Some of the things we need to know about security testing

1. The best time for security testing:
It is a costly and inefficient practice for many companies to start security testing only after the product has taken shape or gone online. The best practice is to implement appropriate security measures at each stage of the product's security development lifecycle (SDLC). Enterprises should make security a part of product design and development within the SDLC.
2. The sooner and the more frequent, the better:
Security flaws are no different from ordinary bugs: the sooner they are found, the lower the cost of fixing them. The key to this step is to give developers and QA personnel security training, telling them what impact security defects can have and how to detect and repair them. While emerging third-party libraries, tools, and programming languages can help developers write more secure programs, it is best to stay aware of whether newly discovered vulnerabilities affect the product being developed. In addition, security training enables developers to test products internally from the attacker's point of view.
3. Clarify the security requirements of the product:
It is important to understand the security requirements of a product, to classify the information or assets that need to be protected (for example, by confidentiality level, from confidential up to highly confidential), and to avoid spending too much time on unimportant areas. In addition, security requirements and standards differ from country to country, so it is advisable to discuss the security requirements with legal experts.
4. Step outside the conventional mindset:
A successful security test can be performed only by stepping outside the regular mindset. Regular test cases cover only the normal behavior of the target program; a good penetration test requires the tester to stand in the attacker's shoes and think of the unexpected situations that could break the program. Creative thinking helps us analyze what kind of data to use and which unsafe paths can cause the program to fail, and it also helps us guess how the developers built the program and how its protection logic might be circumvented. This is why relying on automated security testing tools alone is not an effective way to do security testing: creative thinking has to be applied case by case, since different developers will produce different results when developing the same program.
5. Understand the target in depth:
Before conducting a security test, the most important thing is to obtain the relevant documentation for the target under test, such as the architecture design, data flow diagrams, and use cases. These specifications and application documents need to record not only the normal use cases but also the cases that must not be allowed to occur.
6. Don't overlook the details:
A good security test is definitely not a simple program review. We must try to ensure that every piece of the program's logic and every use case is covered, and points that may be false positives cannot simply be dismissed; each must be confirmed repeatedly.
7. Use the source code:
Because black-box testing cannot cover all of the logic inside the program, it is not the most effective means of security testing. If you have the source code of the target program, a source-level audit is necessary, and it will sometimes find problems that black-box testing cannot.