Software security deserves attention.
36氪 was informed that “Shuimu Yulin”, a start-up security company focusing on software security, has recently completed an angel round of financing of 10 million yuan. Investors in this round include Frontier Fund, Ginkgo Valley Capital, Douxiang Technology, Hainan Layer Forest, etc.
At present, one of the security problems many enterprises face is that the security of their software cannot be guaranteed, so security during the software development process has attracted a lot of attention. According to earlier statistics from the National Institute of Standards and Technology (NIST), fixing code after release costs 30 times as much as fixing it during the design phase. Security products of this kind therefore start from the development process, hoping to reduce the security risks in the software itself by managing and controlling how the software is developed.
To solve this problem, different types of tools have emerged in the industry, chiefly AST tools, which cover static application security testing (SAST), dynamic application security testing (DAST), interactive application security testing (IAST) products and so on. According to the company, current AST tools work well for applications, while fuzzing technology adapts better to different types of basic and system software, strikes a better balance between false negatives and false positives, and supports automation.
36氪 has also observed that some companies currently focus on fuzzing products, hoping to help enterprises solve software security problems. The protagonist of this article, “Shuimu Yulin”, was officially established in March 2021. The core members of its team all graduated from Tsinghua University, have accumulated more than 10 years of experience in software security testing, have published more than 30 academic papers, and have mined hundreds of high-risk security vulnerabilities in various system software that were included in the national security vulnerability database. The company’s main product is the XFUZZ intelligent fuzzing system, which supports not only application-layer software and class libraries but also automated security evaluation of large-scale basic software such as protocols, kernels, and databases.
Company COO Li Yuanyi explained that the XFUZZ intelligent fuzzing system is a new generation of software quality and security testing platform: it automates vulnerability mining for software of every level and type, effectively detects various high-risk vulnerabilities, improves software robustness and security, and provides foundational support for software supply chain security.
He also explained that intelligent fuzzing dynamically observes the program’s feedback during testing and uses techniques such as taint analysis and hardware instruction tracing to guide the generation of test inputs, so that more program branches are triggered faster; the deeper the branch coverage, the more bugs are ultimately found. In Li Yuanyi’s view, however, because programs differ, specific coverage metrics cannot be generalized today, but this automated way of generating test inputs can significantly reduce the difficulty and labor cost of current software testing and security analysis.
At present, “Shuimu Yulin” mainly relies on cutting-edge technologies such as intelligent fuzzing, targeting DevSecOps scenarios such as development security and code security, and hopes to solve software supply chain security problems across industries.
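The feedback loop described above, as an added example written for this page (not XFUZZ or any Shuimu Yulin code): a miniature coverage-guided mutational fuzzer in Python. The toy record parser, its planted defect, the seed input and the mutation operators are all constructed for the example; line-edge tracing through sys.settrace stands in for the taint analysis and hardware instruction tracing the article mentions as feedback sources.

```python
"""Miniature coverage-guided mutational fuzzer (added example; not XFUZZ)."""
import random
import sys

# Toy target constructed for this example: 2-byte magic, version byte, four
# option bytes that each enable a stage, then a body. Each check is its own
# branch so coverage feedback can climb one guard at a time; the final raise
# is a planted defect reachable only after every guard is passed.
def parse_record(data: bytes) -> str:
    if len(data) < 7:
        return "short"
    if data[0] != ord("R"):
        return "bad-magic-1"
    if data[1] != ord("K"):
        return "bad-magic-2"
    if data[2] != 1:
        return "bad-version"
    if data[3] == 0:
        return "stage-1-disabled"
    if data[4] == 0:
        return "stage-2-disabled"
    if data[5] == 0:
        return "stage-3-disabled"
    if data[6] == 0:
        return "stage-4-disabled"
    body = data[7:]
    if len(body) < 2:
        return "body-too-short"
    if body[0] != body[-1]:
        return "body-delimited"
    raise ValueError("planted defect: stage 4 mishandles an unterminated body")

SEED = b"RK\x01\x00\x00\x00\x00ab"   # constructed seed: valid header, stages off

def run_with_coverage(target, data):
    """Run target(data) and return ({(prev_line, line)}, crashed)."""
    code, edges, prev = target.__code__, set(), [None]

    def tracer(frame, event, arg):
        if frame.f_code is not code:       # trace only the target's own frame
            return None
        if event == "line":                # record which line followed which
            edges.add((prev[0], frame.f_lineno))
            prev[0] = frame.f_lineno
        return tracer

    crashed = False
    sys.settrace(tracer)
    try:
        target(data)
    except Exception:                       # any uncaught exception is a finding
        crashed = True
    finally:
        sys.settrace(None)
    return edges, crashed

def mutate(data: bytes, rng: random.Random) -> bytes:
    """Stack one to three small AFL-style mutations on a corpus entry."""
    buf = bytearray(data)
    for _ in range(rng.randint(1, 3)):
        op = rng.randrange(5)
        if op == 0 and buf:                 # flip one bit
            buf[rng.randrange(len(buf))] ^= 1 << rng.randrange(8)
        elif op == 1 and buf:               # overwrite one byte
            buf[rng.randrange(len(buf))] = rng.randrange(256)
        elif op == 2:                       # insert a random byte
            buf.insert(rng.randrange(len(buf) + 1), rng.randrange(256))
        elif op == 3 and len(buf) > 1:      # delete one byte
            del buf[rng.randrange(len(buf))]
        elif op == 4 and len(buf) > 1:      # copy one byte over another
            buf[rng.randrange(len(buf))] = buf[rng.randrange(len(buf))]
    return bytes(buf)

def fuzz(target, seeds, iterations=20000, guided=True, rng_seed=1):
    """guided=True adds any input that executes a new edge to the corpus;
    guided=False mutates only the seeds, blindly, with the same budget."""
    rng = random.Random(rng_seed)
    corpus, seen, crashes = list(seeds), set(), {}
    for seed in seeds:
        seen |= run_with_coverage(target, seed)[0]
    for _ in range(iterations):
        candidate = mutate(rng.choice(corpus), rng)
        edges, crashed = run_with_coverage(target, candidate)
        if crashed:
            crashes.setdefault(frozenset(edges), candidate)   # one per crash path
        if guided and not edges <= seen:    # new edge seen: keep the input
            seen |= edges
            corpus.append(candidate)
    return {"corpus": corpus, "edges": len(seen), "crashes": list(crashes.values())}

if __name__ == "__main__":
    for guided in (False, True):
        r = fuzz(parse_record, [SEED], guided=guided)
        print(f"guided={guided!s:5} corpus={len(r['corpus']):2} edges={r['edges']:2} crashes={len(r['crashes'])} {r['crashes'][:1]}")
```

Running the script compares blind and guided mutation at the same budget: the blind run never gets past the third option byte, because at most three stacked mutations are applied per attempt, while the guided run keeps each input that reaches a new edge and climbs the guards one at a time until the planted defect fires. The last check (body[0] equal to body[-1]) is invisible to coverage, since both outcomes execute the same line pair; the toy relies on the byte-copy mutation to satisfy it by chance, and that data dependency is exactly where the taint analysis the article mentions earns its place in a production fuzzer. Real fuzzers also bucket edge hit counts and use compiled-in instrumentation rather than a Python trace hook.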
Specifically, the company introduced that its XFUZZ intelligent fuzzing system has the following highlights:
Intelligent in-depth mining capability: on authoritative third-party and customer test data sets, it leads benchmark tools such as AFL, Peach, and Syzkaller significantly on core metrics such as test coverage, number of defects found, and test speed.
Cross-layer, full-stack support capability: it fully supports detection targets such as applications, class libraries, databases, operating systems, and communication protocols, completely covering the software supply chain. More than 100 vulnerabilities have been found in basic software and protocols such as Linux, MySQL, and IEC104, and they have been officially included as CVEs by the Chinese and American national information security vulnerability databases.
DevSecOps support capability: through a full API, CLI tools and other features, it enables automated, integrated and continuous left-shifting of software development security, and supports automatic generation of test drivers, real-time display of coverage information, automatic generation of defect reports, automatic reproduction of defect-triggering inputs, and other functions.
In addition, a variety of tools following different technical routes are emerging in the industry. Different tools often have different functional characteristics, and in some scenarios they can be integrated to meet customer needs. Going forward, “Shuimu Yulin” will also expand in related directions to improve its product coverage.
In terms of commercialization, “Shuimu Yulin” received orders in the millions of yuan from customers such as Tongxin Software and NTU General within six months of its establishment. After this round of financing, the company will continue to invest in product research and development while expanding the market.