Conducting a BSIMM software security assessment to help build overall trusted engineering
Smartphones are becoming more and more convenient. Food, clothing, housing, transportation, financial management, entertainment and more can all be handled on a mobile phone. At the same time, the public is increasingly concerned about the monitoring of security, privacy, and cost-sensitive permissions on mobile phones. Mobile phone manufacturers need to keep exploring the security field and develop products that better meet the needs of current consumers.
Technology for people
Since its establishment, OPPO Guangdong Mobile Communications Co., Ltd. (hereinafter referred to as OPPO) has expanded its business to more than 40 countries and regions around the world, and its products have more than 300 million users worldwide. Since 2019, OPPO's R&D investment has reached 10 billion yuan, further advancing design through technology. Now, many OPPO mobile phone products are equipped with innovative technologies such as network security situation awareness and network attack identification algorithms, and have security functions such as website detection and property risk prompts. In addition, OPPO has also developed privacy protection functions such as permission records and privacy substitutes.
OPPO attaches great importance to the security of its products and businesses, and has taken a variety of measures to strengthen cooperation with individuals, organizations and companies in the industry to improve the overall security level, including adopting Synopsys's Building Security In Maturity Model (BSIMM) assessment.
Goal: Benchmarking against the industry's outstanding security activities and building overall trusted engineering
In the digital age, network security and data security are of vital importance. Vulnerabilities endanger property safety and personal privacy. For ordinary consumers, the most common problem is undoubtedly the hidden dangers in some smartphone application software.
Wang Anyu, Director of OPPO Terminal Security, said: "OPPO has always been concerned about users' anxiety about information leakage and privacy protection demands. Under the current situation, OPPO will continue to strengthen its technical accumulation in the field of security and privacy, constantly update and upgrade users' privacy and security experience, combine smart and connected scenarios, gradually build brand competitiveness in security and privacy, establish a trustworthy brand image in the minds of users, and provide solid protection for the healthy and long-term development of the company. To this end, we use Synopsys's Software Security Building Maturity Model (BSIMM) to evaluate the industry level of software security capabilities in the industry."
Since its establishment, OPPO's Software Engineering System Security Engineering Department has been committed to building security engineering capabilities and improving the company's software security capabilities. In order to ensure the delivery of secure terminal products, the business department needs to pay attention to security and privacy protection at every stage of the product development process. As OPPO's product series increases and its global influence expands, OPPO pays more and more attention to security and privacy protection in the software development process. To this end, the security department introduced industry best practices such as Microsoft SDL and Synopsys BSIMM to manage security and compliance throughout the software development process, and continuously optimizes it to help business development.
Wang Anyu pointed out: "OPPO hopes to support the company's main business development direction through security compliance mechanisms, ensure business compliance delivery, and IT-based software security development processes. We will start protecting the security and privacy of customers and products during the product planning and R&D stages, reduce risks and costs, and ultimately build OPPO's overall trusted engineering. At the same time, we need a ruler to measure the progress of our security plan and the level of OPPO's software security capabilities in the industry, so as to improve security in a targeted manner."
Synopsys Conducts Building Security In Maturity Model (BSIMM) Assessment for OPPO
Synopsys has been named a leader in the Gartner Magic Quadrant for Application Security Testing for five consecutive years. With its outstanding foresight and execution capabilities, it can help OPPO benchmark against industry best practices to determine OPPO's current maturity level and how to improve its software security program. In 2020, OPPO began to adopt BSIMM to conduct an overall assessment of software engineering systems in cities such as Shenzhen, Dongguan, Chengdu, Shanghai, and Nanjing, covering major software engineering businesses.
Since 2008, Synopsys has analyzed quantitative data on actual software security practices of different companies every year and compiled them into an annual BSIMM report to help companies plan, execute, evaluate and improve their software security initiatives (SSIs). BSIMM is a yardstick for companies to measure software security. OPPO can refer to and compare the industry's best practices to improve its own software security maturity in a more targeted manner.
Focusing on the business architecture related to OPPO's software engineering system, Synopsys prepared an interview outline in advance and conducted two weeks of on-site/remote expert interviews. After the meeting, it issued a software security maturity assessment report and provided effective improvement and optimization suggestions.
- Objective analysis of existing SSI
- Analyzing outstanding security practices in different industry verticals
- Based on the company's current security status, share the success and failure cases of other related companies, and introduce new measures in the industry to deal with security issues
"Through these interviews, we learned about OPPO's thoughts on how its SSI currently operates and how it aims to operate in the future," said Guoliang Yang, senior security architect of the Software Integrity and Security Group at Synopsys. "The BSIMM is primarily a yardstick for measuring software security, comparing OPPO's security approach with the security work being done by other companies. The BSIMM can also be used as an SSI roadmap, where OPPO can determine its own goals and behaviors, and then refer to the BSIMM to determine what additional activities make sense for the company, thereby improving SSI in a planned manner."
With the help of BSIMM, OPPO has developed an SSI enhancement plan to continuously optimize its software security practices. The current state of security research and development in OPPO's software engineering system was studied and systematically analyzed, an analysis report was produced, and a security capability improvement route with specific implementation steps was formulated. Through the SDL process, existing software security capabilities are improved and a secure and reliable product system is established, ultimately building OPPO's overall trusted engineering.
Results: The software development security system has been significantly improved
Synopsys conducted an overall assessment of the software security activities of OPPO's security engineering department and other business departments of the software engineering system. Benchmarking against external companies, Synopsys objectively and impartially analyzed the industry level of the software development security system. Judging from the BSIMM evaluation results in the past two years, OPPO's software development security system has been significantly improved in many areas. In addition, based on OPPO's current security status and with the help of the BSIMM evaluation results, OPPO has developed an effective SSI improvement plan.
Wang Anyu praised: "During the two-year assessment process, Synopsys team experts and members have demonstrated strong professional capabilities. The assessment of the current status of OPPO's software security is very realistic, and effective suggestions have been put forward to improve OPPO's security capabilities. OPPO also hopes to further cooperate with Synopsys to improve the security compliance capabilities of the entire enterprise software security development lifecycle."
Wang Yonglei, senior security expert at Synopsys, concluded: "Combined with comprehensive factors such as the establishment time of OPPO's Software Engineering System Security Engineering Department, OPPO's evaluation results are already at a relatively high level in the industry. In the face of security issues in the digital age, mobile phone manufacturers and operators need to strengthen reliability and security and promote technological innovation in the field of terminal security. Built-in security at the beginning of product design is the most cost-effective way. Synopsys will continue to provide security support for software engineering systems to help OPPO build an overall trusted engineering."