Conference background
On the afternoon of June 16, the third "Internet Security Construction Salon" of sinomeni cloud security was held in Dongzhimen. At the meeting, Gartner's global network security report, the top ten international security strategy trends, and commentary from security experts were released. The meeting was invitation-only, and the attending leaders of the Internet finance industry discussed their 2017 Internet finance security practice plans together.
Security engineers from Yiren loan (Yixin) gave invited talks at the meeting, and the COO of sinovine cloud also spoke.
PS: the lighting on site was dim, so please forgive the quality of the photos~
Photo of the on-site talk by the Yixin engineer.
For those who could not attend in person, we have brought back the PPT content from the Yiren loan engineers.
Security and compliance construction and practice in Internet finance enterprises
June 2018 is the deadline for regulatory acceptance. First, the rectification of Internet finance involves many regulatory departments, such as the banking regulator, the Internet credit department, the industry and commerce department and others. Because Internet finance is a new industry, these departments must first understand, learn about and coordinate on the industry and its platform models, which delays legislation and regulatory policy. Second, third-party service institutions are slow to enter: many market service institutions, such as depository banks, waited a long time before entering, and many large banks are still waiting. Third, many platforms need time to digest their existing business.
Information security compliance requirements
Compliance with business requirements
Network security law: the Standing Committee of the National People's Congress officially promulgated the network security law on November 7, 2016, which shall come into force as of June 1, 2017.
On August 24, 2016, China Banking Regulatory Commission and other four ministries and commissions jointly issued the Interim Measures for the management of business activities of online lending information intermediaries, which clearly put forward the requirements for the implementation of information system level protection construction management, disaster recovery system construction, customer information protection, transaction information preservation, etc.
Requirements from external business cooperation
When the company cooperates with external parties, such as integrating with various banking institutions, it must meet their traceability and audit requirements. If it fails to meet the basic requirements put forward by the bank, much of that business cooperation cannot proceed.
Requirements for controlling internal risks
• meet the compliance control requirements of listed companies, such as SOX-404
The company's business development relies heavily on the stability and reliability of its information systems. In recent years information security incidents have occurred frequently, so to effectively safeguard business development, information security risks must be prevented and controlled through the relevant control processes.
Security compliance & security management
Security compliance: compliance is the key, a hard requirement that can drive the implementation of management
Security management: management is a means of strengthening compliance
Security compliance system
How to establish an information security compliance system
Establish legal compliance database
The figure below shows the security and compliance system of Yiren loan, which is divided into seven parts. It is not necessarily applicable to other companies and is provided only for reference.
Practice
1. In response to the network security law, enterprises should implement the corresponding measures
2. Data security system
Data security key points
3. Terminal security control
4. Implementation of key processes
5. Emergency response
The following figure shows the emergency process of YRD in the case of the WannaCry / EternalBlue vulnerability.
The following figure shows the YRD emergency process when the widespread Struts 2 vulnerability broke out. PS: when the vulnerability broke out, an internal security engineer discovered it in time and a series of related problems were avoided, so responding quickly in an emergency is very important.
6. Host security
Host security is mainly built around the following aspects.
• host intrusion monitoring
• abnormal file operations
• weak host passwords
• compliance baseline
• system vulnerabilities
• service vulnerabilities
7. Full implementation of the SDLC
SDLC: security development life cycle
1. The earlier a problem is found, the earlier it is fixed, the lower the cost and the more controllable the quality. Serious problems in the requirements stage are almost impossible to fix once the system has gone live.
2. Security feedback is faster, and the security of the software can be monitored earlier; previously, test results were not available until the software was online.
3. Security receives continuous attention throughout the development process, instead of a single security inspection after launch.
4. More people are responsible for software quality and software security, sharing the security responsibility rather than relying on the security team alone.
Supporting tools: Application System Software Development Security Technology Guide v1.1, Security Vulnerability Management Specification, and Yiren Loan Product Design and Development Security Checklist v1.0
These are the reports from yisrc. See you next time.