Software Security Test (reprint)

Recently, in the final test of a software product in my company, I was often asked the question: How much security does our software product consider in the test process? How safe should a software be measured?
This software is related to the customer's commercially important information, so the core concerns of users always surround "This software security." A security vulnerability due to design and a security vulnerability due to implementation are a huge impact on the user at last. My task is to ensure that the software meets customer expectations in terms of security.
　　 First, what is software security testing
(1) What is software security
Software security belongs to an important sub-domain in the field of software. In the once single-machine era, the security problem is the operating system easy infection virus, single-machine application software security problem is not outstanding. However, since the popularization of the Internet, software security problems have become more and more prominent, making the importance of software security testing to an unprecedented level.
Software security is generally divided into two tiers, that is, application-level security and operating system-level security. Application-level security, which includes access to data or business functions, and, in the expected security situation, the operator can only visit specific features of the application, limited data, and so on. The security at the operating system level is to ensure that only users with access to the system platform are interviewed, including logins to the system or remote visits.
The software security described in this article is mainly the security of the application layer, which contains two levels: ① is the security of the application itself. In general, application security issues are mainly caused by software vulnerabilities that can be a design flaw or a programming problem, or even a backdoor reserved by developers. ② is the data security of the application, which contains two aspects of data storage security and transmission data security.
(2) Software security testing
In general, the security requirements of the software is not high, its safety test can be mixed in unit test, integrated test, System test together. But for software with high security requirements, a special security test must be done to prevent and identify software security issues before they are compromised.
Security testing (securitytesting) refers to the process of verifying the security level of an application and identifying potential security flaws. The main purpose of the application-level security test is to find out the security hidden trouble in the software's own program design, and to check the protection ability of the application to the illegal intrusion, and different test strategy according to the security index. Note: Security testing does not finally prove that the application is secure, but rather is used to verify the effectiveness of the established policies, which are chosen based on what is done in the threat analysis phase. For example, the test application software in the prevention of unauthorized internal or external users of the interview or useful damage, and other situations of operation.
　　 second, software security testing process
(1) Safety test method
There are a lot of test methods to be able to conduct safety testing, the main safety test method currently:
① Static code security test: Mainly through the source code for security scanning, according to the program data flow, control flow, semantics and other information and its unique software security rules database, to find out the potential security vulnerabilities. A static source code security test is a useful way to identify all possible security risks during the coding phase so that developers can address potential security issues early on. Because of this, static code testing is better suited to the early stages of code development than to the test phase.
② Dynamic Penetrant Testing: penetrant testing is also a frequently used safety test method. is to use their own active tools or artificial methods to simulate the hacker's input, the corresponding system for the attack test, to find out the implementation of the security loopholes in the moment. The characteristics of such tests are real and effective, the general problem is correct, but also more serious. But one of the deadly drawbacks of penetration testing is that the simulated test data can only reach a limited number of tests, with very low coverage.
③ program Data scanning. A software with high security requirements, data cannot be destroyed during execution, or it can cause a buffer overflow type of attack. Data scanning is usually done in memory test, memory test can find a lot of such as buffer overflow and other vulnerabilities, and this kind of vulnerability to use in addition to the test method is difficult to find. For example, the software execution of the memory information to scan, to see if there are some potential hidden information, of course, this requires a special tool to verify, hand-made is more difficult.
(2) Reverse security test process
Most of the software's security tests are based on the principle of reverse design of the defect space, that is, to check in advance where there may be potential security risks, and then to test these potential pitfalls. Therefore, the reverse test process is to set up the defect threat model from the defect space, and through the threat model to find the intrusion point and scan the intrusion point for the known vulnerability. The advantage is that the known defects can be analyzed to avoid the existence of known types of defects in the software, but the unknown attack means and methods are generally powerless.
① establishes a defect threat model. To establish the defect threat model is to start with a known security vulnerability and check whether there are known vulnerabilities in the software. When you build a threat model, you need to identify which areas of expertise your software is involved in, and then model it based on the attack tactics that you encounter in each area of specialization.
② Search and Scan the intrusion point. Examine which defects in the threat model may occur in the software, and then manage the possible threats into the intrusion point matrix. Assuming there is a sophisticated vulnerability scanning tool, scan directly using the vulnerability scanning Tool and then manage the identified suspicious issues into the intrusion point matrix.
Verification of the ③ intrusion matrix test. After creating the intrusion matrix, we can design the corresponding test example for the detailed entry of the intrusion matrix, and then carry on the testing certificate.
(3) Forward safety test process
In order to avoid the test incompleteness caused by reverse design principle, a positive test method is needed to test the software relatively well, so that the tested software can prevent the unknown attack means and methods.
① first identifies the test space. All variable data in the test space is identified because the security test is expensive, with emphasis on identifying the external input layer. For example, requirements analysis, summary design, specific design, coding in these stages are to identify the test space, and establish a test space tracking matrix.
② defines the design space precisely. The focus examines whether the design space is clearly defined in the requirements, and whether the data involved in the requirement identifies its legal value range. In this step, the most important thing to pay attention to is the exact word, strictly according to the safety principle of the design space to do a precise definition.
③ identifies security risks. According to the test space and design space and the conversion rules between them, identify which test space and which conversion rules may have security risks. For example, the more complex the test space, the more complex the test space division or the more variable data combination relationship is more unsafe. And the more complex the conversion rules, the greater the likelihood of a problem, which is a security risk.
