2025-02-24 Update From: SLTechnology News&Howtos
Shulou(Shulou.com)06/01 Report--
The use of third-party code is a key factor in enabling enterprises to build new systems, products and platforms quickly and efficiently, as it can greatly shorten the development cycle and reduce the investment of manpower and capital. At present, most third-party code contains a large amount of open source code, which is mainly distributed in the form of binary code or source code.
Software security is a major concern in IoT, automotive, medical and other fields. A large number of code vulnerabilities with a disastrous impact on enterprises have been found in some well-known open source software.
For example, the Heartbleed event was caused by a high-risk memory information leakage vulnerability in OpenSSL, which can be used to steal the user data currently stored in the server's memory (64KB). The Venom event was caused by a virtual machine escape vulnerability, which allows attackers to break out of the restrictions of virtualization technology to access, monitor and control the host, and to access other virtual machines through host privileges. Events such as Linux Ghost and Equifax have had a serious impact on the data security of domestic and foreign enterprises and even countries.
Shanghai Control'an and the Nanyang University of Technology team in Singapore jointly developed the industrial software composition analysis tool SmartRocket Scanner. It retrieves the open source files associated with the binary files or source code uploaded by users, compares them with domestic and foreign databases, detects the security vulnerabilities and license concerns in the files, and provides corresponding information and repair suggestions.
This tool has a significant advantage in the analysis of C/C++ code. It is the first vulnerability scanning tool in China that uses a dual-engine mode to analyze both source code and binary files. It supports more than 10 mainstream programming languages, including C/C++.
Features and advantages
Comprehensive programming language support: supports 10+ programming languages (C, C++, Python, Java, JavaScript, PHP, etc.) and 20 different binary formats (.apk, .jar, .exe, .arm, etc.).
Low misjudgment rate: the misjudgment rate is < 7%; for Java, JavaScript, Python and other languages it can be less than 2%.
The R&D team updates the database information promptly and handles user feedback and suggestions, for a better user experience.
Diverse deployment methods: two deployment modes are supported, software as a service (SaaS) and on-premises (On Premise).
Main application areas
This tool can be widely used by IoT and hardware manufacturers, automobile manufacturers, software developers, financial electronic trading platforms, legal advisers, intellectual property consultants, government agencies and in other fields.