How to test the security of the fund's Online Transaction System

Source: Internet
Author: User

 

The fund online transaction system is a critical application. Because it handles user information and fund data, its security must be built to a high standard, and security testing is an effective way to raise it. This article discusses where security testing should focus and how it should be carried out, so that the testing is better targeted and more effective.

In the field of software testing, security testing has always been in an awkward position. Whether it is the customer's software requirements or the design and development carried out by the development team, almost all of the attention goes to implementing software functions, and whether the software's own security capabilities are adequately guaranteed is often ignored. For many less important systems it is understandable to focus on functions and neglect security. For an important application such as a fund online transaction system, however, almost every operation touches user information, account funds and other sensitive data. When such a system is built, security must therefore be given the same importance as functional implementation, and the application's overall security capability must be constructed alongside the basic functions the business requires. This article discusses how to test the security of the system while a secure fund online transaction system is being built.

1. Clarify the focus of Security Testing

The primary purpose of testing the fund's online transaction system is to find defects introduced during development; the secondary purpose is to verify that the functional components designed for the requirements have been implemented correctly. Software system testing uses several methods, including white-box testing, black-box testing, unit testing, integration testing and stress testing. Security testing generally considers the following areas: the security audit function, communication security, the use of cryptography, protection of user data, user identification and authentication, security management, data security protection, and session management.

 

Security audit covers identifying, recording, storing and analysing information about security-relevant activity. The audit function should be able to recognise and respond to security events automatically, including real-time alerts, termination of unauthorised processes, forced service interruption, session disconnection and account freezing. At the same time, storage of and access to audit data must itself be controlled, for example by defining which roles may read which data, so that the audit trail does not become a new source of privacy leakage.

Communication security mainly concerns non-repudiation of the communication process, in both directions: non-repudiation of origin and non-repudiation of receipt. Non-repudiation of origin means the sender of a message cannot later deny having sent it; non-repudiation of receipt means the recipient cannot later deny having received it. Both need evidence that a third party can verify, which is why they rest on digital signatures rather than on a shared secret known to both ends.
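As an added illustration that is not part of the original article, the exchange below implements both kinds of non-repudiation with Ed25519 signatures from Go's standard library: the sender signs the instruction, and the recipient verifies it before returning a receipt that signs the digest of exactly the bytes it received. It also shows the two checks a test should make: an instruction altered in transit gets no receipt, and a genuine receipt for a different instruction does not verify against this one. The instruction format, the `fund-receipt-v1:` domain-separation label and the in-memory key handling are assumptions for the example.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
)

// SignedMessage is a transaction instruction plus the sender's signature over it:
// evidence of origin that the sender cannot later disown.
type SignedMessage struct {
	Sender  ed25519.PublicKey
	Payload []byte
	Sig     []byte
}

// Receipt is the recipient's signed acknowledgement, bound to the digest of the exact
// bytes received: evidence of receipt that the recipient cannot later disown.
type Receipt struct {
	Receiver ed25519.PublicKey
	Digest   []byte
	Sig      []byte
}

// receiptBytes domain-separates receipt signatures from message signatures so that a
// receipt can never be replayed as a message, or vice versa (assumed label).
func receiptBytes(digest []byte) []byte {
	return append([]byte("fund-receipt-v1:"), digest...)
}

// Send signs the instruction with the sender's private key.
func Send(sender ed25519.PrivateKey, payload []byte) SignedMessage {
	return SignedMessage{Sender: sender.Public().(ed25519.PublicKey), Payload: payload, Sig: ed25519.Sign(sender, payload)}
}

// Receive verifies origin before acknowledging: a forged or altered message gets no receipt.
func Receive(receiver ed25519.PrivateKey, m SignedMessage) (Receipt, error) {
	if !ed25519.Verify(m.Sender, m.Payload, m.Sig) {
		return Receipt{}, errors.New("origin signature invalid: refusing to acknowledge")
	}
	d := sha256.Sum256(m.Payload)
	return Receipt{Receiver: receiver.Public().(ed25519.PublicKey), Digest: d[:], Sig: ed25519.Sign(receiver, receiptBytes(d[:]))}, nil
}

// VerifyReceipt lets the sender, or a later arbiter, check that the receipt was signed by
// the claimed recipient and covers exactly the message that was sent.
func VerifyReceipt(r Receipt, m SignedMessage) bool {
	d := sha256.Sum256(m.Payload)
	return bytes.Equal(d[:], r.Digest) && ed25519.Verify(r.Receiver, receiptBytes(r.Digest), r.Sig)
}

// Exchange reports what each side can prove after one round trip.
type Exchange struct{ OriginOK, ReceiptOK, TamperRejected, MismatchedReceiptRejected bool }

func Run() (Exchange, error) {
	_, client, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return Exchange{}, err
	}
	_, server, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return Exchange{}, err
	}
	// Constructed instruction; seq= is the anti-replay counter the server must also track.
	msg := Send(client, []byte("TRANSFER|from=ACC001|to=ACC002|amount=10000.00|seq=42"))
	rcpt, err := Receive(server, msg)
	if err != nil {
		return Exchange{}, err
	}
	ex := Exchange{
		OriginOK:  ed25519.Verify(msg.Sender, msg.Payload, msg.Sig),
		ReceiptOK: VerifyReceipt(rcpt, msg),
	}
	// Amount altered in transit: origin verification must fail and no receipt is issued.
	tampered := msg
	tampered.Payload = bytes.Replace(msg.Payload, []byte("10000.00"), []byte("90000.00"), 1)
	_, err = Receive(server, tampered)
	ex.TamperRejected = err != nil
	// A genuine receipt for a different instruction must not count as a receipt for this one.
	other := Send(client, []byte("TRANSFER|from=ACC001|to=ACC002|amount=1.00|seq=43"))
	otherRcpt, _ := Receive(server, other)
	ex.MismatchedReceiptRejected = !VerifyReceipt(otherRcpt, msg)
	return ex, nil
}

func main() {
	ex, err := Run()
	if err != nil {
		panic(err)
	}
	fmt.Printf("%+v\n", ex)
}
```

Signatures settle who sent and who received, but not whether the same instruction was submitted twice, so the sequence number in the payload still has to be checked and stored server-side; a security test of this channel should submit the same signed instruction twice and expect the second to be refused.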

In terms of cryptography, the focus is on key management and on the cryptographic operations themselves. Key management should cover the entire key lifecycle: generation, distribution, access and destruction. The cryptographic operations should use algorithms of adequate strength and key length and implement them correctly; in practice that means relying on well-reviewed library implementations rather than writing cryptographic code in-house.

Protection of user data covers a great deal: establishing and enforcing access control policies, encrypting and digitally signing important data, classifying data so that it cannot flow where it should not, and making sure that residual information left after deletion contains nothing sensitive. Because fund transactions deal directly with sensitive information such as account balances, important data must be strictly controlled and the parts of the system it can move through kept to a minimum.

User identification refers to identifying authorised users: the identification information must allow the system to determine quickly and accurately whether a user is who they claim to be. For the fund transaction system, user authentication is especially important. Where multi-factor authentication is hard to implement, the security and effectiveness of the single-factor method must be improved as far as possible, so that the system can be confident that a fund transaction instruction comes from the correct individual.
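An added example, not from the original article, of the kind of hardening a single-factor credential can get: each password is stored with its own random salt and an iterated hash, verification compares in constant time, and a minimum policy is applied before a password is accepted at all. The iteration count, salt length, storage format and deny-list entries are assumed values; PBKDF2-HMAC-SHA256 is written out only to keep the example inside Go's standard library, and a real system would use a maintained implementation.

```go
package main

import (
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"crypto/subtle"
	"encoding/base64"
	"encoding/binary"
	"errors"
	"fmt"
	"strconv"
	"strings"
)

const saltLen, iterations, keyLen = 16, 600_000, 32 // assumed policy: 16-byte salt, 600k PBKDF2 rounds

// denyList stands in for a breached-password list (constructed sample entries).
var denyList = map[string]bool{"password1234": true, "123456789012": true}

// pbkdf2SHA256 is PBKDF2 (RFC 8018) with HMAC-SHA256, written out here to stay within
// the standard library; in production use golang.org/x/crypto/pbkdf2 or argon2.
func pbkdf2SHA256(password, salt []byte, iter, length int) []byte {
	prf := hmac.New(sha256.New, password)
	var out []byte
	for block := uint32(1); len(out) < length; block++ {
		prf.Reset()
		prf.Write(salt)
		binary.Write(prf, binary.BigEndian, block)
		u := prf.Sum(nil)
		t := append([]byte(nil), u...)
		for i := 1; i < iter; i++ {
			prf.Reset()
			prf.Write(u)
			u = prf.Sum(nil)
			for j := range t {
				t[j] ^= u[j]
			}
		}
		out = append(out, t...)
	}
	return out[:length]
}

// HashPassword stores algorithm, cost and salt alongside the hash so the parameters
// can be raised later without breaking existing credentials.
func HashPassword(password string) (string, error) {
	salt := make([]byte, saltLen)
	if _, err := rand.Read(salt); err != nil {
		return "", err
	}
	dk := pbkdf2SHA256([]byte(password), salt, iterations, keyLen)
	enc := base64.RawStdEncoding.EncodeToString
	return fmt.Sprintf("pbkdf2-sha256$%d$%s$%s", iterations, enc(salt), enc(dk)), nil
}

// VerifyPassword recomputes the hash with the stored parameters and compares in constant
// time, so a near miss takes exactly as long as a wild guess.
func VerifyPassword(stored, password string) (bool, error) {
	parts := strings.Split(stored, "$")
	if len(parts) != 4 || parts[0] != "pbkdf2-sha256" {
		return false, errors.New("unrecognised credential format")
	}
	iter, err := strconv.Atoi(parts[1])
	if err != nil || iter < 1 {
		return false, errors.New("invalid iteration count")
	}
	salt, err := base64.RawStdEncoding.DecodeString(parts[2])
	if err != nil {
		return false, err
	}
	want, err := base64.RawStdEncoding.DecodeString(parts[3])
	if err != nil {
		return false, err
	}
	got := pbkdf2SHA256([]byte(password), salt, iter, len(want))
	return subtle.ConstantTimeCompare(got, want) == 1, nil
}

// CheckPasswordPolicy applies the assumed minimum bar for a single-factor credential.
func CheckPasswordPolicy(account, password string) error {
	switch {
	case len(password) < 12:
		return errors.New("password must be at least 12 characters")
	case strings.Contains(strings.ToLower(password), strings.ToLower(account)):
		return errors.New("password must not contain the account identifier")
	case denyList[strings.ToLower(password)]:
		return errors.New("password is on the deny list")
	}
	return nil
}

func main() {
	stored, _ := HashPassword("correct horse battery staple")
	fmt.Println(VerifyPassword(stored, "correct horse battery staple"))
}
```

The tests worth writing against this are the ones a reviewer checks for: the same password yields a different stored value each time (fresh salt), a credential in an unknown format is refused rather than compared, and a wrong guess takes as long as a right one. Credential hardening on its own does not stop online guessing; that is the job of the lockout response in the audit function.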

Security management means the system should have security management functions and a sound mechanism for authorising key roles to edit and control the system's security attributes, such as setting user role permissions, changing system security parameters and managing audit data.

Data security protection covers confidentiality and integrity during transmission, consistency before and after data replication, and trusted recovery after data loss. For the fund transaction system, data encryption, encoding, backup and verification measures should be applied sensibly to keep data secure and to prevent the business risks caused by data leaks, data tampering and data loss.
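The key lifecycle from the cryptography paragraph above and the confidentiality and integrity requirements of this one, as one added example that is not part of the original article. A data key is generated under a length policy, wrapped under a key-encryption key for distribution, used to protect a record with AES-256-GCM so that any tampering is detected on decryption, and finally zeroised, after which every use fails. The 256-bit policy minimum, the key identifiers, the `datakey:` and `record:` context labels and the sample record are all assumptions for the example.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

const minKeyBits = 256 // assumed policy: account data is protected with AES-256-GCM
// DataKey holds key material from generation until Destroy zeroises it.
type DataKey struct {
	ID  string
	Key []byte
}

// GenerateDataKey refuses key lengths below the policy minimum.
func GenerateDataKey(id string, bits int) (*DataKey, error) {
	if bits < minKeyBits {
		return nil, fmt.Errorf("key length %d bits is below policy minimum %d", bits, minKeyBits)
	}
	k := make([]byte, bits/8)
	if _, err := rand.Read(k); err != nil {
		return nil, err
	}
	return &DataKey{ID: id, Key: k}, nil
}

func (k *DataKey) aead() (cipher.AEAD, error) {
	block, err := aes.NewCipher(k.Key) // rejects the empty key left behind by Destroy
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Seal returns nonce||ciphertext||tag; the context is authenticated as AAD, so a ciphertext cannot be presented as another record.
func (k *DataKey) Seal(context string, plaintext []byte) ([]byte, error) {
	gcm, err := k.aead()
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plaintext, []byte(context)), nil
}

// Open fails on any tampering, wrong key or wrong context.
func (k *DataKey) Open(context string, sealed []byte) ([]byte, error) {
	gcm, err := k.aead()
	if err != nil {
		return nil, err
	}
	if n := gcm.NonceSize(); len(sealed) >= n {
		return gcm.Open(nil, sealed[:n], sealed[n:], []byte(context))
	}
	return nil, errors.New("ciphertext too short")
}

// Destroy overwrites the key material in place; every later Seal or Open fails.
func (k *DataKey) Destroy() {
	for i := range k.Key {
		k.Key[i] = 0
	}
	k.Key = nil
}

func must[T any](v T, err error) T {
	if err != nil {
		panic(err) // entropy or key failure: nothing sensible to continue with
	}
	return v
}

type Lifecycle struct{ RoundTrip, TamperDetected, UseAfterDestroy bool }

// Run walks one data key through generation, distribution, use and destruction.
func Run() Lifecycle {
	var lc Lifecycle
	kek := must(GenerateDataKey("kek-2024", 256))
	dk := must(GenerateDataKey("dk-2024-05", 256))
	// Distribution: only the wrapped form leaves the key store; the key ID as context stops substitution in transit.
	wrapped := must(kek.Seal("datakey:"+dk.ID, dk.Key))
	dk2 := &DataKey{ID: dk.ID, Key: must(kek.Open("datakey:"+dk.ID, wrapped))} // the receiving side's copy
	record := []byte(`{"account":"ACC001","balance":"125000.00"}`)              // constructed sample record
	sealed := must(dk.Seal("record:ACC001", record))
	plain, err := dk2.Open("record:ACC001", sealed)
	lc.RoundTrip = err == nil && string(plain) == string(record)
	sealed[len(sealed)-1] ^= 1 // flip one bit of the tag: the integrity check must fail
	_, err = dk2.Open("record:ACC001", sealed)
	lc.TamperDetected = err != nil
	dk.Destroy()
	_, err = dk.Seal("record:ACC001", record)
	lc.UseAfterDestroy = err != nil
	return lc
}

func main() { fmt.Printf("%+v\n", Run()) }
```

Three behaviours map directly onto test cases: a ciphertext bound to one account must not open under another account's context, a truncated ciphertext must be rejected rather than crash the service, and a key that has been destroyed must be unusable even if a reference to it survives. Zeroising memory in Go is best-effort (the runtime may have copied the slice), so key destruction in a real deployment is a property of the key store or HSM, not of application code.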

A user session is a cycle: it begins when the user completes identification and authentication, continues while the user executes commands, and ends when all session-related resources and attributes are revoked. Management of user sessions includes keeping a session history, limiting the number of concurrent connections, and locking or disabling sessions that have been inactive for too long.
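The session cycle above as an added example in Go, not code from the original article: a session is created only after authentication, every request revalidates it and extends its idle window, a per-user connection limit refuses extra logins, a periodic sweep ends sessions nobody has touched, and every terminated session is kept in a history with its reason. The limits (two concurrent sessions, fifteen minutes idle) are assumed policy values, and the clock is injected so the timeouts can be tested without waiting.

```go
package main

import (
	"crypto/rand"
	"encoding/hex"
	"errors"
	"fmt"
	"time"
)

// Session is one authenticated interaction, from login until termination.
type Session struct {
	ID, User                   string
	Created, LastSeen, EndedAt time.Time
	EndReason                  string
}

// Manager enforces the per-user connection limit and the idle timeout, and keeps a
// history of terminated sessions for the audit trail. The limits are assumed policy values.
type Manager struct {
	MaxPerUser int
	IdleLimit  time.Duration
	History    []Session
	now        func() time.Time // injected so that tests can move the clock
	active     map[string]*Session
}

var ErrSessionEnded = errors.New("session has ended; authenticate again")

func NewManager(maxPerUser int, idle time.Duration, clock func() time.Time) *Manager {
	return &Manager{MaxPerUser: maxPerUser, IdleLimit: idle, now: clock, active: map[string]*Session{}}
}

// Create is called only after identification and authentication have succeeded.
func (m *Manager) Create(user string) (*Session, error) {
	if m.ActiveFor(user) >= m.MaxPerUser {
		return nil, fmt.Errorf("user %s already has %d active sessions", user, m.MaxPerUser)
	}
	raw := make([]byte, 32) // 256 bits of entropy: a session ID must be unguessable
	if _, err := rand.Read(raw); err != nil {
		return nil, err
	}
	t := m.now()
	s := &Session{ID: hex.EncodeToString(raw), User: user, Created: t, LastSeen: t}
	m.active[s.ID] = s
	return s, nil
}

// Touch validates a session on every request and extends its idle window.
func (m *Manager) Touch(id string) error {
	s, ok := m.active[id]
	if !ok {
		return ErrSessionEnded
	}
	t := m.now()
	if t.Sub(s.LastSeen) > m.IdleLimit {
		m.end(s, "idle timeout")
		return ErrSessionEnded
	}
	s.LastSeen = t
	return nil
}

// End terminates a session explicitly: a logout, or an audit response that disconnects it.
func (m *Manager) End(id, reason string) {
	if s, ok := m.active[id]; ok {
		m.end(s, reason)
	}
}

// Sweep runs periodically so that abandoned sessions do not stay usable until touched.
func (m *Manager) Sweep() int {
	t, n := m.now(), 0
	for _, s := range m.active { // deleting entries during range is safe in Go
		if t.Sub(s.LastSeen) > m.IdleLimit {
			m.end(s, "idle timeout")
			n++
		}
	}
	return n
}

func (m *Manager) end(s *Session, reason string) {
	s.EndedAt, s.EndReason = m.now(), reason
	m.History = append(m.History, *s) // only the history record survives revocation
	delete(m.active, s.ID)
}

func (m *Manager) ActiveFor(user string) int {
	n := 0
	for _, s := range m.active {
		if s.User == user {
			n++
		}
	}
	return n
}

func main() { fmt.Println(NewManager(2, 15*time.Minute, time.Now).Create("alice")) }
```

A security test of session management drives exactly these transitions: a third login for the same user is refused, a request after the idle limit is refused and the session is gone rather than merely flagged, and the history carries the reason for every termination so the audit function can correlate it.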

2. Execution and management of security tests

Writing test cases is an important part of testing. Good case design lets the test team complete the testing with the least resources and in the shortest time while still detecting the software's defects accurately. Because the fund's online transaction system exists to serve the fund's business, its security test cases should consider not only the usual system environment factors but also the business logic, with well-designed test scenarios.

A test case should have a clear, concise purpose and a neat, standardised format, so that it covers the test object as fully as possible, keeps test data easy to manage, reduces the complexity of regression testing and improves efficiency. At the same time, a good case and defect tracking mechanism should be established, so that every case is executed and reported on and every defect is dealt with.

Because of the importance and uniqueness of testing the fund's online transaction system, the testing can be treated as a project in its own right, and the management requirements of a project apply: schedule management, risk management, quality management, configuration management and communication management. Many test projects neglect project management and run into implementation problems that could have been avoided. A common case: a tester runs a test with a test account while, at the same time, a developer is modifying a data table, so the tester finds that the operation cannot be executed normally. A good communication mechanism between testers and developers avoids this.

In addition to the testing methods above, there is one more method that can point directly at the security vulnerabilities of the fund transaction system: penetration testing. In penetration testing, professional security experts simulate a hacker intrusion against the fund's online transaction system, which reveals the security risks of the test object in a very concrete way. Many professional security vendors offer penetration testing services, such as Venustech. The difference between a penetration test and a real intrusion is that hackers have no scruples, whereas the penetration testing process deliberately avoids actions that could cause damage.

(Starling xinglei Tao)

The content source of this page is from Internet, which doesn't represent Alibaba Cloud's opinion; products and services mentioned on that page don't have any relationship with Alibaba Cloud. If the content of the page makes you feel confusing, please write us an email, we will handle the problem within 5 days after receiving your email.
