many apps have you opened today?

We are woken up by software, use software to hail taxis, order takeaway, shop and work, and fall asleep at night listening to music in yet another app.

A variety of software is convenient, fast, efficient, and even interesting and fun, so we can't put it down.

But are they safe?

At this year's Two Sessions, a number of delegates from the Internet sector sounded the alarm: today, with software at everyone's fingertips, the security protections behind it urgently need to be strengthened.

On average, there are about 158 vulnerabilities per codebase

"More than 90% of cloud server operating systems and more than 80% of mobile operating systems worldwide are based on open source software." Zhou Hongyi, member of the National Committee of the Chinese People's Political Consultative Conference and founder of 360 Group, paid special attention to the security risks of open source software this year.

In Zhou Hongyi's view, any software written by humans is bound to have vulnerabilities, and open source software is no exception.

He noted that, on average, there are about 158 vulnerabilities in each codebase, and these vulnerabilities are inherited by the software built on that code, thereby affecting its security.

"The modern software industry is highly dependent on the existence of open source systems. Open source code and the code hosting services it uses are already an important part of the software security engineering system." Xiao Xinguang, member of the National Committee of the Chinese People's Political Consultative Conference and founder of Antiy Group, also paid close attention to this.

Xiao Xinguang said that in recent years there have been many security incidents such as open source software vulnerabilities, open source project pollution, and code deletion by maintainers; the use of open source platforms by certain countries as a means of sanctioning other countries is even more worthy of vigilance.

"Developers of open source software come from different countries and backgrounds. Permissions to view, modify and add to source code are relatively open, so it is easy for 'backdoors' to be implanted and for unknown security risks to be buried." Zhou Hongyi said.

What worries Zhou Hongyi is that open source software is widely used in systems running in important industries such as banking, energy, national defense, medical care, and electric power.

Given the open ecosystem of open source software, if it contains a large number of security vulnerabilities and these are maliciously exploited, that alone is enough to shake the security of the country's critical information infrastructure.

Taking stock of critical information infrastructure

In fact, it is not only open source software: security risks across the entire software field cannot be ignored.

"The modern software development and delivery process is extremely complex, involving the build environment and various libraries, open source code, public development kits, middleware, and so on. The software delivery process involves complex support relationships." Xiao Xinguang noted that the lack of transparency in software component and dependency relationships, together with the lack of supporting security verification mechanisms, makes it difficult to trace and track the impact of software defects and hidden threats.

On the other hand, Xiao Xinguang pointed out that current software development security standards and specifications lag behind and do not cover the entire life cycle. There is still great room for improvement in software planning, requirement definition, design and development, and the corresponding testing and verification.

A unified system of assurance mechanisms and standards for software security has not yet formed.

Faced with this state of affairs and these problems, the delegates put forward many countermeasures.

Zhou Hongyi suggested that a census be carried out on critical information infrastructure and important information systems, to get a clear picture of where open source software is used, to accurately grasp basic information such as its type, license, and source, and to conduct system vulnerability mining and lay out security risk management.

"It is recommended to establish a software enterprise security responsibility system, making it clear that software enterprises undertake full life cycle security management of open source software." Zhou Hongyi also proposed encouraging Chinese software developers to actively participate in the international open source community and promote vulnerability mining in international open source software.

"It is recommended that the competent authorities take the lead in establishing a mechanism to promote the transparency of the software supply chain in key industries. At the same time, the corresponding testing and verification capabilities should be regarded as mandatory requirements for key software, equipment and systems." Xiao Xinguang said.

Xiao Xinguang added that while accelerating the construction of the software industry's open source ecosystem, a series of special projects should be promoted to strengthen open source ecosystem security and software ecosystem security, and a corresponding security monitoring mechanism should be established.

In addition, a series of recommended engineering standards and mandatory requirements with software security as the primary goal should be formulated.