Military Industry

Practice of Building a DevSecOps System in the Military Industry

Business Requirements

A certain military research institute is a key scientific research institution in China's aviation sector, operating within the aviation industry system. It primarily focuses on research and application in areas such as avionics, computer technology, and software engineering, providing critical technical support for the development of China's aviation equipment. With the advancement of digital transformation, the institute's software development scale has been continuously expanding, involving increasingly complex operating systems and application software. This has led to higher demands for software security, reliability, and development efficiency. There is an urgent need to establish a comprehensive DevSecOps system to address security risks and efficiency bottlenecks in the software development process.

Before introducing the X operating system's continuous integration and operation management platform, the institute faced numerous challenges. During software development, security tools were scattered, each producing results in different formats, leading to duplicate vulnerability information and numerous false positives. Manual handling of these issues was time-consuming and significantly hindered development progress. In terms of resource management, numerous embedded devices were scattered, and traditional manual management methods were inefficient, often resulting in device damage due to frequent handling. Additionally, sharing devices across different locations was difficult. Ensuring software security was also a major concern, as comprehensive security detection methods were lacking. Vulnerabilities were hard to detect promptly during stages such as code development and testing, and insufficient security controls in the continuous integration and delivery processes posed potential risks.

Solution

Technical Architecture
Main Capabilities
Technology for Tool Integration and Packaging
The Tool Integration and Packaging System (FUZI ASPM Digital Supply Chain Security Situational Awareness Platform) achieves seamless integration and encapsulation of various security tools, supporting tool interfacing through protocols such as HTTP/HTTPS, Socket, and Java API. It addresses issues such as inconsistent results and non-uniform formats from different tools, providing a unified view and reporting system to streamline the vulnerability management process.
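The core of such integration is normalising each tool's output into one schema and deduplicating findings that several tools report for the same weakness at the same location. The following is an added illustration, not code from the FUZI platform: it assumes two hypothetical scanner outputs (a SARIF-like JSON file and a flat CSV), both constructed here, and merges them into a single triage list.

```python
import csv
import hashlib
import io
import json

# Constructed sample output from a hypothetical SAST tool (SARIF-like JSON).
SAST_JSON = json.dumps({"results": [
    {"ruleId": "CWE-79", "level": "error", "locations": [{"physicalLocation": {
        "artifactLocation": {"uri": "src/app.c"}, "region": {"startLine": 42}}}]},
    {"ruleId": "CWE-120", "level": "warning", "locations": [{"physicalLocation": {
        "artifactLocation": {"uri": "src/io.c"}, "region": {"startLine": 17}}}]},
]})
# Constructed sample output from a hypothetical second scanner (flat CSV).
SCAN_CSV = """file,line,cwe,severity
src/app.c,42,CWE-79,HIGH
lib/parse.c,8,CWE-416,CRITICAL
"""
# Map each tool's own severity vocabulary onto one numeric scale.
SEVERITY = {"critical": 4, "error": 3, "high": 3, "warning": 2, "medium": 2, "note": 1, "low": 1}

def parse_sarif_like(text, tool="sast"):
    """Normalise SARIF-like results into the unified finding schema."""
    for r in json.loads(text)["results"]:
        loc = r["locations"][0]["physicalLocation"]
        yield {"cwe": r["ruleId"], "file": loc["artifactLocation"]["uri"],
               "line": int(loc["region"]["startLine"]),
               "severity": SEVERITY.get(r["level"].lower(), 0), "tool": tool}

def parse_csv(text, tool="scanner2"):
    """Normalise flat CSV results into the same schema."""
    for row in csv.DictReader(io.StringIO(text)):
        yield {"cwe": row["cwe"], "file": row["file"], "line": int(row["line"]),
               "severity": SEVERITY.get(row["severity"].lower(), 0), "tool": tool}

def fingerprint(f):
    """Stable identity for a finding: same weakness at the same location."""
    return hashlib.sha256(f"{f['cwe']}|{f['file']}|{f['line']}".encode()).hexdigest()[:16]

def merge(*streams):
    """Deduplicate by fingerprint, keep the worst severity, record every tool that agreed."""
    merged = {}
    for f in (x for s in streams for x in s):
        key = fingerprint(f)
        if key not in merged:
            merged[key] = {"id": key, "cwe": f["cwe"], "file": f["file"], "line": f["line"],
                           "severity": f["severity"], "tools": set()}
        merged[key]["tools"].add(f["tool"])
        merged[key]["severity"] = max(merged[key]["severity"], f["severity"])
    # Triage order: worst severity first, then findings corroborated by more tools.
    return sorted(merged.values(), key=lambda m: (-m["severity"], -len(m["tools"]), m["file"]))

def unified_findings():
    return merge(parse_sarif_like(SAST_JSON), parse_csv(SCAN_CSV))
```

Findings reported by more than one tool are corroborated rather than listed twice, which is the duplicate-and-false-positive problem the institute described.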
Embedded Resource Integration and Management Technology
It adopts a B/S architecture (with the frontend using the Vue framework) to achieve remote control and centralized management of embedded resources. It supports the connection and management of development boards, digital prototypes, and other devices with various interfaces and architectures. Through features such as virtual grouping and role management, it enables efficient utilization and secure control of resources.
Code Security Review Technology
It possesses technologies such as source code-level component analysis, binary component analysis, and runtime component analysis. These capabilities enable the identification of open-source components and their dependencies, the detection of vulnerabilities and license risks, the provision of prioritized vulnerability remediation recommendations, and support for multiple development languages and package managers.
Code Vulnerability Scanning Technology
Utilizing static code analysis, it supports scanning with multiple coding rules as well as custom coding rules. It analyzes source code for security vulnerabilities and assesses code quality based on mainstream vulnerability databases, and supports periodic offline updates to the vulnerability database.
Penetration Testing Technology
Includes heuristic active vulnerability validation technology, intelligent attack-defense drill technology, deep sniffing scanning technology, adaptive penetration technology, automated scanning technology, and more. It simulates hacker attack methods to verify the system's security defense capabilities.

Results and Benefits

This solution has delivered significant value to users. In terms of security, it has comprehensively enhanced software safety through the integrated application of multiple security detection tools, enabling the timely discovery and remediation of vulnerabilities and reducing the probability of security incidents. The vulnerability detection rate has increased by 60%, and vulnerability remediation efficiency has improved by 30%.
In terms of efficiency, it has achieved integrated management of security tools and efficient sharing of embedded resources, reducing time costs associated with tool switching and resource allocation. The software development cycle has been shortened by 70%, and team collaboration efficiency has increased by 50%.
In terms of management, it provides comprehensive project management and quality assurance mechanisms, allowing real-time monitoring of project progress and quality status, thereby improving project management standards. It offers robust security safeguards and efficiency support for aviation equipment software development, aiding the institute in technological innovation and project delivery within the aviation sector.
The institute believes that adopting the agile security toolchain, including Xuanjing Security SourceSCA, Lingmai AI, FUZI ASOC, and Lingmai PTE, has facilitated highly efficient collaboration among these tools. This approach not only accurately identifies open-source risks but also deeply detects vulnerabilities and defects, while optimizing security processes, significantly contributing to the security enhancement of research and development efforts.