Security testing is different from penetration testing. Penetration testing concentrates on attacks at several specific points, while security testing concentrates on modeling security threats and considering threats comprehensively at every level. Security testing tells you where threats to your system may come from, which threats it is currently exposed to, and which threats it can defend against. Security testing does, of course, cover what penetration testing does.
The differences between security testing and penetration testing are as follows:
Penetration testing uses attackers' methods to find a single exploitable point and prove that a problem exists, which helps raise the customer's awareness and solves urgent problems, but it cannot test the completeness of the system's security, so it can hardly solve the substantive security problems of the system itself. The vendors that provide penetration testing therefore generally also sell their own protective devices: when they find a problem of the kind their protection devices are aimed at, the solution is to sell the corresponding protection device as the way to address that specific threat, relying on a device for passive protection. Security testing vendors consider the problem from the perspective of the overall system architecture, secure coding, security testing, security test coverage, and security measurement, and their solution is to gradually help the customer introduce a security development process and provide the corresponding tool support. The goal is ultimately to improve the substantive security of the business system.
First, the security tester analyzes the system under test: its architecture, its software components, and how its programs are deployed. Next comes a security analysis of the system, followed by security modeling to identify the potential threats the system may face. The system is then analyzed to identify its attack interfaces, and those interfaces are tested according to the test plan.
Security testing only concerns itself with analyzing whether a vulnerability is exploitable, not with how the vulnerability would actually be exploited. There are several reasons for this:
Cost factor: for an attacker, the payoff from exploiting a vulnerability is the assets the system protects, so more can be invested in studying how to exploit it, in time, personnel, and means. For security testing, however, the entire payoff is whatever the customer is willing to invest. The assets protected by the system are far larger than the investment in developing it, and the security investment is only about 3% of the development investment; from a cost perspective, therefore, security testing only evaluates the likelihood of exploitation rather than studying how a vulnerability is exploited and presenting that to the customer.
Factor: security testing helps customers reduce security threats and security vulnerabilities. As a protective discipline, what is critical is to discover security problems and guide the customer to fix as many of them as possible. The path is: discover security problems -> analyze and evaluate them -> propose fixes -> measure security; not the attacker's path of discover security problems -> exploit them -> obtain illicit gains. What is most valuable to the defender is discovering and solving problems, not discovering and exploiting them. It is enough for the defender to check whether a vulnerability can be exploited in order to determine its severity and the priority of the fix. Studying specific exploitation techniques in more depth makes sense for operating-system-level protection, but it has no value for the developers and users of ordinary application systems.
Assumption factor: the customer's risks do not only come from outside. They may come from an attacker penetrating through a client host (for example, by planting a Trojan on an employee's laptop and then reaching the intranet), and they may come from inside. To be comprehensive about security, we cannot assume that the attacker's path must be purely external, against strict perimeter protection, as in a penetration test, nor that the attacker has not gathered some information over time through social engineering or by being an insider (an employee). At the same time, exploitation techniques have developed to the point where they are combined with the characteristics of specific applications, and attackers keep finding ways to exploit vulnerabilities we previously thought low-risk and hard to exploit. Security testing therefore focuses on the security the business system itself implements once all external protection is lost; it emphasizes high-coverage security testing and security measurement rather than a single penetration test.
Of course, at present there are still many misunderstandings in how users understand security, and this can only be improved slowly.
In the last project, the user's goal was to improve security through testing before the business system went live. The user's previous security work was mainly a set of consulting processes provided by a large international company, which did not really solve the security problems, so a user wanting to introduce security testing to improve security comprehensively fits the objectives of security testing. After vendor selection, however, the projects offered to the several vendors were purely website penetration tests, and the only evaluation criterion was who actually broke in, with the best intrusion winning. Although we also achieved a successful penetration, our report analyzed the specific threats page by page and gave suggestions for improvement, without any destructive intrusion. As a result the user felt it was not as impressive as the other penetration testing vendors' reports, which had WEBSHELL screenshots, sensitive files that had been taken, and so on. In fact, this is far from the intention of security testing.
Of course, since the user's understanding is only at this stage, there is no way around it; in subsequent tests we could only work and write reports by means of penetration. But I keep thinking: what users need is to improve the security of their own business systems, and if this penetration approach continues, do we have to go back to selling protective equipment for passive protection? In the testing I did for Microsoft, the reports I submitted did not need to include an EXP, except for the MDB one, because Microsoft considered MDB not to be a security-relevant file. I told them it could be used to call IIS, but presumably my poor English did not get the point across, and I finally proved it with a live demonstration at BLUEHAT. In fact, with the development of technology, exploiting security vulnerabilities has become an art. Whether a vulnerability can theoretically be exploited, however, is basically a qualitative question. As long as a vulnerability can theoretically be exploited, the vendor should fix it, because we cannot assume that attackers cannot make real use of it through in-depth research, and the vendor need not spend a great deal to study its actual feasibility. That is why Microsoft does not require an EXP; it is enough to point out whether exploitation is theoretically possible.
In fact, as long as the attacker pays the research cost, most theoretically exploitable vulnerabilities can be exploited to a high degree. Recently I submitted a very serious report to the relevant departments: the vulnerability affects products used in multiple key industries in China. The other party, however, thought the vulnerability was too difficult to exploit because the application has encoding checks, without which controllable content cannot be written to files. So there was nothing for it: it took only one night of reverse analysis, and the code was written. Launching the attack was very easy, which confirmed that this was an extremely high-risk security vulnerability. Yes, even if the code had never been written out, that would not show that no one could actually exploit it. But is this cost worthwhile? If a vendor pays to have its own security vulnerabilities discovered, does it also have to pay for working attacks against the vulnerabilities that were discovered? A home inspector who finds hollow spots behind the wall tiles reports them; he does not have to pry off a tile, or wait two years for the tiles to crack and fall, to prove it.