④ establish and validate the intrusion matrix. After the safety hazard identification is complete, the intrusion matrix can be established according to the security hidden danger identified. Lists potential security risks, identifies volatile data that has potential security implications, and identifies levels of security risks. For those variable data with a high level of safety hazard, a detailed test sample design is required.
(4) The difference between forward and reverse test
The positive test process is based on the test space to find defects and loopholes, the reverse test process is based on the known defect space as the basis to find out whether the same defects and loopholes in the software, both have their advantages and disadvantages. One of the basic advantages of the reverse test process is the lower cost, just to verify the known possible defects can be, but the disadvantage is that test is not intact, can not be tested space coverage intact, unable to detect unknown attack means. The advantage of the positive testing process is that the test is relatively full, but the workload is comparatively large. Therefore, the security requirements of the software, generally according to the reverse test process to test can be, for high security requirements of the software, should be a positive test process, the reverse test process supplemented.
　　 iii. common software security flaws and vulnerabilities
Software security has a very wide range of content, the basic security problems caused by the software itself, the following describes the common software security flaws and vulnerabilities.
(1) Buffer overflow
Buffer overflow has become the number one public enemy of software security, many of the actual security problems are related to it. There are two reasons why a buffer overflow problem usually occurs. ① The calibration problem of the conversion rules of the design space. The lack of verification of the measured data results in the illegal data not being checked out and discarded at the external input layer. The illegal data enters the interface layer and the implementation layer, because it goes beyond the corresponding test space of the interface layer and the implementation layer or the scope of the design space, which causes overflow. ② Local test space and design space is insufficient. When the legal data entered, because the program implementation layer within the corresponding test space or design space is insufficient, resulting in program processing overflow.
(2) Encryption weaknesses
These cryptographic weaknesses are not secure: ① uses an insecure encryption algorithm. The encryption algorithm is not strong enough, and some encryption algorithms can even be cracked by brute force. ② encryption data password is generated by pseudo-random algorithm, and the method of generating pseudo-random number is flawed, making password very easy to be cracked. The ③ authentication algorithm has a flaw. The ④ client and server clocks are not synchronized, giving the attacker enough time to crack password or alter the data. ⑤ does not sign encrypted data, which could allow an attacker to tamper with the data. Therefore, when testing for encryption, it is necessary to test for these possible cryptographic weaknesses.
(3) Error handling
In general, error handling will return some information to the user, the returned error message may be exploited by a malicious user to attack, the malicious user can analyze the returned error information to know what to do next to the success of the attack. Assuming that some of the wrong features are called when handling errors, the process of error handling will be exploited. Error handling is a processing problem in the exception space, the processing in the exception space should be as simple as possible, using this principle to design can avoid this problem. But error handling often involves problems with ease of use, assuming that the error handling hints are too simple, the user may be confused and do not know what to do next. So, at the same time that you consider the security of error handling, you need to weigh it with ease of use.
(4) Too much permission
Assuming that too much permission is given, it can cause malicious users with only ordinary user rights to take advantage of too large a privilege to make a security compromise. For example, there are no restrictions on what can be manipulated, which can lead to users being able to access other resources beyond the specified scope. For security testing, it is necessary to test whether the application has used too much permissions, to analyze the permissions that should be present in various situations, and then to check whether the given permissions are exceeded in practice. The problem of excessive authority is inherently too large in design space, so it is necessary to control the design space and avoid the problem of too great authority in design space.
　　 IV. Recommendations for safety testing
Many software security testing experience tells us that the prerequisite for a good software security test is: to fully understand the software security vulnerabilities, the second is to assess security risks, third, has an efficient software security testing technology and tools.
(1) Fully understand software security vulnerabilities
Assessing the degree of security of a software system requires a three-step process of design, implementation, and deployment. Let's take a look at how Commoncriteria evaluates the security of a software system. The first step is to determine the corresponding protectionprofile (PP) for the SOFTWARE PRODUCT. A PP defines a security feature template for a class of software products. such as the database of PP, firewall, such as pp. Then, according to PP and then put forward the detailed security function requirements, such as the user's identity authentication implementation. Finally, determine the security objects and how to meet the corresponding security functional requirements. Therefore, a security software three links, which is not a problem.
(2) Evaluation of safety tests
Can the software achieve the desired level of security when the security test is done? This is the most concern for security testers, so it is necessary to establish a safety assessment mechanism after testing. Generally from the following two aspects of evaluation. ① Security Defect Data assessment.
It is assumed that the more security flaws and vulnerabilities of software are found, the more defects may be left over. When such assessments are carried out, baseline data must be established as a reference, otherwise the right conclusions cannot be obtained without a basis for evaluation. ② used the vulnerability implant method to evaluate. Vulnerability implantation and reliability testing the fault insertion test is the same reason, just this is in the software to insert some security problems. In the case of vulnerability implantation, a certain number of vulnerabilities were pre-implanted in the software by a specific person who did not participate in the security test, and the final test was done to see how many of the vulnerabilities were found to assess the security of the software.
(3) Use of safety testing technology and tools
Use specialized, feature-specific security scanning software to identify potential vulnerabilities, incorporate the defects that have occurred into the defect library, and then use your own proactive test method to bomb tests using your own active defect library. For example, a test can be done using software that simulates various attacks.
The security test is used to verify that the protection mechanism integrated within the software can protect the system from illegal intrusion in practice. In a popular word, the security of a software system must be able to withstand a frontal attack-but it must also be able to withstand the side and back attacks.

Software Security Test (reprint)