Insights on DevSecOps and Code‑Vaccine Technology from XMirror Security Founder
In a detailed interview, XMirror Security founder Zi‑Ya discusses the origins of his team, the core elements of DevSecOps, the innovative code‑vaccine technology combining IAST and RASP, maturity stages of development security in China, and future trends in software‑supply‑chain security.
Zi‑Ya, founder and CEO of XMirror Security, appeared on the "Security Talk" livestream at the invitation of the Second Digital Security Conference, joining hosts Li Shaopeng and Liu Jing to discuss the current state, development, and key technological evolution of DevSecOps.
He explained that XMirror originated from the Beijing University Information Security Lab’s XMirror research team, focusing on automated vulnerability mining and threat simulation using runtime dynamic instrumentation, which later evolved into the company’s security solutions.
According to Zi‑Ya, DevSecOps consists of four core elements—culture, process, technology, and measurement—with the core technology being "code‑vaccine". This technology leverages IAST for runtime dynamic instrumentation to detect both generic and business‑logic vulnerabilities, as well as third‑party open‑source components, and integrates SBOM for risk analysis.
The code‑vaccine also incorporates RASP, providing self‑defense capabilities such as immunity to major unknown vulnerabilities (e.g., Log4j2.x), hot‑patch protection during vulnerability windows, and contextual risk perception in cloud‑native environments.
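The hot‑patch idea above can be illustrated with a small in‑process guard. The block below is an added example written for this page; it is not XMirror's probe or any part of its code‑vaccine product. It assumes a hypothetical application sink, `render_template`, that expands `${name}` placeholders from a lookup table, and shows how a runtime guard can wrap that sink during a vulnerability window: an allowlist policy decides which placeholder names may be expanded, blocked calls raise and are recorded so the security team can see what was stopped. `RuntimeGuard`, `allowlist_policy`, `GuardEvent` and the lookup table are all constructed for the example.

```python
import re
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional, Set

# Constructed lookup table for a hypothetical application sink (not XMirror code).
LOOKUPS: Dict[str, str] = {"app": "orders-api", "env": "prod"}

PLACEHOLDER = re.compile(r"\$\{([^}]*)\}")


def render_template(text: str) -> str:
    """Hypothetical sink: expands ${name} placeholders from LOOKUPS.
    Unknown names expand to the empty string."""
    return PLACEHOLDER.sub(lambda m: LOOKUPS.get(m.group(1), ""), text)


@dataclass
class GuardEvent:
    """One blocked call: which sink, why, and the argument that triggered it."""
    sink: str
    reason: str
    argument: str


@dataclass
class RuntimeGuard:
    """In-process guard in the style of a RASP probe. It records every blocked call so
    the operations team can see what was stopped during the vulnerability window."""
    events: List[GuardEvent] = field(default_factory=list)

    def protect(self, sink: Callable[[str], str],
                policy: Callable[[str], Optional[str]]) -> Callable[[str], str]:
        """Return a guarded replacement for `sink`. `policy` returns None to allow the
        call or a human-readable reason to block it."""
        def guarded(text: str) -> str:
            reason = policy(text)
            if reason is not None:
                self.events.append(GuardEvent(sink.__name__, reason, text))
                raise PermissionError(f"{sink.__name__} blocked by runtime guard: {reason}")
            return sink(text)
        guarded.__name__ = f"guarded_{sink.__name__}"
        return guarded


def allowlist_policy(allowed: Set[str]) -> Callable[[str], Optional[str]]:
    """Hot-patch policy: only placeholder names on the allowlist may be expanded."""
    def check(text: str) -> Optional[str]:
        for key in PLACEHOLDER.findall(text):
            if key not in allowed:
                return f"disallowed lookup key {key!r}"
        return None
    return check


# Apply the hot patch: from here on the application calls guarded_render, not the raw sink.
guard = RuntimeGuard()
guarded_render = guard.protect(render_template, allowlist_policy({"app", "env"}))


def demo() -> Dict[str, object]:
    """Exercise the guarded sink with one benign and one blocked input.
    Returns the rendered benign output, whether the second call was blocked,
    and how many guard events this invocation produced."""
    before = len(guard.events)
    rendered = guarded_render("service=${app} env=${env}")
    try:
        guarded_render("service=${app} token=${secret}")
        blocked = False
    except PermissionError:
        blocked = True
    return {"rendered": rendered, "blocked": blocked,
            "new_events": len(guard.events) - before}


if __name__ == "__main__":
    print(demo())
    for event in guard.events:
        print(f"[guard] {event.sink}: {event.reason} (input: {event.argument!r})")
```

The point of the design is that the original sink is untouched: the guard is a wrapper installed at runtime, so it can be added when a vulnerability is disclosed and removed once the component is upgraded, and the recorded events give detection coverage for the interval in between.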
Zi‑Ya described the advanced features of XMirror’s code‑vaccine, including a single‑probe approach that solves compatibility issues, integrates detection and defense, and combines SBOM for comprehensive open‑source governance.
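The SBOM‑based risk analysis mentioned in the two passages above comes down to matching the components an SBOM lists against advisory version ranges and prioritizing the hits. The block below is an added example written for this page, not XMirror's implementation. It assumes a CycloneDX‑style JSON SBOM (constructed inline) and a constructed advisory feed whose identifiers are placeholders and whose version ranges are made up; the component coordinates are real Maven names used only as illustration. The simple version parser deliberately ignores pre‑release suffixes, which a production matcher would need to handle.

```python
import json
from typing import Dict, List, Tuple

# Constructed CycloneDX-style SBOM. The coordinates are real Maven names; the
# particular versions listed are made up for this example.
SAMPLE_SBOM = json.dumps({
    "bomFormat": "CycloneDX",
    "specVersion": "1.4",
    "components": [
        {"type": "library", "group": "org.apache.logging.log4j",
         "name": "log4j-core", "version": "2.14.1"},
        {"type": "library", "group": "org.apache.logging.log4j",
         "name": "log4j-core", "version": "2.17.1"},
        {"type": "library", "group": "com.fasterxml.jackson.core",
         "name": "jackson-databind", "version": "2.9.8"},
        {"type": "library", "group": "org.example",
         "name": "safe-lib", "version": "1.0.0"},
    ],
})

# Constructed advisory feed with placeholder identifiers. Each range is
# [introduced, fixed): a version is affected if introduced <= version < fixed.
SAMPLE_ADVISORIES: List[Dict[str, str]] = [
    {"id": "ADVISORY-PLACEHOLDER-1", "group": "org.apache.logging.log4j",
     "name": "log4j-core", "introduced": "2.0", "fixed": "2.17.1", "severity": "critical"},
    {"id": "ADVISORY-PLACEHOLDER-2", "group": "com.fasterxml.jackson.core",
     "name": "jackson-databind", "introduced": "2.9.0", "fixed": "2.9.10", "severity": "high"},
]

SEVERITY_RANK = {"critical": 0, "high": 1, "medium": 2, "low": 3}


def parse_version(version: str) -> Tuple[int, ...]:
    """Turn '2.14.1' into (2, 14, 1). Each dot-separated part contributes its leading
    digits, so '2.0-beta9' becomes (2, 0); pre-release ordering is not modelled."""
    parts = []
    for part in version.split("."):
        digits = ""
        for ch in part:
            if not ch.isdigit():
                break
            digits += ch
        parts.append(int(digits) if digits else 0)
    return tuple(parts)


def is_affected(version: str, introduced: str, fixed: str) -> bool:
    """True when version lies in the half-open range [introduced, fixed)."""
    v = parse_version(version)
    return parse_version(introduced) <= v < parse_version(fixed)


def analyze_sbom(sbom_json: str, advisories: List[Dict[str, str]]) -> List[Dict[str, str]]:
    """Match every SBOM component against the advisory feed and return findings
    ordered by severity, then by component coordinate."""
    sbom = json.loads(sbom_json)
    findings: List[Dict[str, str]] = []
    for comp in sbom.get("components", []):
        for adv in advisories:
            same_artifact = (comp.get("group") == adv["group"]
                             and comp.get("name") == adv["name"])
            if same_artifact and is_affected(comp["version"], adv["introduced"], adv["fixed"]):
                findings.append({
                    "component": f"{comp['group']}:{comp['name']}",
                    "version": comp["version"],
                    "advisory": adv["id"],
                    "severity": adv["severity"],
                    "fixed_in": adv["fixed"],
                })
    findings.sort(key=lambda f: (SEVERITY_RANK.get(f["severity"], 99), f["component"]))
    return findings


def summarize(findings: List[Dict[str, str]]) -> Dict[str, int]:
    """Count findings per severity, the figure a dashboard would track over time."""
    counts: Dict[str, int] = {}
    for finding in findings:
        counts[finding["severity"]] = counts.get(finding["severity"], 0) + 1
    return counts


if __name__ == "__main__":
    results = analyze_sbom(SAMPLE_SBOM, SAMPLE_ADVISORIES)
    for finding in results:
        print(f"{finding['severity']:<8} {finding['component']} {finding['version']} "
              f"-> {finding['advisory']} (fixed in {finding['fixed_in']})")
    print(summarize(results))
```

Note that the same artifact appears twice in the SBOM at different versions, which is common in real builds with several modules; only the version inside the advisory range is reported, and the upgraded copy is left alone.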
He outlined three stages of development‑security maturity in China: a foundational stage focusing on IAST‑driven vulnerability elimination, a process‑building stage integrating DevOps as the underlying platform (adopted by 45% of key accounts), and a measurement stage using BAS for continuous security effectiveness validation.
The interview distinguished "development security" (an auxiliary security requirement during development) from "security development" (a security‑first approach that embodies DevSecOps), and introduced three security‑driving models: Security Lead (SL), Security Drive (SD), and Security Enable (SE).
Regarding security effectiveness measurement, Zi‑Ya highlighted risk categorization (generic, business‑logic, third‑party, anomalous code) and the use of automated full‑process platforms, AST tool integration, and vulnerability prioritization in the second stage, while the third stage adds BAS‑based intrusion and attack simulation for continuous validation in cloud‑native contexts.
He noted that SBOM adoption in China lags due to standardization challenges, but ecosystem building is improving through strategic partnerships with DevOps and container‑security vendors.
Finally, the discussion forecasted a rapid growth of the software‑supply‑chain security market, emphasizing that security will become a fundamental attribute of IT management, with future regulations likely extending the Cybersecurity Law to explicitly cover software‑supply‑chain security.
DevOps Cloud Academy
Exploring industry DevOps practices and technical expertise.