On March 22, 2021, Xuanjing Security, a leading DevSecOps agile security vendor, announced the completion of a Series A financing round of nearly 100 million yuan. The round was led by Tencent Industrial Ecological Investment, with continued participation from Sequoia China. Following the deal, Hangjing Security will deepen its strategic cooperation with Tencent's industrial investment ecosystem, integrating its next-generation agile security system into Tencent's public cloud, private cloud and industry-facing agile security solutions. It will also continue to expand its large-scale product and service delivery capacity in North China, East China, South China, Central China, Southwest China and other regions, accelerating coverage of enterprise security markets such as finance and e-commerce, energy and power, intelligent manufacturing, telecom operators and leading Internet companies.
Tencent Industrial Ecological Investment, the lead investor in this round, said that against the background of security shifting left, agile development and Xinchuang, domestic DevSecOps is entering a period of huge growth. Hangjing Security's products are widely used in finance, energy and power, telecom operators and leading Internet companies, and its products and technical strength are in a leading position. Tencent will further deepen cooperation and strategic synergy with Hangjing Security and jointly build a next-generation agile security system for the industry.
Zhai Jia, Managing Director of Sequoia China, the exclusive lead investor in the previous round, said: "Embedding security into the DevOps process to form DevSecOps is in line with the current trend toward agile development, enabling security to 'shift left' and 'shift right'. DevSecOps penetrates the entire software life cycle from R&D to operations, helping companies detect and fix vulnerabilities during the software development stage and reducing costs and risks. This is an emerging and important direction for network security. Hangjing, which has cultivated this field continuously, has a leading advantage and has built deep industry barriers; its business is progressing rapidly, with benchmark customers in many industries, and its long-term development prospects are promising."
Hangjing Security focuses on integrated detection and defense against continuous threats in the DevSecOps software supply chain. Its Hangjing DevSecOps intelligent adaptive threat management system mainly covers the development-and-operations integration of key links such as threat modeling, open source governance, risk discovery, threat simulation, and detection and response. Its agile security products and government and enterprise security services, built around real-world offensive and defensive confrontation, help government and enterprise organizations gradually build an endogenous security development and operations system that adapts to the elastic development of their own business, is oriented to agile business delivery and leads future architecture evolution. Enterprises and institutions that practice the agile security concept and use the Hangjing solution include China UnionPay, Bank of China, Industrial and Commercial Bank of China, Ping An, China Securities, Sinopec, PetroChina, China Telecom Research Institute, China Sports Lottery, People's Daily Online, State Grid, Peking University, ZTE, the China Academy of Engineering Physics and many other industry benchmark users.
Agile security governance starts at the source of development
According to an authoritative third-party survey, nearly 92% of known security vulnerabilities occur in software applications, and at least one business logic flaw occurs in every 1,000 lines of application code. In addition, 78% to 90% of modern applications incorporate open source components, with an average of 147 open source components per application, and 67% of applications use open source components with known vulnerabilities. At present, apart from internal self-testing, most government and enterprise users learn of vulnerabilities in their business applications from external third-party security researchers or security vendors. Across the software development life cycle, the cost of fixing a vulnerability differs greatly by stage: the cost of a fix during R&D and testing and the cost of the same fix once the application is in production can differ by a factor of hundreds. Moving security work earlier, eliminating vulnerability risks and open source threats before they ship, and preventing applications from going live with known defects are therefore urgent and necessary for the security of the software supply chain.
Lingmai IAST, a gray-box security testing platform and one of Hangjing Security's flagship products, is the application risk discovery platform for the pre-release testing link of the Hangjing DevSecOps intelligent adaptive threat management system. It combines runtime application instrumentation (including dynamic taint tracking and interactive defect location), terminal traffic proxying, bypass traffic mirroring, host traffic sniffing, heuristic crawling, real-time web log analysis and Hangjing's own AI-inspired penetration testing technology. With it, a customer organization can quickly set up an internal crowdsourced security testing model in which staff who are not security specialists (developers, testers, QA and so on) carry out in-depth business security testing transparently while completing ordinary functional testing; the platform also monitors open source risks. Hangjing states that it accurately covers more than 95% of medium- and high-severity vulnerabilities and effectively prevents applications from going live with known defects.
Continuous offensive and defensive confrontation keeps a finger on the pulse of security
Sun Tzu wrote in The Art of War: "The art of war teaches us to rely not on the likelihood of the enemy's not coming, but on our own readiness to receive him; not on the chance of his not attacking, but rather on the fact that we have made our position unassailable." Offensive and defensive confrontation is a perennial theme of network security construction and the most direct way to test how well an existing defensive system holds up against unknown threats. The bug bounty included in the "golden pipeline" presented at RSAC 2018 is one instance: in essence it encourages building an offense-defense confrontation system, with measures such as continuous crowdsourced security testing and irregular attack-and-defense drills, supplemented by supporting detection and response capabilities.
Lingmai PTE, an intelligent penetration testing platform and another of Hangjing Security's flagship products, is the threat simulation platform for the operations link of the Hangjing DevSecOps intelligent adaptive threat management system. It converts the hands-on experience that security experts accumulate over large numbers of penetration tests into structured experience that machines can store, recognise and process, and during automated testing uses artificial intelligence algorithms to make continuous "self-thinking" and logical reasoning decisions. In a manner close to that of an expert tester, it carries out the full penetration testing process against a given target, from information gathering, scanning and probing, vulnerability discovery and vulnerability exploitation through to post-exploitation, comprehensively checking the effectiveness of the customer's existing security defenses. It continuously and dynamically assesses the target organization's security posture from the perspective of a "real attacker", compensating for uneven skill levels among security staff and the low efficiency of manual testing.
Building business immunity through situational defense
With the development of cloud-native technologies and the rapid spread of DevSecOps practices, network security is evolving from perimeter security through host security to application security, and the focus of next-generation application security will be dynamic security at runtime.
Cloud Shark RASP, an adaptive threat immunity platform and Hangjing Security's latest active network defense product, serves as the detection and response platform for the operations link of the Hangjing DevSecOps intelligent adaptive threat management system. Key technologies such as an immune algorithm, a runtime security aspect scheduling algorithm and a deep traffic learning algorithm combine the core techniques of RASP and IAST. The platform "injects" active defense capabilities into business applications and uses application context analysis to capture and defend against attack methods that bypass traffic-based detection (such as segmented transmission and encoding transformation), providing endogenous active security immunity that is both business-aware and functionally decoupled, and opening an innovative path toward secure-by-default business applications.
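The dynamic taint tracking mentioned for Lingmai IAST above and the sink-side context analysis described for Cloud Shark RASP here rest on the same idea: mark data at the point it enters the application, propagate that mark through string operations, and decide at the dangerous call (the sink) on the value the program actually uses, after every decode and concatenation. The following Python sketch is an added illustration of that idea, not code from Hangjing Security or any of its products; the Tainted type, the handler, the parameter names and the request strings are constructed for the example, and the single-pass transport check stands in for the kind of traffic filter that a double-encoded or split payload gets past, not for any real WAF.

```python
"""Toy IAST/RASP-style sink check built on dynamic taint tracking.

Added illustration; not Hangjing code and not a model of any real WAF,
IAST or RASP product. Every name and request string here is constructed.
"""
import re
import urllib.parse

# Deliberately small set of shell metacharacters; '&' is left out only so
# the raw query-string separator does not trip the transport-level check.
SHELL_META = re.compile(r"[;|`$]")


class Tainted(str):
    """A str that remembers which untrusted source it came from.

    The overridden operators are the 'propagators' of a taint tracker:
    any string derived from untrusted input stays marked as untrusted.
    """

    def __new__(cls, value, origin="request"):
        obj = super().__new__(cls, value)
        obj.origin = origin
        return obj

    def __add__(self, other):
        return Tainted(str.__add__(self, str(other)), self.origin)

    def __radd__(self, other):
        # Reached for  literal + tainted  because Tainted subclasses str and
        # Python tries the subclass's reflected method first.
        return Tainted(str.__add__(str(other), self), self.origin)

    def replace(self, old, new, count=-1):
        return Tainted(str.replace(self, old, new, count), self.origin)


def url_decode(value):
    """Propagator for percent-decoding: output is untrusted iff input was."""
    decoded = urllib.parse.unquote(str(value))
    if isinstance(value, Tainted):
        return Tainted(decoded, value.origin)
    return decoded


def transport_check(raw_query):
    """Single-pass pattern match over the query string as it crosses the wire.

    Simplified on purpose: it models the class of check that a double-encoded
    or split payload slips past, not a real WAF.
    """
    return "block" if SHELL_META.search(raw_query) else "allow"


class RaspBlocked(Exception):
    """Raised by the sink hook when it refuses a tainted command."""


def run_shell(cmd):
    """Sink hook standing in for os.system / subprocess.

    It sees the exact string the application hands to the shell, after every
    decode and concatenation, so encoding tricks upstream cannot hide the
    metacharacter; constant (untainted) commands are left alone.
    """
    if isinstance(cmd, Tainted) and SHELL_META.search(cmd):
        raise RaspBlocked(f"metacharacter in tainted data from {cmd.origin}: {cmd!r}")
    return "executed: " + str(cmd)


def handle_request(raw_query):
    """Constructed handler that builds a shell command from two parameters.

    Concatenating two parameters at the sink models a 'segmented' payload;
    the second url_decode models the extra decode layer common in legacy code.
    """
    params = urllib.parse.parse_qs(raw_query, keep_blank_values=True)
    # Taint source: label every parameter as it enters the application.
    name = Tainted(params.get("name", [""])[0], origin="param:name")
    ext = Tainted(params.get("ext", [""])[0], origin="param:ext")
    filename = url_decode(name) + url_decode(ext)
    return run_shell("cat /var/reports/" + filename)


def evaluate(raw_query):
    """Return (transport verdict, sink outcome) for one constructed request."""
    verdict = transport_check(raw_query)
    try:
        outcome = handle_request(raw_query)
    except RaspBlocked as exc:
        outcome = "blocked: " + str(exc)
    return verdict, outcome


if __name__ == "__main__":
    for query in (
        "name=report&ext=.txt",          # benign
        "name=report&ext=.txt|id",       # plain metacharacter: both layers see it
        "name=report.txt%257C&ext=id",   # double-encoded and split: only the sink sees it
    ):
        print(query, "->", evaluate(query))
```

The third request passes the transport check because the `|` only exists after the application's own second decode and concatenation; the sink hook still refuses it and reports which parameter the data came from, which is the kind of interactive defect location an IAST agent feeds back to the tester. A production agent hooks the real `os.system`/`subprocess` entry points and propagates taint through far more operations (formatting, slicing, joins, codec calls) than the three overridden here.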
Latest research and practice results on DevSecOps
Drawing on years of practical experience in agile security implementation, Hangjing Security has developed a DevSecOps intelligent adaptive threat management system built on its own patented "agile process platform + key technology tool chain + componentized security service" model.
Figure 1: Hangjing DevSecOps Intelligent Adaptive Threat Management System
As a full-process AI security enablement platform for DevSecOps, it has emphasised soft, low-intrusion technical implementation since its inception. Starting from the key practice points that keep the DevSecOps CI/CD pipeline operating continuously, its key technological innovations in risk discovery, threat simulation, detection and response and other links enable the existing staff of government and enterprise organizations and help customers gradually build an endogenous security development and operations system that adapts to the elastic development of their own business, is oriented to agile business delivery and leads future architecture evolution.
Zi Ya, founder of Hangjing Security, said in an interview: "The essence of security is the balance between risk and trust. One thing Hangjing has been doing over the years is helping customers embrace change better and adapt faster to the popularization of cloud-native technologies, and do a good job of endogenous agile security." The Pyramid of DevSecOps Agile Security Tools, Hangjing Security's latest research and practice result, anticipates how the key technologies of DevSecOps will evolve and points the way for the subsequent systematic security construction of industry organizations.
Figure 2: Pyramid of DevSecOps Agile Security Tools
Business security goals in the digital age place more emphasis on assessing and analysing risk and trust, and that analysis is a process of dynamic balance. The traditional gate-style allow/block approach to security must give way to continuous assessment of business security risk through runtime context analysis. This means giving up the pursuit of absolute security: not insisting on zero risk, not demanding 100% trust, and instead reaching a dynamic balance of risk and trust somewhere between 0 and 1 through key technologies such as runtime threat immunity, linked risk governance and continuous monitoring.