How to use Threadingtest to improve software security detection efficiency (UP)

How to use Threadingtest to improve software security detection efficiency (UP)

Generally speaking, the security test can be mixed in the unit test, the integration test, the system test, and the security requirement is not high. But for software with high security requirements, special security testing must be done to prevent and identify software security issues before they are compromised. Security testing refers to the process of verifying the security level of an application and identifying potential security flaws. The main purpose of application-level security testing is to find out the security hidden trouble in the software's own program design, and to check the protection ability of the application to the illegal intrusion, and different test strategies according to the security metrics. Note: Security testing does not ultimately prove that the application is secure, but rather is used to verify the effectiveness of the established policies, which are chosen based on assumptions made during the threat analysis phase. For example, test the operation of the application software to prevent unauthorized internal or external user access or vandalism.

Let's first look at the Threadingtest test tool:

Threadingtest ("TT") is an innovative system-level white box test tool and digital software testing device designed based on the innovative testing concept of the software testing industry, which incorporates 4 national invention patents-"threading test". TT for the first time the black box test and the white box test process and the perfect fusion, with the black box test process and method, the production of white-box test data, the real software testing into the digital testing era. In addition to supporting traditional Java EE applications, TT is the world's first commercial-grade mobile white-box test tool that can be used to test various types of mobile applications.

All the features of TT are based on the deep quantization analysis and intelligent calculation of code, test, etc., TT can be used in addition to white box test, can provide the whole process and systematic method support for the security test of software, TT can be used in the process of security test black box method, from auxiliary analysis, automatic diagnosis, Provide software security testing solutions on multiple levels, such as rapid positioning. TT offers a wide range of functions beyond traditional security white box testing, and with popular fuzzing security testing methods, the efficiency and quality of security testing can be greatly improved.

The following is a list of the features that must be detected for software security testing, demonstrating the range of methods that TT provides for security testing:

Method One: Threadingtest oscilloscope patented technology

Threadingtest first will introduce the concept of test oscilloscope, in the actual test process, you can see in real time from the program of various logic execution rate, frequency and other information, Testers can convert from a traditional black box test of a tested application (which can only see feedback from the program) into an oscilloscope similar to a hardware test, enabling real-time analysis and viewing of critical test data throughout the test process. The oscilloscope itself has the following functions:

The oscilloscope function embodies:

1. Real-time recording of the running information of the program under test: block, function, condition, run stack

2. Real-time recording of the test case corresponding to the program execution logic:

3. Support for source separation test mode

4. Support distributed real-time recording the running information of the program under test

5. Visualize the operation of the Watcher program. Waveforms can visually react to program behavior.

6. Through the waveform analysis program on a variety of hardware platforms operating performance.

7. Support the real machine, simulator and other types of equipment access

8. Support the record of test data generated by various automated operations and unit tests

9. Support the connection mode of USB, WIFI, Bluetooth and other devices

Analysis of the response of the program under attack in the security testing process through an oscilloscope

The idea of TT Oscilloscope comes from the electronic oscilloscope in electrical equipment test, which can accurately and real-time capture the operation of various characteristics of the program, TT through real-time units of the program execution block, number of conditions, the number of functions and other indicators of the graph, analysis of the various operating characteristics of the program and operating anomalies. For security testing, it can be combined with a black-box security test tool to give a real-time response to a program in a security testing tool such as penetration testing. For example, during the penetration testing of the code, we can display the following data through the TT oscilloscope to assist in analyzing the results of the permeability test:

1. Whether the test program will continue to perform a large number of operations due to aggressive behavior, such as in the face of DDoS attacks and other circumstances of the response;

2. When the program is tested in various attacks, whether there is instantaneous or permanent denial of service (DDoS), DDoS attacks usually appear to deploy the application server CPU, memory, network and other resources consumption, from the inside of the program, there will be some functions and methods will be dense unconventional calls, These TT oscilloscopes will perform a detailed analysis of the sequence flow to facilitate the rapid identification, troubleshooting and repair problems;

3. In the case of impersonation of a non-authorized attack, if the background code is executed without normal user privileges, the problem can be checked out by observing the stack sequence performed by the function of the oscilloscope.

Through the oscilloscope, the security test process of the account permissions to detect

TT oscilloscope can be accurate detection of account privileges, TT Oscilloscope index itself has an equivalent class division function, they can be used to accurately analyze the program for various user rights are correctly handled:

By running a pre-prepared use case with a variety of permission classes, the TT oscilloscope runs the monitoring data using the use case, which is the equivalent class division of these use cases, and the principle is that the software usually executes different logic for different users, and different logic executes different code sequences within the program. And then lead to the TT oscilloscope three indicators will change, through the analysis of each use case TT oscilloscope given the operational indicators, you can determine the user rights of the code handling problems, such as the analysis of the users should not have the same permissions, the oscilloscope has given the same performance indicators. This should be the same permissions of users, the oscilloscope has given a different implementation of the indicators and other security risks.

Detection of operation characteristics and safety of multi-thread-running system by oscilloscope

For the existence of multi-threaded operation of the software, TT oscilloscope can be a multi-threaded operation of the fine analysis, multithreading is usually more prone to resource contention and even lead to deadlock and other situations, TT oscilloscope can analyze the operation of the thread, when the thread has a deadlock, the TT oscilloscope will give an intuitive graphic to give the display. It is also possible to give a proportional relationship between the number of threads and the program processing data throughput rate in the case of large data processing.

Currently Threadingtest Advanced Personal Edition is free to use, there is a trial version of the cloud test, you can apply online, you can learn more on the technical website, website: http://www.teststars.cc/, if you have any questions during the installation and trial process, You can join QQ technology Group-"Symbol execution-Threading test", QQ number is: "339834199"

Copyright NOTICE: This article for Bo Master original article, without Bo Master permission not reproduced.

How to use threadingtest to improve software security detection efficiency (UP)